gofing | b4c1cd4873af0800223bdbf9078f4c24b0fa8e73cf610aa8a2714bac585edcee

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 01:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
Size

4.1MB
MD5

bbcc82fb7375c8531b68398378b00cb5
SHA1

e2afc960fbb81168d13ddf15732fdd685db71847
SHA256

b4c1cd4873af0800223bdbf9078f4c24b0fa8e73cf610aa8a2714bac585edcee
SHA512

15c6cdc722e8885bbf6fb0d351b5eb8e4e4a0a74fba4082c9294efdcfdf19bed7c808e97841e80aeadf1c311429ee2f3102a511bec8741a6bb0115cc060535bf
SSDEEP

49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q4q:ieF+iIAEl1JPz212IhzL+Bzz3dw/VA

Score

10^/10

gofing credential_access discovery ransomware spyware stealer

Malware Config

Signatures

Gofing
Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.
ransomware gofing
Gofing family
gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation. 8 IoCs

resource	yara_rule
behavioral1/files/0x0003000000022a7d-4.dat	family_gofing
behavioral1/files/0x0002000000021ce1-5435.dat	family_gofing
behavioral1/files/0x000200000002279d-5823.dat	family_gofing
behavioral1/files/0x000200000002279c-5822.dat	family_gofing
behavioral1/files/0x00020000000227ac-5825.dat	family_gofing
behavioral1/files/0x000200000002279b-5821.dat	family_gofing
behavioral1/files/0x000200000002279a-5820.dat	family_gofing
behavioral1/files/0x0002000000022799-5819.dat	family_gofing

Renames multiple (51) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\gmreadme.txt	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\gm.dls	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\uk-UA\NdisImPlatform.sys.mui	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\afunix.sys	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

Manipulates Digital Signatures 3 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\wintrust.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

Loads dropped DLL 54 IoCs

pid	Process
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\Saved Games\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Downloaded Program Files\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\Links\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Public\Documents\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Public\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\Desktop\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\Documents\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Public\Desktop\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Public\Libraries\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Public\Videos\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Offline Web Pages\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\3D Objects\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\Downloads\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\OneDrive\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\Searches\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\Videos\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\Music\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Public\AccountPictures\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\en-US\TestDtc.psd1	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\sl-SI\quickassist.exe.mui	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SearchEngine-Client-Package-onecoreuap-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\DriverStore\ja-JP\mgtdyn.inf_loc	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\DriverStore\ja-JP\termmou.inf_loc	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\en-US\iexpress.exe.mui	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\sxs.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-UpdateTargeting-ClientOS-21h2-EKB-Wrapper-Package~31bf3856ad364e35~amd64~~10.0.19041.1288.cat	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\SvBannerBackground.png	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\en-US\csrss.exe.mui	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\security.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_magneticstripereader.inf_amd64_86e291110e37418b\c_magneticstripereader.inf	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-VmChipset-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Multimedia-RestrictedCodecsCore-WCOSHeadless-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PrintManagement\MSFT_TcpIpPrinterPort_v1.0.cdxml	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\WalletProxy.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Dism\es\Microsoft.Dism.Powershell.Resources.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\osuninst.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Multimedia-RestrictedCodecsExt-WOW64-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\ChtQuickDS.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hal.inf_amd64_fd0ae947345ac7bf\hal.inf	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\ARP.EXE	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\DriverStore\fr-FR\AudioEndpoint.inf_loc	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BranchCache\BranchCacheClientSettingData.cdxml	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\adsnt.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Help-ClientUA-Client-merged-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\DriverStore\es-ES\WSDScDrv.inf_loc	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\Speech_OneCore\common\it-IT\Tokens_VoiceActivation_it-IT.xml	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\it\Microsoft.AppV.AppvClientComConsumer.resources.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\dsparse.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Media-Foundation-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.264.cat	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\Dism\es-ES\VhdProvider.dll.mui	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\DriverStore\de-DE\netvwifimp.inf_loc	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\DriverStore\fr-FR\netevbda.inf_loc	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\LSCSHostPolicy.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-9-ul-oob-rtm.xrm-ms	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SimpleTCP-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmmoto1.inf_amd64_5b5f11128afa2611\mdmmoto1.inf	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_c62e9f8067f98247\Amd64\UNIDRV.DLL	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\KBDIT.DLL	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\wbem\WdacWmiProv.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-DirectoryServices-ADAM-Client-Package~31bf3856ad364e35~amd64~~10.0.19041.1288.cat	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1266.cat	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\Dism\it-IT\IntlProvider.dll.mui	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\DriverStore\en-US\volmgr.inf_loc	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\DriverStore\es-ES\AudioEndpoint.inf_loc	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\DriverStore\ja-JP\rtvdevx64.INF_loc	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\it-IT\prnjobs.vbs	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\it-IT\WinSATAPI.dll.mui	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-OneDrive-Setup-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\DriverStore\ja-JP\netnwifi.inf_loc	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\Startupscan.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RegistryResource\de-DE\MSFT_RegistryResource.strings.psd1	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbConnection.cdxml	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Legacy-Components-OC-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\DriverStore\it-IT\IntelTA.inf_loc	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\InputMethod\SHARED\ImeSystrayMenu.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\de-DE\srmshell.dll.mui	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\ja-JP\bootcfg.exe.mui	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\msdelta.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\wbem\it-IT\mispace_uninstall.mfl	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\DriverStore\it-IT\hidvhf.inf_loc	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\wbem\ja-JP\mof.xsl	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Lxss-merged-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-140.png	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sfodbc.did	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libmft_plugin.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\libaddonsfsstorage_plugin.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpegaudio_plugin.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xeccf.png	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-20_altform-unplated_contrast-high.png	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\PRNDMediaSource.winmd	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageMedTile.scale-200_contrast-white.png	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\ui-strings.js	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\Locales\kok.pak.DATA	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg1a.jpg	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\2.1.15\require.min.js	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\da-dk\ui-strings.js	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-il\ui-strings.js	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\nb.pak	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ppd.xrm-ms	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ppd.xrm-ms	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\identity_proxy\canary.identity_helper.exe.manifest	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2native.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-140.png	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\vlc.mo	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-100_contrast-white.png	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\EntCommon.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Dark.scale-100.png	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationCore.resources.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_pt_BR.properties	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-oob.xrm-ms	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\SmallTile.scale-125.png	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.IO.UnmanagedMemoryStream.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupWideTile.scale-200.png	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\sendforcomments.svg	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\adc_logo.png	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\eu-es\ui-strings.js	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond.xml	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48_altform-unplated.png	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-de_de.gif	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ru-ru\ui-strings.js	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\hyph_en_CA.dic	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul-oob.xrm-ms	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\MSOINTL.DLL	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_WorriedEye.png	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_move_18.svg	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\ResiliencyLinks\Locales\mt.pak.DATA	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\ca.pak	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\javafx.properties	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ppd.xrm-ms	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Edit.AppTk.SceneGraph.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.Primitives.resources.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RDCNotificationClient.appx	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\133.0.3065.69.manifest	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\mk.pak	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\CommunityInterop.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.RegularExpressions.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\sv-se\ui-strings.js	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageWideTile.scale-125.png	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ca-es\ui-strings.js	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\PolicyDefinitions\en-US\LocationProviderAdm.adml	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Branding\Basebrd\en-US\basebrd.dll.mui	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File opened for modification	C:\Windows\Fonts\fms_metadata.xml	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\INF\hdaudss.inf	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\addUser.aspx.ja.resx	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Web.Extensions.Design.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\error.aspx.es.resx	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizard.aspx.resx	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Provisioning\Packages\Power.Settings.Disk.ppkg	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\L2Schemas\WWAN_profile_v2.xsd	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Text.Encoding.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\fr\System.Web.ApplicationServices.resources.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\de\System.Management.Instrumentation.resources.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Mobile.resources\v4.0_4.0.0.0_ja_b03f5f7f11d50a3a\System.Web.Mobile.resources.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Boot\Fonts\meiryon_boot.ttf	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\TrackedSend.aapp	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ES\System.EnterpriseServices.Resources.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Providers\App_LocalResources\manageconsolidatedProviders.aspx.es.resx	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild\Microsoft.Build.Core.xsd	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordacwks.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics.resources\v4.0_4.0.0.0_it_b77a5c561934e089\System.Numerics.resources.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Panther\setuperr.log	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Globalization\ELS\HyphenationDictionaries\MsHy7es.lex	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.WindowsRuntime.UI.Xaml.resources\v4.0_4.0.0.0_de_b77a5c561934e089\System.Runtime.WindowsRuntime.UI.Xaml.resources.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\PolicyDefinitions\de-DE\WindowsFileProtection.adml	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.KeyDistributionService.Cmdlets.Resources\v4.0_10.0.0.0_it_31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.Resources.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands.Resources\v4.0_10.0.0.0_ja_31bf3856ad364e35\Microsoft.WindowsSearch.Commands.Resources.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\INF\wsearchidxpi\040C\idxcntrs.ini	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\Microsoft.Transactions.Bridge.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\fr\MSBuild.resources.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\1041\mscorees.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\es\Microsoft.Build.Engine.resources.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\PolicyDefinitions\fr-FR\Help.adml	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\PolicyDefinitions\ja-JP\AutoPlay.adml	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Speech_OneCore\Engines\TTS\de-DE\M1031Stefan.BEP	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\de\System.Workflow.Activities.resources.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\JA\System.DirectoryServices.Protocols.resources.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp_Security.aspx.ja.resx	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\PolicyDefinitions\fr-FR\Sensors.adml	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\INF\mausbhost.inf	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\fr\System.Data.Services.Design.resources.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Net.resources\v4.0_4.0.0.0_it_b03f5f7f11d50a3a\System.Net.resources.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\PolicyDefinitions\WordWheel.admx	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\App_Code\SecurityPage.cs	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\Fonts\GlobalSansSerif.CompositeFont	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\es-ES\ServiceModelInstallRC.dll.mui	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\wpfgfx_v0300.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml.Linq.resources\v4.0_4.0.0.0_it_b77a5c561934e089\System.Xml.Linq.resources.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\PLA\Rules\Rules.System.Network.xml	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Prefetch\ONEDRIVE.EXE-96969DDA.pf	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\INF\mdmjf56e.inf	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\INF\wvmgid.PNF	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\de\System.Web.Entity.Design.resources.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\it\System.Web.Routing.resources.dll	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\Browsers\goAmerica.browser	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it-IT\Microsoft.Windows.ApplicationServer.Applications.dll.mui	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Speech_OneCore\Engines\TTS\en-US\enUS.Name.dat	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Fonts\ega80866.fon	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ImmersiveControlPanel\images\logo.contrast-white_scale-400.png	2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{0B3398EA-00F1-418b-AA31-6F2F9BE5809B}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\es-ES\\M3082Helena"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "11.0.2013.1022"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Near"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\L1033"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "L3082"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - Italian (Italy)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech Recognition Engine - ja-JP Embedded DNN v11.1"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "0"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\lsr1033.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\ja-JP\\VoiceActivation_HW_ja-JP.dat"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\r1033sr.lxa"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "844"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\it-IT\\M1040Cosimo"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Haruka - Japanese (Japan)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\M1031Hedda"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{E164F996-FF93-4675-BDD8-6C47AB0B86B1}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\es-ES\\M3082Pablo"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\L1036"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "È stata selezionata la voce predefinita %1."	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "en-US"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft David - English (United States)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\VoiceActivation_en-US.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\sidubm.table"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\es-ES\\MSTTSLocesES.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Pablo - Spanish (Spain)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\fr-FR\\MSTTSLocfrFR.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\fr-FR\\M1036Julie"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - French (France)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Vous avez sélectionné %1 comme voix par défaut."	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\ja-JP\\M1041Ichiro"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "867"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "1033"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\AI041033"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Zira - English (United States)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\tn1036.bin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Ichiro - Japanese (Japan)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Traditional Chinese Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "L1031"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Adult"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "0"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "French Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Hedda"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\c3082.fe"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "5223743"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\it-IT\\VoiceActivation_it-IT.dat"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Cosimo"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\lsr1031.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\tn3082.bin"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "002D 002D 0021 0021 0026 0026 002C 002C 002E 002E 003F 003F 005F 005F 002B 002B 002A 002A 02C9 02C9 02CA 02CA 02C7 02C7 02CB 02CB 02D9 02D9 3000 3000 3105 3105 3106 3106 3107 3107 3108 3108 3109 3109 310A 310A 310B 310B 310C 310C 310D 310D 310E 310E 310F 310F 3110 3110 3111 3111 3112 3112 3113 3113 3114 3114 3115 3115 3116 3116 3117 3117 3118 3118 3119 3119 3127 3127 3128 3128 3129 3129 311A 311A 311B 311B 311C 311C 311D 311D 311E 311E 311F 311F 3120 3120 3121 3121 3122 3122 3123 3123 3124 3124 3125 3125 3126 3126"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{6BFCACDC-A6A6-4343-9CF6-83A83727367B}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - Spanish (Spain)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - Japanese (Japan)"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4552	SearchApp.exe
5444	SearchApp.exe

C:\Users\Admin\AppData\Local\Temp\2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-04_bbcc82fb7375c8531b68398378b00cb5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"
1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Drops startup file
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3704

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4552

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.dll

Filesize
5.9MB

MD5
09b221a24eb847bd9baeb48863acd728

SHA1
64f65e4932208e1f3ee69af9d9e9392b820b3322

SHA256
84073fc8df844578cfabee985389ca06c43059692f441b498d297cfcbdbe6b66

SHA512
86294911a4e7bc05a29b78462c3e61797db40d02c2eac1d64fe6fb46cd71a8af1d52645287e404106eb3db84806f85a935d328615cbfb4d7574bac549a6b611c

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
5.8MB

MD5
ed105a3b25a4f3f39cdc3bd55c0070a8

SHA1
a4c7926f41c92fa60621e0e4428748a6d1de36b7

SHA256
3e49bbaf2bab65f51405b8d6257b7ceaddac038559d7d9f0e51de01616753d04

SHA512
7a6a56289bda31d67a36e642358eeb6be11b4ade1d0c83b2c0e587347f19abbc125d2ea18544f4afd69db941b97a6ad21b6cd2e445b1015d063ac1307b2de916

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\DE8CY514\microsoft.windows[1].xml

Filesize
97B

MD5
fc956db2851ef12da68d2c9ff8aa5f1d

SHA1
5978b893499ab9db347cec91dbed08b5fb3b37d0

SHA256
6a8571f980a5f1c6a9dfe314f4fe5db0d21abffd720246d31e7ba256bee6ea86

SHA512
5e4c74cdf403857698486cd635fe20c73c7f783596e7afe2344e17ef40f14f8fb7ca66b85f747f0c8cc7cf6a7648b4a04a3b7cdc60122a4da11da4502058c8ec

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\95d9a2a97a42f02325559b453ba7f8fe839baa18.tbres

Filesize
2KB

MD5
b84bcf1623f87a3a13faa40a5125c14b

SHA1
6b9e33494dde55d1e3c6d61c3022a63f46c2d7ca

SHA256
616fe3672a6e8c45ef8f8bc487cd0538ff6605f3d0cf2de07502b3e534ec5a26

SHA512
7e4c965ae2ec4c8f067fa0e2e95ece436be607e66acf00c54e0de6ca6c8ceec230b9427aa0397de4e868821b899986c57287c8112e5402f6fa130e9b68c5ab8b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133882049918643506.txt

Filesize
26KB

MD5
d2655ca9678bfda8467f7fa4905b4d24

SHA1
e0ccecd2719c42ed967d9fc2b4ed2ab30bafd378

SHA256
e2e1aea3ce75e5e1597c8928123bbf4679c86a71ed0a5edee110ddb9f29eff20

SHA512
36b6fbaaa1b6725261caf6694aed5c44a633de2fd09dee76a633a40f7830dd6231c316b5c93f7d93f34cca48713e3a416ec8cb4333e155c05e1489d8086803ef

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133882049959088113.txt

Filesize
14KB

MD5
b9a3570135c6cdac61e23a655424bb81

SHA1
b25c823b867b820fa34e0d61892c99af1b3db241

SHA256
e193af6a87eea12acbb0e56ca2c4e0b078e4c775d8b0f46c327eeb0ce00ce2e6

SHA512
73f70af649bf07c3c9c9298c78f8fc1168be976af14b7e381ccf33fef36cfc4809becb8d2c7ecb5ea8d198f7bdf1c2f30ed1c800df4086099215c8ade7d86ca0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

Filesize
12KB

MD5
1e3bcae962f769dc414086518f6cd813

SHA1
7ecd07c3fda50cecce9cfc719d5ef2a10604ccfb

SHA256
26fff0760d9971df18b776e4a621aaca560f35f569625af3b51fb4b82733e15b

SHA512
05b1d0e50360b0523f02579c78613aa76b09858b09d1dbef2ac8dfe64ae9051c66b11a950f906a3d3d541786e543edaeb7457de556c5f9693bba011fd63f057a

Download Submit
C:\WINDOWS\FONTS\ANTQUAB.TTF

Filesize
4.3MB

MD5
edc9800790c2875b165e67ac43ffc054

SHA1
dbb66fdf23aa544ca859b5e5a9fde6f2e2fe865c

SHA256
5006995e01647492ec7b926d102916a0d6457a9ba361b7b22bdeff28068ce303

SHA512
cf535ca73a8af601fdbceb0e5cff371515fafbae3baa57fd37e260cc653c616ed46add3e088af22f5b37975cda91710472b23ffdc7b5fd7af00e7ac270a16df6

Download Submit
C:\WINDOWS\FONTS\ANTQUABI.TTF

Filesize
4.3MB

MD5
6605fbabf0f16035ad1a33f084e114f5

SHA1
1f54a643ebfa0fa9931f2782222e3cbd3d029635

SHA256
4f24489911ad3256955f431a74b0189a8ce6c93df8a1cb49125121ddfa69af39

SHA512
a727d55a984be66ec5a0f1657a98f0d84722eefd2241b184b17c308d64e0e0af23a3bcffdbc7eb9c2d8dfef6bb8eb3eef9b2875ecc3381ebd17145dbdad4b87f

Download Submit
C:\WINDOWS\FONTS\ANTQUAI.TTF

Filesize
4.2MB

MD5
81b88a4c64e70d2a796b59e46417a556

SHA1
09808869cb8cb2bc0d919c4c6053f9affef73ae2

SHA256
35c104feecbd4bfa37ab036824d9f88018e641e0dde3cde387c9948cfeb79bef

SHA512
9d937811cccc096215635dc9e1943b143aacaaf135f987f72fa0e80055fbaaf310dc9801584f1551b8e3380391afb4c5319cbf0229bd304afbe045ecfeee54ad

Download Submit
C:\WINDOWS\FONTS\ARIALN.TTF

Filesize
4.3MB

MD5
793e75e1dc7190b13998b484dd16abf7

SHA1
0e93cf1aff409dcc540797ac805c90e9ae723a98

SHA256
917791181d4058bfcf573172d917bcb9f1752f2185de97164332d5e0298978dd

SHA512
8913e405feb118b44f4a2fd8830056b6f3ba79397881326e6a81de19ed23bb0536f4743db306246cc4762c36218c6c0135edf69afa6a4ce5d92170d39349946d

Download Submit
C:\WINDOWS\FONTS\ARIALNB.TTF

Filesize
4.3MB

MD5
b179dcf5b8e85a44c35d2d120d1ff44d

SHA1
d7b60917d0c124c64d007bcae5c818b86d07fcac

SHA256
1742f2ffd2571faef4d5ca4cef3e2703a1fc19c949a3d9d540754bbc54207f31

SHA512
e115e8c2b6f3510b34f2532d1259b508d8bb5359f4a17a32454715d9de9cbecff24c84b9a9b79340566b6214b4ee475ef219c5e261c5f6092ab257ab73a86e81

Download Submit
C:\WINDOWS\FONTS\DUBAI-REGULAR.TTF

Filesize
4.3MB

MD5
b96f6435f92ec6863f299aef7f9bfe29

SHA1
92fa7ef320f28bca222e57ddfe243e95f62f2177

SHA256
e68b1a1b71767fe58441a003544017b7508750fc5956ec76362d16d280b0ecfb

SHA512
41fb19dd786d7b9408c21ace617646ef1cb1e8473fe01c617a30ff5294c9a0352bcc4f21ffc9dcb087b7d7299bac9278415a7381860279e8cf0c75de724ef812

Download Submit
memory/4552-5785-0x0000019247DD0000-0x0000019247DF0000-memory.dmp

Filesize
128KB

Download
memory/4552-5786-0x0000019247860000-0x0000019247880000-memory.dmp

Filesize
128KB

Download
memory/4552-5772-0x0000019246D00000-0x0000019246E00000-memory.dmp

Filesize
1024KB

Download
memory/4552-5777-0x0000019A49020000-0x0000019A49040000-memory.dmp

Filesize
128KB

Download
memory/4552-5770-0x0000019246D00000-0x0000019246E00000-memory.dmp

Filesize
1024KB

Download
memory/5444-5833-0x000001F70FD00000-0x000001F70FE00000-memory.dmp

Filesize
1024KB

Download
memory/5444-5837-0x000001F711780000-0x000001F7117A0000-memory.dmp

Filesize
128KB

Download
memory/5444-5861-0x000001F711B50000-0x000001F711B70000-memory.dmp

Filesize
128KB

Download
memory/5444-5855-0x000001F711740000-0x000001F711760000-memory.dmp

Filesize
128KB

Download
memory/5444-5832-0x000001F70FD00000-0x000001F70FE00000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads