Analysis
-
max time kernel
150s -
max time network
113s -
platform
windows10-2004_x64 -
resource
win10v2004-20250502-en -
resource tags
arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system -
submitted
19/05/2025, 13:39
Behavioral task
behavioral1
Sample
2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe
Resource
win10v2004-20250502-en
Behavioral task
behavioral2
Sample
2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe
Resource
win11-20250502-en
General
-
Target
2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe
-
Size
4.1MB
-
MD5
5b9e5a89eb6c7826167c719c5467aa64
-
SHA1
9826337e2b30831871cde19d23c30d6f2b679756
-
SHA256
42e2feeb098bd035ccbd01d5bd59d6bdf3af9779d445e70085750479592d7376
-
SHA512
45f9d4f90617d7b233cae22ef484f6d4834eb4d3c17c46568f12901df86179c6be3c2220eb00eee5d46c25adf4abe5c9e619e009198249d0ab5237ec4e818a12
-
SSDEEP
49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q4U:ieF+iIAEl1JPz212IhzL+Bzz3dw/VWey
Malware Config
Signatures
-
Gofing
Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.
-
Gofing family
-
Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation. 8 IoCs
resource yara_rule behavioral1/files/0x0003000000022a56-4.dat family_gofing behavioral1/files/0x0002000000021eff-5472.dat family_gofing behavioral1/files/0x0002000000021f38-5481.dat family_gofing behavioral1/files/0x0002000000022773-5821.dat family_gofing behavioral1/files/0x0002000000022784-5822.dat family_gofing behavioral1/files/0x0002000000022772-5820.dat family_gofing behavioral1/files/0x000800000001e4de-5819.dat family_gofing behavioral1/files/0x000400000001e2f0-5818.dat family_gofing -
Drops file in Drivers directory 22 IoCs
description ioc Process File created C:\Windows\SysWOW64\drivers\gm.dls 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\afunix.sys 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\gmreadme.txt 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\uk-UA\NdisImPlatform.sys.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe -
Manipulates Digital Signatures 2 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
description ioc Process File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\wintrust.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe -
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe -
Loads dropped DLL 42 IoCs
pid Process 3452 Process not Found 3452 Process not Found 3452 Process not Found 3452 Process not Found 3452 Process not Found 3452 Process not Found 3452 Process not Found 3452 Process not Found 3452 Process not Found 3452 Process not Found 3452 Process not Found 3452 Process not Found 3452 Process not Found 3452 Process not Found 3452 Process not Found 3452 Process not Found 3452 Process not Found 3452 Process not Found 3452 Process not Found 3452 Process not Found 3452 Process not Found 3452 Process not Found 3452 Process not Found 3452 Process not Found 3452 Process not Found 3452 Process not Found 3452 Process not Found 3452 Process not Found 3452 Process not Found 3452 Process not Found 3452 Process not Found 3452 Process not Found 3452 Process not Found 3452 Process not Found 3452 Process not Found 3452 Process not Found 3452 Process not Found 3452 Process not Found 3452 Process not Found 3452 Process not Found 3452 Process not Found 3452 Process not Found -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops Chrome extension 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File created C:\Users\Admin\Searches\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Public\Documents\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Contacts\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Music\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Pictures\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Public\Videos\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Public\Music\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Desktop\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Downloads\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Favorites\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Fonts\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Links\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Pictures\Saved Pictures\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Saved Games\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Public\AccountPictures\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Public\Desktop\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Public\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Media\Desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\$Recycle.Bin\S-1-5-21-186956858-2143653872-2609589082-1000\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\OneDrive\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Videos\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\3D Objects\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Favorites\Links\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Public\Libraries\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe -
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\F12\DiagnosticsHub.ScriptedSandboxPlugin.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\wbem\es-ES\storagewmi_passthru.mfl 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\wbem\ja-JP\htable.xsl 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\WorkFoldersRes.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\cmifw.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\dot3dlg.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\ja-JP\regedit.exe.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\wbem\en-US\mstscax.mfl 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\Com\fr-FR\comrepl.exe.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\es-ES\mapi32.dll.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\wbem\it-IT\ServiceModel35.mfl 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\KBDIULAT.DLL 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\catsrvut.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\uk-UA\StorageContextHandler.dll.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\uk-UA\isoburn.exe.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\w32tm.exe 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\KeyCredMgr.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\en-US\InkObjCore.dll.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\es-ES\provplatformdesktop.dll.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\iasrad.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\ja-JP\sendmail.dll.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\version.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\wiascanprofiles.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\PlayToReceiver.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File opened for modification C:\Windows\SysWOW64\icuin.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\wbem\it-IT\PS_MMAgent.mfl 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\XInputUap.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\de-DE\qdvd.dll.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\it-IT\hgcpl.dll.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\wbem\wmp.mof 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\it-IT\occache.dll.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\uniplat.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\wbem\es-ES\netnccim_uninstall.mfl 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PKI\pki.types.ps1xml 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\es-ES\WsmRes.dll.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\wbem\fr-FR\netttcim.dll.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\CompositeResourceHelper.psm1 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\en-US\PSDSCxMachine.strings.psd1 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\Dism\IntlProvider.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\Keywords\ti_cnn_zh-CN.table 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\fr-FR\PresentationHost.exe.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\ntvdm64.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\PhotoMetadataHandler.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\Windows.AccountsControl.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\pl-PL\quickassist.exe.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\wbem\es-ES\ServiceModel35.mfl 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\AcSpecfc.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\en-US\Windows.Gaming.Input.dll.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\twinapi.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\wbem\AgentWmi.mof 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\wbem\FunDisc.mof 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\en-US\ieunatt.exe.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\it-IT\compmgmt.msc 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\ja-JP\netdiagfx.dll.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\Recovery\ReAgent.xml 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\cs-CZ\SyncRes.dll.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\it-IT\adrclient.dll.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\wshhyperv.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\fr-FR\schedsvc.dll.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Storage\InitiatorPort.cdxml 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\es-ES\dot3gpui.dll.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\wbem\ja-JP\csv.xsl 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\Windows.Media.FaceAnalysis.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\Windows.UI.Xaml.Maps.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-16_altform-unplated.png 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-48_altform-unplated_devicefamily-colorfulunplated.png 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\System.Windows.Forms.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\bg_pattern_RHP.png 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkDrop32x32.gif 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-pl.xrm-ms 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NAMECONTROLPROXY.DLL 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\vfs\System\mfc140enu.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Light\MilitaryRight.png 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Standard.targetsize-16_contrast-black.png 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-ae\ui-strings.js 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipres.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-pl.xrm-ms 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ppd.xrm-ms 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-oob.xrm-ms 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\VideoLAN\VLC\plugins\demux\libavi_plugin.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationClientSideProviders.resources.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\msedgeupdateres_quz.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeGreaterThan.Tests.ps1 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-125_contrast-white.png 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_100_percent.pak 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesdistinctive.dotx 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\SmallTile.scale-200.png 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-24_altform-lightunplated.png 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-phn.xrm-ms 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Office16\Wordcnvpxy.cnv 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\PREVIEW.GIF 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\xaml\onenote\CaptureUIStyles.xaml 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-16_altform-unplated_contrast-black.png 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyShare.scale-400.png 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Outlook.scale-100.png 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedAppList.scale-200_contrast-white.png 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-96_altform-unplated_devicefamily-colorfulunplated.png 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreMedTile.scale-200.png 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-30_altform-lightunplated.png 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\EntCommon.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\da-dk\ui-strings.js 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppPackageMedTile.scale-125_contrast-white.png 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-150_contrast-black.png 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTile.xml 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Input.Manipulations.resources.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_sr.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\VideoLAN\VLC\lua\http\images\Video-48.png 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\Spider.Medium.png 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.targetsize-80_altform-unplated_contrast-black.png 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\Movie-TVStoreLogo.scale-200_contrast-black.png 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\msquic.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ro-ro\ui-strings.js 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected] 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-filesystem-l1-1-0.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.RunTime.Serialization.Resources.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-400_contrast-white.png 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsWideTile.scale-100.png 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-60_altform-unplated_contrast-white.png 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationTypes.resources.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_Grace-ul-oob.xrm-ms 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\resources.pri 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Date.targetsize-16_contrast-black.png 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\pt-BR\UIAutomationProvider.resources.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\ResiliencyLinks\delegatedWebFeatures.sccd.DATA 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\Analytics 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.rsp 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Dtc.PowerShell.Resources\v4.0_10.0.0.0_de_31bf3856ad364e35\Microsoft.Dtc.PowerShell.Resources.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Services\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Services.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\PLA\Reports\ja-JP\Report.System.Wired.xml 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\SharedFolders.admx 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\INF\SMSvcHost 3.0.0.0\0411\_SMSvcHostPerfCounters_D.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\INF\rtux64w10.inf 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\App_LocalResources\security.aspx.resx 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Prefetch\ONEDRIVESETUP.EXE-8CE5A462.pf 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Speech\Engines\TTS\en-US\MSTTSLocEnUS.dat 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\INF\.NET Memory Cache 4.0\netmemorycache.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Media\Alarm09.wav 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\selectedTab_1x1.gif 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\App_LocalResources\home1.aspx.es.resx 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v3.5\it\EdmGen.Resources.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Activities.Core.Presentation.resources\v4.0_4.0.0.0_fr_31bf3856ad364e35\System.Activities.Core.Presentation.resources.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\es-ES\DeviceSetup.adml 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\it-IT\WindowsFileProtection.adml 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Fonts\ssee1255.fon 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\es\SqlPersistenceService_Logic.sql 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardProviderInfo.ascx.es.resx 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\04 - Disk Management.lnk 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Speech_OneCore\Engines\SR\it-IT-N\c1040.fe 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Web.DynamicData.Design.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals.resources\v4.0_4.0.0.0_es_31bf3856ad364e35\System.ServiceModel.Internals.resources.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\fr-FR\PushToInstall.adml 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File opened for modification C:\Windows\Installer\{49841001-DB8F-3FB2-9151-0FD8A01B687A}\icon.ico 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Media\town.mid 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.resources\v4.0_4.0.0.0_it_b03f5f7f11d50a3a\System.Configuration.resources.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Boot\PCAT\tr-TR\memtest.exe.mui 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Help\mui\0411\sqlsoldb.chm 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\INF\hdaudio.PNF 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\INF\iaLPSS2i_GPIO2_GLK.inf 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\00006109E70000000100000000F01FEC\16.0.12527\msvcp140.dll_x64 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\Browsers\opera.browser 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\es\System.EnterpriseServices.Resources.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v3.5\es\Microsoft.Data.Entity.Build.Tasks.Resources.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Media\GoBack_48000Hz.raw 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\confirmation.ascx.ja.resx 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\confirmation.ascx.ja.resx 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Windows.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\de\Microsoft.CSharp.resources.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources\v4.0_3.0.0.0_it_31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.Resources.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.TraceSource\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Diagnostics.TraceSource.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\ja-JP\TaskScheduler.adml 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\DiagTrack\RemoteAggregatorTriggerCriteria.dat 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Fonts\seguisli.ttf 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\INF\.NET CLR Networking 4.0.0.0\0411\_Networkingperfcounters_d.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp_Internals.aspx.fr.resx 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Workflow.Runtime.resources\v4.0_4.0.0.0_fr_31bf3856ad364e35\System.Workflow.Runtime.resources.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\INF\ServiceModelEndpoint 3.0.0.0\0411\_ServiceModelEndpointPerfCounters_D.ini 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\INF\mdmaiwa4.inf 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\PDDom.api_NON_OPT 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Web.DataVisualization.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it\System.Data.Services.Design.resources.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\PowerShellExecutionPolicy.admx 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ja\System.Web.Abstractions.resources.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp_Provider.aspx.ja.resx 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\de\System.resources.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem.resources\v4.0_4.0.0.0_fr_b77a5c561934e089\System.IO.Compression.FileSystem.resources.dll 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\PLA\Rules\en-US\Rules.System.Disk.xml 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\de-DE\DnsClient.adml 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "L1033" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{31350404-77AC-4471-B33A-9020A2EDA1D1}" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "410" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\M1031Katja" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Zira - English (United States)" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Mark" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "910" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{14E74C62-DC97-43B0-8F2F-581496A65D60}" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "German Phone Converter" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\c1033.fe" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Zira" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech Recognition Engine - es-ES Embedded DNN v11.1" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\c1036.fe" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SW" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR en-US Lts Lexicon" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Paul - French (France)" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\lsr1040.lxa" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "French Phone Converter" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "411" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Near" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\fr-FR\\M1036Julie" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 ~ 0009 aa 000a a 000b oh 000c ax 000d b 000e d 000f eh 0010 ey 0011 f 0012 g 0013 hy 0014 uy 0015 iy 0016 k 0017 l 0018 m 0019 n 001a ng 001b nj 001c oe 001d eu 001e ow 001f p 0020 r 0021 s 0022 sh 0023 t 0024 uw 0025 v 0026 w 0027 y 0028 z 0029 zh 002a" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR de-DE Lookup Lexicon" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{6BFCACDC-A6A6-4343-9CF6-83A83727367B}" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "MS-1036-110-WINMO-DNN" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{57523D96-B7F6-4D2C-8AFC-BCC5F5392E94}" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\tn1036.bin" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\AI041040" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "804" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR ja-JP Lookup Lexicon" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "40A;C0A" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\L1031" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Hedda" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\M1033Zira" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR fr-FR Locale Handler" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Julie" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Paul" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 2 0009 a 000a e 000b i 000c o 000d u 000e t 000f d 0010 p 0011 b 0012 k 0013 g 0014 ch 0015 jj 0016 f 0017 s 0018 x 0019 m 001a n 001b nj 001c l 001d ll 001e r 001f rr 0020 j 0021 w 0022 th 0023" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "MS-1033-110-WINMO-DNN" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "L1036" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR it-IT Locale Handler" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "309C 309C 30A1 30A1 30A2 30A2 30A3 30A3 30A4 30A4 30A5 30A5 30A6 30A6 30A7 30A7 30A8 30A8 30A9 30A9 30AA 30AA 30AB 30AB 30AC 30AC 30AD 30AD 30AE 30AE 30AF 30AF 30B0 30B0 30B1 30B1 30B2 30B2 30B3 30B3 30B4 30B4 30B5 30B5 30B6 30B6 30B7 30B7 30B8 30B8 30B9 30B9 30BA 30BA 30BB 30BB 30BC 30BC 30BD 30BD 30BE 30BE 30BF 30BF 30C0 30C0 30C1 30C1 30C2 30C2 30C3 30C3 30C4 30C4 30C5 30C5 30C6 30C6 30C7 30C7 30C8 30C8 30C9 30C9 30CA 30CA 30CB 30CB 30CC 30CC 30CD 30CD 30CE 30CE 30CF 30CF 30D0 30D0 30D1 30D1 30D2 30D2 30D3 30D3 30D4 30D4 30D5 30D5 30D6 30D6 30D7 30D7 30D8 30D8 30D9 30D9 30DA 30DA 30DB 30DB 30DC 30DC 30DD 30DD 30DE 30DE 30DF 30DF 30E0 30E0 30E1 30E1 30E2 30E2 30E3 30E3 30E4 30E4 30E5 30E5 30E6 30E6 30E7 30E7 30E8 30E8 30E9 30E9 30EA 30EA 30EB 30EB 30EC 30EC 30ED 30ED 30EE 30EE 30EF 30EF 30F0 30F0 30F1 30F1 30F2 30F2 30F3 30F3 30F4 30F4 30F5 30F5 30F6 30F6 30F7 30F7 30F8 30F8 30F9 30F9 30FA 30FA 30FB 30FB 30FC 30FC 30FD 30FD 30FE 30FE 0021 0021 0027 0027 002B 002B 002E 002E 003F 003F 005F 005F 007C 007C" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR Engine (11.0) Text Normalization" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Hedda - German (Germany)" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR it-IT Lookup Lexicon" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "L1041" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\MuiCache SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 ^ 0008 1 0009 2 000a ~ 000b : 000c a 000d aw 000e ax 000f ay 0010 b 0011 d 0012 ch 0013 eh 0014 eu 0015 ey 0016 f 0017 g 0018 h 0019 ih 001a iy 001b jh 001c k 001d l 001e m 001f n 0020 ng 0021 oe 0022 oh 0023 ow 0024 oy 0025 p 0026 pf 0027 r 0028 s 0029 sh 002a t 002b ts 002c ue 002d uh 002e uw 002f uy 0030 v 0031 x 0032 y 0033 z 0034 zh 0035" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\c1031.fe" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Julie - French (France)" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - Japanese (Japan)" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "002D 002D 0021 0021 0026 0026 002C 002C 002E 002E 003F 003F 005F 005F 002B 002B 002A 002A 02C9 02C9 02CA 02CA 02C7 02C7 02CB 02CB 02D9 02D9 3000 3000 3105 3105 3106 3106 3107 3107 3108 3108 3109 3109 310A 310A 310B 310B 310C 310C 310D 310D 310E 310E 310F 310F 3110 3110 3111 3111 3112 3112 3113 3113 3114 3114 3115 3115 3116 3116 3117 3117 3118 3118 3119 3119 3127 3127 3128 3128 3129 3129 311A 311A 311B 311B 311C 311C 311D 311D 311E 311E 311F 311F 3120 3120 3121 3121 3122 3122 3123 3123 3124 3124 3125 3125 3126 3126" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\lsr3082.lxa" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - Spanish (Spain)" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; computer=NativeSupported; address=NativeSupported; currency=NativeSupported; message=NativeSupported; media=NativeSupported; url=NativeSupported; alphanumeric=NativeSupported" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "966" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{BAE3E62C-37D4-49AC-A6F1-0E485ECD6757}" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\es-ES\\M3082Laura" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Pablo" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - French (France)" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\r1040sr.lxa" SearchApp.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4368 SearchApp.exe 2132 SearchApp.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Drops startup file
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3540
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4368
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2132
Network
MITRE ATT&CK Enterprise v16
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.2MB
MD5d63843be3b7eb1c0e9c2f797ce6414a7
SHA1cf2253d7d63731496b5ab22b4469a874f9e9334a
SHA2565ed9e86468279060f2031e1142b55af88d06c7fe08d4c30194f6100e6812625e
SHA512e21a13d01a6a88c0c3312e6e39cde3e844dba80efb5311d6a1e64751b1086c0486bd9ef37509c57568775a21504266644f373cd28958ecd83aa6fcabd174613c
-
Filesize
4.4MB
MD5b5c330b48cd86305e4608e8bbdb22405
SHA18d66fcd8ea478b62ae08d8a3b9cf0919362f167e
SHA2569f4c0af8fe986def4578d4f6809e90f2b4b34fc19cf954ad2aafbe89b29e4abc
SHA512786f8300f5fbb81d220845f329ba944967277f5a8269019852be13975d5a236fb3bfb7a7066cd6100057be9809c50ff802c466fb2edc52d52bfde86136f5314c
-
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll
Filesize5.8MB
MD5920865b6ee3d9d19d0f999f9e6cf6dfa
SHA1913658e599d0b47050f67d6f47360e7be138d818
SHA2565241a0dea78f1001112ca2e909816b35b048544fd5fd3887eaa85531a6984456
SHA5120e0c37e3f2d6985239a3932312ae495e6aaaa160493e6c3725cd09b0d3daf84f31568bbb6d43f9113b71f3d078b840c0a83d4a7155c694945928cdc03c51fa02
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\49DDX0WX\microsoft.windows[1].xml
Filesize97B
MD588df8fd15df82aa8d53ca7e174dfa66c
SHA15ecc316c8a22b09f8f64f7c67efe4a0468f07c17
SHA256474966fc1c140c583fdaa26a057798ba409db75d41bd7fab23f2e88c775ae682
SHA512185a748bc1b3633739aed35a6a7e5ab850b5f59b4e37a343ace6c1440452e93a3c1a03cc8cfab0668c7a1d2e5d84613788abee116f9b769cf1240b13d57f8f42
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\95d9a2a97a42f02325559b453ba7f8fe839baa18.tbres
Filesize2KB
MD58e86cc897eefa3efe721338455517ce7
SHA1416d74aec53ac33ffa31aa15ddfa3f37b6772ebd
SHA256c3e2f9e1319c325a4cee0c1e8066610693d9055c3bcd69d13dd205e64c698828
SHA512f3ae8acec692ee1e04825572cc82ad11952a4108026fed1c05feebc659984fe7185e1826c171699eb789c5803155e5ac9d2d4ca35d3e0432c601e032d0aa4640
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133921357060202460.txt
Filesize14KB
MD5b9a3570135c6cdac61e23a655424bb81
SHA1b25c823b867b820fa34e0d61892c99af1b3db241
SHA256e193af6a87eea12acbb0e56ca2c4e0b078e4c775d8b0f46c327eeb0ce00ce2e6
SHA51273f70af649bf07c3c9c9298c78f8fc1168be976af14b7e381ccf33fef36cfc4809becb8d2c7ecb5ea8d198f7bdf1c2f30ed1c800df4086099215c8ade7d86ca0
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
Filesize11KB
MD5104f81dd974ee6cff12ac932f403f610
SHA19c5f77a499a2f193f21b61122bc6c297c04787d4
SHA256a255d75f49b42239950fab22206ec9eb2ddf2e9acca3eef2283d899ef6422cba
SHA512abd54847718f2c81372788838c511a85b57b68a1443ae8409f49a1554edaa45badcad1143119ea367c20f52084a05e2af3cc51596932f99e89879a2b9692c7f6
-
Filesize
4.3MB
MD5016c2527ac512fc9df181b60cc44e225
SHA1bd7615a0ed811eae178f3d82b8616fdd4e6d5319
SHA25651bec63c3cede56d9a1c246a51d7b31fd438c52ac34117bbdde3325ac0c28bdb
SHA5120c0c62e93a271e2ac65d77f3dc4409213a6678ff8c1d4c05e031864d2ae0f2eb12e6acb785691f477ae69bdbbf090246023dd92bf3e409fa77661978fd4168bc
-
Filesize
4.3MB
MD5576a08d7c69df02f3dd2157298188c94
SHA111a42e049f239be21c034c7b9272cb7fb29dc367
SHA256f296e29a88b7031620f85690667deb9eb60da1632af27478a0d99b5d2fc352af
SHA5129beae9e8e327af18ce9df58bec30e2e4c21fb413734c85866f72cad7f6a67036b85b8e56611001cc3c32815aabdf1c75b1e502bec17ea52325cc4502a4f54633
-
Filesize
4.2MB
MD5877f4ff55df1279859a915784e9c1494
SHA130b03e3dac3f57a0b376c465ca94991ffe052746
SHA25646b345683ee524fbac5d47c7bf8e88b2c9cf899bf0045252d00df8224b725bd8
SHA5128c77127a73246346e0f2240655ac6de7905e28457b65449448e24b71ce9368d7a55731933102b75c74282b6ef69a9f821c3c281ce54699a77fbd3749656baed6
-
Filesize
4.3MB
MD5423978fb826c3fc0c41db0fba4ff454e
SHA109d9ac847811fe226552c58ec5ed93b092f2c79b
SHA2563a3e00d087237d33ccce31f5cd256e939c210250ebe153ffd140aef3bf3bbfd3
SHA512fbdd99c17ca49b6908cee7386e7c76b5916304a91ecd2bc8f9be57747a3bc44a651f957f61e7353ea74435463ad23908744ee922ac40adc9c8c6c79230772ab3
-
Filesize
4.2MB
MD56c9652ed58486ed708ec83779d14d245
SHA1e93d86dc4c1d0485723b0367321fb93c9d4dbf21
SHA256cc65d30034e37d0d5d68a84016e9fd28da699c372d9b2514098883d8440a2668
SHA5124747a82d74dace44e3ce45c179838a1cc245d7aeefa7d7079ed45207d35086eb331d0c7601175a7b21925ef99b85554dc3137d2f0ab274e5a52c300c71d881e7