Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20250502-en -
resource tags
arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system -
submitted
19/05/2025, 14:25
Behavioral task
behavioral1
Sample
2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe
Resource
win10v2004-20250502-en
General
-
Target
2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe
-
Size
4.2MB
-
MD5
9683dda5462f983c35536907ab248964
-
SHA1
183fbb7d9b518a720e4ecfc8a5870c66841997f9
-
SHA256
de5cde8382551f355f84b439277bd0c7c929f8d60669a21de6c5346853948037
-
SHA512
c638f7edd816ad43989e657bad82a4f5760f20cbbd954d6695788d3b269acb1ee6c8a8c74d7b26335035b0675ece909bc52a8121dbfa0e41ea2947de0de0f2a2
-
SSDEEP
49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q42:ieF+iIAEl1JPz212IhzL+Bzz3dw/V0
Malware Config
Signatures
-
Gofing
Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.
-
Gofing family
-
Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation. 3 IoCs
resource yara_rule behavioral1/files/0x0003000000022a64-4.dat family_gofing behavioral1/files/0x0002000000021e18-5434.dat family_gofing behavioral1/files/0x000200000002192a-5447.dat family_gofing -
Renames multiple (51) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops file in Drivers directory 22 IoCs
description ioc Process File created C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\gm.dls 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\afunix.sys 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\gmreadme.txt 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\uk-UA\NdisImPlatform.sys.mui 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe -
Manipulates Digital Signatures 2 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
description ioc Process File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\wintrust.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe -
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe -
Loads dropped DLL 64 IoCs
pid Process 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops Chrome extension 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Downloads\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Public\Pictures\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\OneDrive\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Links\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Offline Web Pages\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Pictures\Camera Roll\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Public\Desktop\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Public\Documents\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Public\Downloads\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Public\Videos\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Public\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Media\Desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\$Recycle.Bin\S-1-5-21-3299287909-2279959458-198972791-1000\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\3D Objects\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Favorites\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Pictures\Saved Pictures\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Videos\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Saved Games\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Documents\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Favorites\Links\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Desktop\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Public\Music\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Fonts\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe -
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\netlogon.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-UX-UI-Client-merged-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\MultiPoint-Tools-Opt-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.xls 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ArchiveResource\es-ES\ArchiveProvider.psd1 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\en-US\PSDesiredStateConfiguration.Resource.psd1 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\mfc100cht.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\wbem\es-ES\wbemcntl.dll.mui 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\ARP.EXE 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Multimedia-RestrictedCodecsCore-WOW64-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\AzureSettingSyncProvider.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\WinMetadata\Windows.Storage.winmd 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\en-US\NetworkItemFactory.dll.mui 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\ja-JP\charmap.exe.mui 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppServerClient-OptGroup-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\ErrorDetails.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\IME\SHARED\res\padrs411.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\ja-JP\msxml6r.dll.mui 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\winmm.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_19_for_KB5005699~31bf3856ad364e35~amd64~~19041.1220.1.0.cat 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RegistryResource\es-ES\MSFT_RegistryResource.schema.mfl 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\en-US\packager.dll.mui 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-KernelInt-VirtualDevice-merged-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-RDP4VS-merged-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Vpci-VSP-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-UtilityVM-Containers-Shared-merged-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-DirectoryServices-ADAM-Client-Admin-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-RegulatedPackages-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\ETWCoreUIComponentsResources.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\en-US\wlanutil.dll.mui 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-IIS-WebServer-ServerCommon-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\appidapi.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\es-ES\modemui.dll.mui 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\fr-FR\fixmapi.exe.mui 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\mountvol.exe 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\shunimpl.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\wbem\mispace_uninstall.mof 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-UX-UI-63-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-VMMS-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\CheckNetIsolation.exe 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\Speech_OneCore\Common\fr-FR\Tokens_SR_fr-FR-N.xml 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\it-IT\wcncsvc.dll.mui 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\ja-JP\MFC40.dll.mui 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\systemcpl.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-VirtualMachine-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0112~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\de-DE\WF.msc 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\it-IT\iesetup.dll.mui 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\wbem\en-US\vss.mfl 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\wbem\whqlprov.mof 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Multimedia-MF-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1288.cat 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-AppServerClient-Opt-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\MultiPoint-Help-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CredProvHelper.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\LocationApi.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\PlayToDevice.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\ja-JP\rasgcw.dll.mui 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Storage-VSP-merged-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-EditionPack-Professional-WOW64-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PhotoBasic-Feature-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\DriverStore\FileRepository\bcmfn2.inf_amd64_5ebadf201c5b5845\bcmfn2.sys 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\NcaApi.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\WinSyncMetastore.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\SLINTL.DLL 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-200_contrast-high.png 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-36_contrast-white.png 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSplashLogo.scale-150.png 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Controls.Ribbon.resources.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\hr-hr\ui-strings.js 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.scale-150.png 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_altform-unplated_contrast-black.png 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\learning_tools.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-oob.xrm-ms 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg1a_thumb.png 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailLargeTile.scale-100.png 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\7-Zip\Lang\uk.txt 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hi-in.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-pl.xrm-ms 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-140.png 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\THMBNAIL.PNG 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-256.png 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\en_CA.aff 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\Common Files\System\ado\de-DE\msader15.dll.mui 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-100.png 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-16_altform-lightunplated.png 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Retail\NinjaCatOnDragon.scale-100.png 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Xbox.Foundation.Media.winmd 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\WindowsFormsIntegration.resources.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationTypes.resources.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-48.png 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARAIT.TTF 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\VideoLAN\VLC\lua\intf\dumpmeta.luac 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.Advertising.winmd 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-400_contrast-white.png 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeTile.scale-400_contrast-white.png 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\MedTile.scale-100.png 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xea23.png 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-100_contrast-white.png 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.2.2_2.2.27328.0_x64__8wekyb3d8bbwe\AppxManifest.xml 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\TimerSmallTile.contrast-white_scale-100.png 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-us\lpcstrings.json 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\dotnet\LICENSE.txt 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\es-es\ui-strings.js 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\msdaorar.dll.mui 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\EBWebView\x64\EmbeddedBrowserWebView.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\Trust Protection Lists\manifest.json.DATA 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Edit.White.png 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MINSBROAMINGPROXY.DLL 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_BadgeLogo.scale-100.png 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_OwlEye.png 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-150_contrast-black.png 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxLargeTile.scale-100.png 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Xaml.resources.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\de\PresentationUI.resources.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ul-oob.xrm-ms 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\198.png 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-36_altform-lightunplated.png 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Entertainment.winmd 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-math-l1-1-0.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClientSideProviders.resources.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\Extensions\external_extensions.json.DATA 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense_eula.txt 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\PAPYRUS.INF 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\196.png 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WsatConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Permissions\App_LocalResources\managePermissions.aspx.fr.resx 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\es\System.Data.Entity.resources.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Office.Tools.Excel.Implementation\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.Office.Tools.Excel.Implementation.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\de-DE\PushToInstall.adml 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\INF\PERFLIB\0410\perfd.dat 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\INF\ksfilter.inf 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\ImmersiveControlPanel\images\TileSmall.scale-150.png 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Media\Windows Notify.wav 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardAddUser.ascx.fr.resx 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallPersistSqlState.sql 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\System.EnterpriseServices.Wrapper.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\INF\SDFLauncher.inf 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\error.aspx.ja.resx 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\ManageAppSettings.aspx 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SbsNclPerf.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands.Resources\v4.0_10.0.0.0_it_31bf3856ad364e35\Microsoft.SecureBoot.Commands.Resources.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ISECommon.Resources\v4.0_3.0.0.0_es_31bf3856ad364e35\Microsoft.PowerShell.ISECommon.resources.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SrpUxSnapIn.resources\v4.0_10.0.0.0_de_31bf3856ad364e35\SrpUxSnapIn.resources.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Device.resources\v4.0_4.0.0.0_de_b77a5c561934e089\System.Device.resources.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Fonts\smallee.fon 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallRoles.sql 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\legacy.web_mediumtrust.config 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it\MSBuild.resources.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it\Microsoft.VisualBasic.Compatibility.Data.resources.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Activities.resources\v4.0_4.0.0.0_fr_31bf3856ad364e35\System.ServiceModel.Activities.resources.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\fr-FR\ControlPanel.adml 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Speech\Common\es-ES\sapisvr.exe.mui 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\INF\net1ic64.inf 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File opened for modification C:\Windows\Logs\CBS\CBS.log 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ja\System.Workflow.Activities.resources.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.GetDiagInput.Resources\v4.0_1.0.0.0_de_31bf3856ad364e35\Microsoft.Windows.Diagnosis.Commands.GetDiagInput.resources.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_vcomp100_x86 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\DE\Microsoft.Build.Utilities.Resources.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v3.5\1033\cscompui.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ja\CustomMarshalers.resources.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\App_LocalResources\createPermission.aspx.ja.resx 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\findUsers.aspx 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Security.Principal.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_perf.h 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Fonts\85f874.fon 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\ImmersiveControlPanel\images\splashscreen.contrast-white_scale-400.png 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\icucnv40.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Regasm.resources\v4.0_4.0.0.0_it_b03f5f7f11d50a3a\Regasm.resources.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\en-US\NetworkConnections.adml 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\reader_sl.exe 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\1031\cscompui.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\DE\System.Messaging.Resources.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\de\System.Windows.Forms.DataVisualization.resources.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\it-IT\ServiceModelEvents.dll.mui 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\fr\System.ComponentModel.Composition.Registration.resources.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ConfigCI.Commands.Resources\v4.0_10.0.0.0_es_31bf3856ad364e35\Microsoft.ConfigCI.Commands.Resources.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Policy.3.0.Microsoft.BackgroundIntelligentTransfer.Management\v4.0_10.0.0.0__31bf3856ad364e35\Policy.3.0.Microsoft.BackgroundIntelligentTransfer.Management.config 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\fr\UIAutomationClient.resources.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\fr\System.IO.Log.resources.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.IdentityModel.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Activities.DurableInstancing.resources\v4.0_4.0.0.0_es_31bf3856ad364e35\System.Activities.DurableInstancing.resources.dll 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\NetworkConnections.admx 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\en-US\EventLog.adml 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\it-IT\WordWheel.adml 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\ja-JP\AppxPackageManager.adml 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe File created C:\Windows\ImmersiveControlPanel\images\TinyTile.contrast-black_scale-100.png 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchApp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchApp.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Near" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\M1031Katja" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Adult" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "5223743" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - Spanish (Spain)" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\r1036sr.lxa" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - Italian (Italy)" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Stefan" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR fr-FR Lts Lexicon" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\r1040sr.lxa" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "既定の音声として%1を選びました" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "DebugPlugin" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Male" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\AI043082" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\es-ES\\M3082Pablo" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\es-ES\\M3082Helena" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\c1041.fe" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "436;41c;401;801;c01;1001;1401;1801;1c01;2001;2401;2801;2c01;3001;3401;3801;3c01;4001;42b;42c;82c;42d;423;402;455;403;c04;1004;1404;41a;405;406;465;413;813;809;c09;1009;1409;1809;1c09;2009;2409;2809;2c09;3009;3409;425;438;429;40b;80c;c0c;100c;140c;180c;456;437;807;c07;1007;1407;408;447;40d;439;40e;40f;421;410;810;44b;457;412;812;440;426;427;827;42f;43e;83e;44e;450;414;814;415;416;816;446;418;419;44f;c1a;81a;41b;424;80a;100a;140a;180a;1c0a;200a;240a;280a;2c0a;300a;340a;380a;3c0a;400a;440a;480a;4c0a;500a;430;441;41d;81d;45a;449;444;44a;41e;41f;422;420;820;443;843;42a;540a" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\lsr1033.lxa" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Haruka" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - Italian (Italy)" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\r1033sr.lxa" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\AI041033" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "L1031" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\L1031" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR Engine (11.0) Text Normalization" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Katja" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - German (Germany)" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\AI041036" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{57523D96-B7F6-4D2C-8AFC-BCC5F5392E94}" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\it-IT\\VoiceActivation_it-IT.dat" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\MSTTSLocdeDE.dat" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\c1036.fe" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR fr-FR Locale Handler" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\tn1036.bin" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "MS-1040-110-WINMO-DNN" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{37A9D401-0BF5-4366-9530-C75C6DC23EC9}" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\fr-FR\\MSTTSLocfrFR.dat" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\ja-JP\\sidubm.table" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "en-US" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "16000" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\lsr3082.lxa" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{81218F10-A8AA-44C4-9436-33A42C3852E9}" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "5248260" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\r1041sr.lxa" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - Japanese (Japan)" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "5233694" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - German (Germany)" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "L1033" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; currency=NativeSupported; url=NativeSupported; address=NativeSupported; alphanumeric=NativeSupported; message=NativeSupported; computer=NativeSupported" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Has seleccionado %1 como voz predeterminada." SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "French Phone Converter" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\AI041031" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Julie - French (France)" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Paul - French (France)" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Paul" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\it-IT\\MSTTSLocitIT.dat" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "1" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft David - English (United States)" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Laura - Spanish (Spain)" SearchApp.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4040 SearchApp.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2744 SearchApp.exe 4040 SearchApp.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Drops startup file
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1224
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2744
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4040
Network
MITRE ATT&CK Enterprise v16
Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.2MB
MD5573ce27e20449e284b919c487a35526b
SHA146d596989ce94953c94b6d5c5c176af6b3ccf784
SHA2563600f01f77287451e7297d4ea9b454062bf4ef0d17736357e07fe530e7baa1b6
SHA5120afb779e5dc4d97cbfed4df0a26e9302c41ff32ae562bf77fea700a7d9ea461a62d004797278b07a507a624bb18621e1094a514c36a090b68a7151212efe1fcf
-
Filesize
4.4MB
MD576e336ca62749eb4a3e471f170cb3017
SHA12588ef15faa7c05d60fe9bd77a066dfcd47c6722
SHA256675b2b3f3ef7b84bfa272130e1fe70ec52132badb2f21ca771907bb05be494be
SHA5122ae20120e106893dbec0a2c48b86602bdbb2bd928633d59e54e5075ff525404a6ed935215b54fe547f7fa80bc138bfeb051a87c15ab655ff6b5abd0cd45adc14
-
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll
Filesize5.8MB
MD5df8314eb0dae6091c41f697729a97af5
SHA13dc5a38593185bd39eb92455ba5da9488990ce6c
SHA256c98b441f54c471e1437fbf5dbc2b59e130af03456048fbea7657d93999560db7
SHA5128db2c7b1b4f51ad0afa982c2e1abad7efd1a208a9e14927ce66288fda58c97f150c5ae0c32f3a06e4f8ba00798ad38e0a343f5a6bcb8413700effe93c9a91e35
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\HXMWSROC\microsoft.windows[1].xml
Filesize96B
MD5d1fa3bb8936674b1a19634902bdfd5c8
SHA10ac11dd3a241056ea263e2a529558131da75a3bd
SHA256880169ece509a987d4fe7f9f034d9fd302755704371fc2b54aa7b1e0f1f9395e
SHA5122a49cebbbe0e9aff80dbc0f7ecf631054c986964132fc7d2325362d493d5ee50fb518de881f57972e8b6d21beb62c554392b7a06fd015d3f7548d6d71826678c
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{fb7ba1ed-65f5-4473-9f36-acefac690084}\apps.csg
Filesize444B
MD55475132f1c603298967f332dc9ffb864
SHA14749174f29f34c7d75979c25f31d79774a49ea46
SHA2560b0af873ef116a51fc2a2329dc9102817ce923f32a989c7a6846b4329abd62cd
SHA51254433a284a6b7185c5f2131928b636d6850babebc09acc5ee6a747832f9e37945a60a7192f857a2f6b4dd20433ca38f24b8e438ba1424cc5c73f0aa2d8c946ff
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{fb7ba1ed-65f5-4473-9f36-acefac690084}\apps.schema
Filesize150B
MD51659677c45c49a78f33551da43494005
SHA1ae588ef3c9ea7839be032ab4323e04bc260d9387
SHA2565af0fc2a0b5ccecdc04e54b3c60f28e3ff5c7d4e1809c6d7c8469f0567c090bb
SHA512740a1b6fd80508f29f0f080a8daddec802aabed467d8c5394468b0cf79d7628c1cb5b93cf69ed785999e8d4e2b0f86776b428d4fa0d1afcdf3cbf305615e5030
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{fb7ba1ed-65f5-4473-9f36-acefac690084}\appsconversions.txt
Filesize863KB
MD5f96bc17471a5a7512f96d1a7e96dc2ec
SHA1dff2604dcf06f7da9566028771f81f3eb117105d
SHA256d7b7ae405896463f8628f1acee505da01c95779aea86f6b63f3a426745030237
SHA51201462aff1f1ca9fbc7a421a826984112cbef1546a41057213d76ad99fbf64ef131eb989fd3ae2bba1fac3c82c1081fd7c23b3b5d331bbe9d484f76d4ec57968d
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133921384547499786.txt
Filesize27KB
MD547a4ff6651a6ebe2afb78d818e46dd8d
SHA1e067066b8517d3c5c307801bb8e7c0f8a5347115
SHA256ac89c0958969e99c2b73a36a3ccc0088452612b3074f15797e278d7cc0380fa4
SHA5125876248e231761f8e1ce00c58f9aa80d3d96270fffc03e2be0d165a1a086dceac2bd1bb3a609efa4ac58197896753b26bc74d3c18186acf8a6959ce5bd8bd046
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133921384630886023.txt
Filesize14KB
MD5b9a3570135c6cdac61e23a655424bb81
SHA1b25c823b867b820fa34e0d61892c99af1b3db241
SHA256e193af6a87eea12acbb0e56ca2c4e0b078e4c775d8b0f46c327eeb0ce00ce2e6
SHA51273f70af649bf07c3c9c9298c78f8fc1168be976af14b7e381ccf33fef36cfc4809becb8d2c7ecb5ea8d198f7bdf1c2f30ed1c800df4086099215c8ade7d86ca0
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
Filesize12KB
MD5585d59e56728fdeb3389e4fb7cd6bc3b
SHA1bb169c6ec156a09bb60dc354958cd6cb3dd46090
SHA256b16aa654cb4f6d1111954f861e1c2ff9ff2e97a4f5e9bed6ff3ae4cf9c1ac828
SHA512212de690d347865bfbd5aebcae465b6eac5187013a9fe0b07e0275bf58e6f25d29b981c20a06ed894c2d3203090f51250e414b4b4dde7ede1f523670c3822665
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
Filesize13KB
MD5a700bf85ea76215925e01281cdb77e0a
SHA111f39902e4119d7aab491faadb6e0130de0f7bff
SHA2569f1931f5df753efff55d89290a3c15308127f4973b72b73676e68a7562ed3adc
SHA51274c615a08fce167f2438f70be1fd2a720ae4de7a3809e5483ce0a84eac31990c0950e9acf45051a17852256d56e4c47c2089d3f01b23134c87cdc62338b12327