99959c5141f62d4fbb60efdc05260b6e956651963d29c36845f435815062fd98

Analysis

max time kernel
103s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
18/03/2025, 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
Size

719KB
MD5

3e063dc0de937df5841cb9c2ff3e4651
SHA1

e683bfaeb1a695ff9ef1759cf1944fa3bb3b6948
SHA256

99959c5141f62d4fbb60efdc05260b6e956651963d29c36845f435815062fd98
SHA512

9a0d0c04b95bbf8c73beb398cc72fa8e9dc87e3149e8c2f43b05fca4ef8e4410c1d65ed11e50b01d24719ce6a8996448944ab56601ef65116614a17f2e10d23f
SSDEEP

12288:aKRHZl7Lup6ySk3QYktDNYlg2317DJtY7wdD30qoifK/Ke5ABa4QP9+NrMke03f9:aKslHY7wdD30qnfsKxB+ZKX55WsSuFrl

Score

10^/10

credential_access discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\readme.txt

Ransom Note

--= No news is a good news ! =-- Your network has been breached and all your files Personal data, financial reports and important documents has been stolen , encrypted and ready to publish to public, if you willing to continue your bussines and make more money and keep bussines secret safe you need to restore your files first, And to restore all your files you have to pay the ransom in Bitcoin. don't bother your self and wast your time or make it more harder on your bussines , we developed a locker that can't be decrypted using third part decrypters . making your self geek and trying to restore the files with third part decrypter this will leads to lose all your date ! and then the even you pay the ransom can't help you to restore your files even us. to chat with us : 1 - Download tor browser https://www.torproject.org/download/ 2 - go to one of these links above http://vanhelcbxqt4tqie6fuevfng2bsdtxgc7xslo2yo7nitaacdfrlpxnqd.onion http://vanhelqmjstkvlhrjwzgjzpq422iku6wlggiz5y5r3rmfdeiaj3ljaid.onion http://vanhelsokskrlaacilyfmtuqqa5haikubsjaokw47f3pt3uoivh6cgad.onion http://vanheltarnbfjhuvggbncniap56dscnzz5yf6yjmxqivqmb5r2gmllad.onion 3 - you will be asked for your ticket id to enter the chat this for you : TICKET ID 6994669932656897989 usefull links : #OUR TOR BLOG : http://vanhelvuuo4k3xsiq626zkqvp6kobc2abry5wowxqysibmqs5yjh4uqd.onion http://vanhelwmbf2bwzw7gmseg36qqm4ekc5uuhqbsew4eihzcahyq7sukzad.onion http://vanhelxjo52qr2ixcmtjayqqrcodkuh36n7uq7q7xj23ggotyr3y72yd.onion

URLs

http://vanhelcbxqt4tqie6fuevfng2bsdtxgc7xslo2yo7nitaacdfrlpxnqd.onion

http://vanhelqmjstkvlhrjwzgjzpq422iku6wlggiz5y5r3rmfdeiaj3ljaid.onion

http://vanhelsokskrlaacilyfmtuqqa5haikubsjaokw47f3pt3uoivh6cgad.onion

http://vanheltarnbfjhuvggbncniap56dscnzz5yf6yjmxqivqmb5r2gmllad.onion

http://vanhelvuuo4k3xsiq626zkqvp6kobc2abry5wowxqysibmqs5yjh4uqd.onion

http://vanhelwmbf2bwzw7gmseg36qqm4ekc5uuhqbsew4eihzcahyq7sukzad.onion

http://vanhelxjo52qr2ixcmtjayqqrcodkuh36n7uq7q7xj23ggotyr3y72yd.onion

Signatures

Renames multiple (8959) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\RemoveStop.3g2	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-125_contrast-black.png	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\MedTile.scale-125_contrast-white.png	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-125.png	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\hr-hr\README.txt	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files (x86)\Common Files\System\ado\it-IT\README.txt	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallTile.scale-100_contrast-white.png	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\ResiliencyLinks\Trust Protection Lists\Mu\TransparentAdvertisers.DATA	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\US_export_policy.jar	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\sql2000.xsl	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleWideTile.scale-200.png	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe81b.png	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_fillandsign_18.svg	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\wmpnssci.dll.mui	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\README.txt	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\README.txt	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nl-nl\ui-strings.js	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\es-es\ui-strings.js	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\VisualElements\LogoBeta.png	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\+NewSQLServerConnection.odc	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-256.png	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\Assets\AppIcon.png	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sendforsignature_18.svg	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hr-hr\README.txt	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-pl.xrm-ms	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionWideTile.scale-150.png	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-72_contrast-high.png	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\he-il\README.txt	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\Locales\gd.pak.DATA	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\Trust Protection Lists\Mu\Fingerprinting.DATA	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-oob.xrm-ms	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubSplashWideTile.scale-100_contrast-white.png	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\Movie-TVStoreLogo.scale-100_contrast-black.png	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-24.png	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon.png	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\Locales\vi.pak	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Warm.xml	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\Blog.dotx	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-80_altform-unplated.png	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\FileAssociation\FileAssociation.targetsize-256.png	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteMediumTile.scale-200.png	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MicrosoftLogo.scale-200.png	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-ma\README.txt	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\LargeTile.scale-125.png	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Exchange.scale-150.png	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\CT_ROOTS.XML	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\System\FM20ENU.DLL	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Dark\Sunset.png	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-16_altform-unplated.png	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_2019.716.2313.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\ar.pak	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\README.txt	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailSplashLogo.scale-300.png	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sk-sk\README.txt	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-256_altform-unplated_contrast-black_devicefamily-colorfulunplated.png	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\dot_2x.png	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\GROOVEEX.DLL	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sq-AL\View3d\README.txt	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\LargeTile.scale-100.png	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe

C:\Users\Admin\AppData\Local\Temp\2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-18_3e063dc0de937df5841cb9c2ff3e4651_avoslocker_cobalt-strike_luca-stealer.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\readme.txt

Filesize
1KB

MD5
fdb3ebd9bc1237354dec30a2de9a78ce

SHA1
255ec3c63ee80545d31d302ea348024c522863f5

SHA256
794b3bf63d9ced141ba41a710697230da41b7e75c341d549a3b3359955b7fe6f

SHA512
ae9600b98a0b1450dc5c0d9a94281104f04770bc758d40270b7a7b4e5b7f5406d36c290676ec59b0d9c43b2d99ab876c8a4fe302e746aa15bf2dd14ade1f6fd7

Download Submit