202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685

General

Target

202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe
Size

604KB
MD5

0eff9e6701cb10ddc66f3d619dae7a36
SHA1

20a506351b97caef312b7f808638623512435c23
SHA256

202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685
SHA512

41bc0934a29ae6f18804006ac9ff264ec1b41edc0bc2b312db4e24f14acd64a3c6f0838406c9d0d1d70ebc8aad7fb0b9a9882401e7e807aec95c999be9923c01

Score

10^/10

evasion persistence ransomware suricata

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1819626980-2277161760-1023733287-1000\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.txt

Ransom Note

__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server. What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://jj4dhbg4d86sdgrsdfzcadc.ziraimshi.com/29E01CCCDE9BD5E7 2. http://uu5dbnmsedf4s3jdnfbh34fsdf.parsesun.at/29E01CCCDE9BD5E7 3. http://perc54hg47fhnkjnfvcdgvdc.clinkjuno.com/29E01CCCDE9BD5E7 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization 3. Type in the address bar: fwgrhsao3aoml7ej.onion/29E01CCCDE9BD5E7 4. Follow the instructions on the site. !!! IMPORTANT INFORMATION: !!! Your personal pages: http://jj4dhbg4d86sdgrsdfzcadc.ziraimshi.com/29E01CCCDE9BD5E7 http://uu5dbnmsedf4s3jdnfbh34fsdf.parsesun.at/29E01CCCDE9BD5E7 http://perc54hg47fhnkjnfvcdgvdc.clinkjuno.com/29E01CCCDE9BD5E7 !!! Your personal page Tor-Browser: fwgrhsao3aoml7ej.onion/29E01CCCDE9BD5E7 !!! Your personal identification ID: 29E01CCCDE9BD5E7

URLs

http://jj4dhbg4d86sdgrsdfzcadc.ziraimshi.com/29E01CCCDE9BD5E7

http://uu5dbnmsedf4s3jdnfbh34fsdf.parsesun.at/29E01CCCDE9BD5E7

http://perc54hg47fhnkjnfvcdgvdc.clinkjuno.com/29E01CCCDE9BD5E7

http://fwgrhsao3aoml7ej.onion/29E01CCCDE9BD5E7

Signatures

suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 5 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

1648 bcdedit.exe
1748 bcdedit.exe
1820 bcdedit.exe
1908 bcdedit.exe
1388 bcdedit.exe

pid	process
1648	bcdedit.exe
1748	bcdedit.exe
1820	bcdedit.exe
1908	bcdedit.exe
1388	bcdedit.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lkadvkc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	lkadvkc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\addon_v57 = "C:\\Users\\Admin\\AppData\\Roaming\\lkadvkc.exe"	lkadvkc.exe

Executes dropped EXE 2 IoCs

Processes:

lkadvkc.exelkadvkc.exe

pid process

1316 lkadvkc.exe
780 lkadvkc.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

900 cmd.exe

pid	process
1316	lkadvkc.exe
780	lkadvkc.exe

pid	process
900	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe

pid	process
1180	202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe
1180	202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exelkadvkc.exe

description	pid	process	target process
PID 1992 set thread context of 1180	1992	202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe	202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe
PID 1316 set thread context of 780	1316	lkadvkc.exe	lkadvkc.exe

Drops file in Program Files directory 64 IoCs

Processes:

lkadvkc.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.html	lkadvkc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_ButtonGraphic.png	lkadvkc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.txt	lkadvkc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.png	lkadvkc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.png	lkadvkc.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\fr-FR\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.txt	lkadvkc.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.txt	lkadvkc.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_200_percent.pak	lkadvkc.exe
File opened for modification	C:\Program Files\Internet Explorer\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.html	lkadvkc.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png	lkadvkc.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.html	lkadvkc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.png	lkadvkc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-back-static.png	lkadvkc.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.html	lkadvkc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.png	lkadvkc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.txt	lkadvkc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.txt	lkadvkc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.png	lkadvkc.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.png	lkadvkc.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.txt	lkadvkc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bs\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.png	lkadvkc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\reflect.png	lkadvkc.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\it-IT\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.txt	lkadvkc.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.png	lkadvkc.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\zh-TW.pak	lkadvkc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.txt	lkadvkc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.png	lkadvkc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.png	lkadvkc.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.html	lkadvkc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.html	lkadvkc.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.html	lkadvkc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_glass.png	lkadvkc.exe
File opened for modification	C:\Program Files\Internet Explorer\images\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.txt	lkadvkc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.html	lkadvkc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.txt	lkadvkc.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.png	lkadvkc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.png	lkadvkc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_ButtonGraphic.png	lkadvkc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.html	lkadvkc.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\es-ES\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.png	lkadvkc.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.txt	lkadvkc.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.html	lkadvkc.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.html	lkadvkc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.html	lkadvkc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\whitemenu.png	lkadvkc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.png	lkadvkc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_SelectionSubpicture.png	lkadvkc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.html	lkadvkc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.png	lkadvkc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg	lkadvkc.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.png	lkadvkc.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.html	lkadvkc.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.txt	lkadvkc.exe
File opened for modification	C:\Program Files\Common Files\Services\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.html	lkadvkc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.png	lkadvkc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.txt	lkadvkc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	lkadvkc.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.html	lkadvkc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_win7.css	lkadvkc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.txt	lkadvkc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	lkadvkc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\_H_e_l_p_RECOVER_INSTRUCTIONS+hgi.txt	lkadvkc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg	lkadvkc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_VideoInset.png	lkadvkc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2040 vssadmin.exe

pid	process
2040	vssadmin.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

lkadvkc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	lkadvkc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	lkadvkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	lkadvkc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	lkadvkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	lkadvkc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	lkadvkc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

lkadvkc.exe

pid	process
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe
780	lkadvkc.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exelkadvkc.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1180	202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe
Token: SeDebugPrivilege	780	lkadvkc.exe
Token: SeBackupPrivilege	1440	vssvc.exe
Token: SeRestorePrivilege	1440	vssvc.exe
Token: SeAuditPrivilege	1440	vssvc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exelkadvkc.exe

pid process

1992 202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe
1316 lkadvkc.exe

pid	process
1992	202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe
1316	lkadvkc.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exelkadvkc.exelkadvkc.exe

description	pid	process	target process
PID 1992 wrote to memory of 1180	1992	202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe	202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe
PID 1992 wrote to memory of 1180	1992	202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe	202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe
PID 1992 wrote to memory of 1180	1992	202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe	202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe
PID 1992 wrote to memory of 1180	1992	202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe	202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe
PID 1992 wrote to memory of 1180	1992	202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe	202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe
PID 1992 wrote to memory of 1180	1992	202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe	202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe
PID 1992 wrote to memory of 1180	1992	202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe	202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe
PID 1992 wrote to memory of 1180	1992	202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe	202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe
PID 1992 wrote to memory of 1180	1992	202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe	202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe
PID 1992 wrote to memory of 1180	1992	202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe	202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe
PID 1992 wrote to memory of 1180	1992	202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe	202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe
PID 1180 wrote to memory of 1316	1180	202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe	lkadvkc.exe
PID 1180 wrote to memory of 1316	1180	202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe	lkadvkc.exe
PID 1180 wrote to memory of 1316	1180	202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe	lkadvkc.exe
PID 1180 wrote to memory of 1316	1180	202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe	lkadvkc.exe
PID 1180 wrote to memory of 900	1180	202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe	cmd.exe
PID 1180 wrote to memory of 900	1180	202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe	cmd.exe
PID 1180 wrote to memory of 900	1180	202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe	cmd.exe
PID 1180 wrote to memory of 900	1180	202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe	cmd.exe
PID 1316 wrote to memory of 780	1316	lkadvkc.exe	lkadvkc.exe
PID 1316 wrote to memory of 780	1316	lkadvkc.exe	lkadvkc.exe
PID 1316 wrote to memory of 780	1316	lkadvkc.exe	lkadvkc.exe
PID 1316 wrote to memory of 780	1316	lkadvkc.exe	lkadvkc.exe
PID 1316 wrote to memory of 780	1316	lkadvkc.exe	lkadvkc.exe
PID 1316 wrote to memory of 780	1316	lkadvkc.exe	lkadvkc.exe
PID 1316 wrote to memory of 780	1316	lkadvkc.exe	lkadvkc.exe
PID 1316 wrote to memory of 780	1316	lkadvkc.exe	lkadvkc.exe
PID 1316 wrote to memory of 780	1316	lkadvkc.exe	lkadvkc.exe
PID 1316 wrote to memory of 780	1316	lkadvkc.exe	lkadvkc.exe
PID 1316 wrote to memory of 780	1316	lkadvkc.exe	lkadvkc.exe
PID 780 wrote to memory of 1648	780	lkadvkc.exe	bcdedit.exe
PID 780 wrote to memory of 1648	780	lkadvkc.exe	bcdedit.exe
PID 780 wrote to memory of 1648	780	lkadvkc.exe	bcdedit.exe
PID 780 wrote to memory of 1648	780	lkadvkc.exe	bcdedit.exe
PID 780 wrote to memory of 2040	780	lkadvkc.exe	vssadmin.exe
PID 780 wrote to memory of 2040	780	lkadvkc.exe	vssadmin.exe
PID 780 wrote to memory of 2040	780	lkadvkc.exe	vssadmin.exe
PID 780 wrote to memory of 2040	780	lkadvkc.exe	vssadmin.exe
PID 780 wrote to memory of 1748	780	lkadvkc.exe	bcdedit.exe
PID 780 wrote to memory of 1748	780	lkadvkc.exe	bcdedit.exe
PID 780 wrote to memory of 1748	780	lkadvkc.exe	bcdedit.exe
PID 780 wrote to memory of 1748	780	lkadvkc.exe	bcdedit.exe
PID 780 wrote to memory of 1820	780	lkadvkc.exe	bcdedit.exe
PID 780 wrote to memory of 1820	780	lkadvkc.exe	bcdedit.exe
PID 780 wrote to memory of 1820	780	lkadvkc.exe	bcdedit.exe
PID 780 wrote to memory of 1820	780	lkadvkc.exe	bcdedit.exe
PID 780 wrote to memory of 1908	780	lkadvkc.exe	bcdedit.exe
PID 780 wrote to memory of 1908	780	lkadvkc.exe	bcdedit.exe
PID 780 wrote to memory of 1908	780	lkadvkc.exe	bcdedit.exe
PID 780 wrote to memory of 1908	780	lkadvkc.exe	bcdedit.exe
PID 780 wrote to memory of 1388	780	lkadvkc.exe	bcdedit.exe
PID 780 wrote to memory of 1388	780	lkadvkc.exe	bcdedit.exe
PID 780 wrote to memory of 1388	780	lkadvkc.exe	bcdedit.exe
PID 780 wrote to memory of 1388	780	lkadvkc.exe	bcdedit.exe

C:\Users\Admin\AppData\Local\Temp\202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe
"C:\Users\Admin\AppData\Local\Temp\202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe
  "C:\Users\Admin\AppData\Local\Temp\202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Users\Admin\AppData\Roaming\lkadvkc.exe
    C:\Users\Admin\AppData\Roaming\lkadvkc.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1316
  - - C:\Users\Admin\AppData\Roaming\lkadvkc.exe
      C:\Users\Admin\AppData\Roaming\lkadvkc.exe
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:780
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {current} bootems off
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1648
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:2040
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {current} advancedoptions off
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1748
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {current} optionsedit off
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1820
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1908
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {current} recoveryenabled off
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1388
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\202AB1~1.EXE
    3⤵
    - Deletes itself
    PID:900

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

3

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\lkadvkc.exe

Filesize
604KB

MD5
0eff9e6701cb10ddc66f3d619dae7a36

SHA1
20a506351b97caef312b7f808638623512435c23

SHA256
202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685

SHA512
41bc0934a29ae6f18804006ac9ff264ec1b41edc0bc2b312db4e24f14acd64a3c6f0838406c9d0d1d70ebc8aad7fb0b9a9882401e7e807aec95c999be9923c01

Download Submit
C:\Users\Admin\AppData\Roaming\lkadvkc.exe

Filesize
604KB

MD5
0eff9e6701cb10ddc66f3d619dae7a36

SHA1
20a506351b97caef312b7f808638623512435c23

SHA256
202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685

SHA512
41bc0934a29ae6f18804006ac9ff264ec1b41edc0bc2b312db4e24f14acd64a3c6f0838406c9d0d1d70ebc8aad7fb0b9a9882401e7e807aec95c999be9923c01

Download Submit
C:\Users\Admin\AppData\Roaming\lkadvkc.exe

Filesize
604KB

MD5
0eff9e6701cb10ddc66f3d619dae7a36

SHA1
20a506351b97caef312b7f808638623512435c23

SHA256
202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685

SHA512
41bc0934a29ae6f18804006ac9ff264ec1b41edc0bc2b312db4e24f14acd64a3c6f0838406c9d0d1d70ebc8aad7fb0b9a9882401e7e807aec95c999be9923c01

Download Submit
\Users\Admin\AppData\Roaming\lkadvkc.exe

Filesize
604KB

MD5
0eff9e6701cb10ddc66f3d619dae7a36

SHA1
20a506351b97caef312b7f808638623512435c23

SHA256
202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685

SHA512
41bc0934a29ae6f18804006ac9ff264ec1b41edc0bc2b312db4e24f14acd64a3c6f0838406c9d0d1d70ebc8aad7fb0b9a9882401e7e807aec95c999be9923c01

Download Submit
\Users\Admin\AppData\Roaming\lkadvkc.exe

Filesize
604KB

MD5
0eff9e6701cb10ddc66f3d619dae7a36

SHA1
20a506351b97caef312b7f808638623512435c23

SHA256
202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685

SHA512
41bc0934a29ae6f18804006ac9ff264ec1b41edc0bc2b312db4e24f14acd64a3c6f0838406c9d0d1d70ebc8aad7fb0b9a9882401e7e807aec95c999be9923c01

Download Submit
memory/780-103-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/780-97-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/780-96-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/780-92-0x0000000000458C46-mapping.dmp

Download
memory/900-78-0x0000000000000000-mapping.dmp

Download
memory/1180-64-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1180-59-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1180-72-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1180-56-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1180-57-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1180-67-0x0000000000458C46-mapping.dmp

Download
memory/1180-66-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1180-71-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1180-79-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1180-63-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1180-61-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1316-75-0x0000000000000000-mapping.dmp

Download
memory/1388-104-0x0000000000000000-mapping.dmp

Download
memory/1648-98-0x0000000000000000-mapping.dmp

Download
memory/1748-100-0x0000000000000000-mapping.dmp

Download
memory/1820-101-0x0000000000000000-mapping.dmp

Download
memory/1908-102-0x0000000000000000-mapping.dmp

Download
memory/1992-54-0x0000000075DB1000-0x0000000075DB3000-memory.dmp

Filesize
8KB

Download
memory/1992-69-0x00000000003C0000-0x00000000003C3000-memory.dmp

Filesize
12KB

Download
memory/1992-55-0x00000000003C0000-0x00000000003C3000-memory.dmp

Filesize
12KB

Download
memory/2040-99-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads