a3696693f8b5cb27a1709c3676f871b9e4cfe0651a9230cca71cbb9fe2ac2302

Analysis

max time kernel
80s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3696693f8b5cb27a1709c3676f871b9e4cfe0651a9230cca71cbb9fe2ac2302.exe
Size

233KB
MD5

37daaa520f6af5098c018b9aef020289
SHA1

ac6cc932e2a4ab13ce6c1b2c47abc59219c24f2e
SHA256

a3696693f8b5cb27a1709c3676f871b9e4cfe0651a9230cca71cbb9fe2ac2302
SHA512

20b63979d3a3e2f6cb335abbdaca6758bdd164b0c892d5e4eb73e4c6ddb885e993230a6a29044ca81f796b087387bc2f391c7fff40d0fe3793403018e7433201
SSDEEP

3072:Yu5XXqsjBp239o6xfwEMo8rcV7+d6t0vQx5yml+5JQXQMAcD47sJk7sgI:D5KsjLOo6Rd8rcV7Os59lQJQXecDq5

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2616	lexplorer.exe
5056	lexplorer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	a3696693f8b5cb27a1709c3676f871b9e4cfe0651a9230cca71cbb9fe2ac2302.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	lexplorer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\lexplorer.exe"	lexplorer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\lexplorer.exe	lexplorer.exe
File created	C:\Windows\lexplorer.exe	lexplorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	a3696693f8b5cb27a1709c3676f871b9e4cfe0651a9230cca71cbb9fe2ac2302.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3632	AcroRd32.exe
3632	AcroRd32.exe
3632	AcroRd32.exe
3632	AcroRd32.exe
3632	AcroRd32.exe
3632	AcroRd32.exe
3632	AcroRd32.exe
3632	AcroRd32.exe
3632	AcroRd32.exe
3632	AcroRd32.exe
3632	AcroRd32.exe
3632	AcroRd32.exe
3632	AcroRd32.exe
3632	AcroRd32.exe
3632	AcroRd32.exe
3632	AcroRd32.exe
3632	AcroRd32.exe
3632	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5056	lexplorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3632	AcroRd32.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3632	AcroRd32.exe
3632	AcroRd32.exe
3632	AcroRd32.exe
3632	AcroRd32.exe
3632	AcroRd32.exe
3632	AcroRd32.exe
5056	lexplorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2616	2804	a3696693f8b5cb27a1709c3676f871b9e4cfe0651a9230cca71cbb9fe2ac2302.exe	82
PID 2804 wrote to memory of 2616	2804	a3696693f8b5cb27a1709c3676f871b9e4cfe0651a9230cca71cbb9fe2ac2302.exe	82
PID 2804 wrote to memory of 3632	2804	a3696693f8b5cb27a1709c3676f871b9e4cfe0651a9230cca71cbb9fe2ac2302.exe	83
PID 2804 wrote to memory of 3632	2804	a3696693f8b5cb27a1709c3676f871b9e4cfe0651a9230cca71cbb9fe2ac2302.exe	83
PID 2804 wrote to memory of 3632	2804	a3696693f8b5cb27a1709c3676f871b9e4cfe0651a9230cca71cbb9fe2ac2302.exe	83
PID 3632 wrote to memory of 4556	3632	AcroRd32.exe	84
PID 3632 wrote to memory of 4556	3632	AcroRd32.exe	84
PID 3632 wrote to memory of 4556	3632	AcroRd32.exe	84
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 4864	4556	RdrCEF.exe	86
PID 4556 wrote to memory of 3996	4556	RdrCEF.exe	87
PID 4556 wrote to memory of 3996	4556	RdrCEF.exe	87
PID 4556 wrote to memory of 3996	4556	RdrCEF.exe	87
PID 4556 wrote to memory of 3996	4556	RdrCEF.exe	87
PID 4556 wrote to memory of 3996	4556	RdrCEF.exe	87
PID 4556 wrote to memory of 3996	4556	RdrCEF.exe	87
PID 4556 wrote to memory of 3996	4556	RdrCEF.exe	87
PID 4556 wrote to memory of 3996	4556	RdrCEF.exe	87
PID 4556 wrote to memory of 3996	4556	RdrCEF.exe	87
PID 4556 wrote to memory of 3996	4556	RdrCEF.exe	87
PID 4556 wrote to memory of 3996	4556	RdrCEF.exe	87
PID 4556 wrote to memory of 3996	4556	RdrCEF.exe	87
PID 4556 wrote to memory of 3996	4556	RdrCEF.exe	87
PID 4556 wrote to memory of 3996	4556	RdrCEF.exe	87
PID 4556 wrote to memory of 3996	4556	RdrCEF.exe	87

C:\Users\Admin\AppData\Local\Temp\a3696693f8b5cb27a1709c3676f871b9e4cfe0651a9230cca71cbb9fe2ac2302.exe
"C:\Users\Admin\AppData\Local\Temp\a3696693f8b5cb27a1709c3676f871b9e4cfe0651a9230cca71cbb9fe2ac2302.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Users\Admin\AppData\Roaming\lexplorer.exe
  "C:\Users\Admin\AppData\Roaming\lexplorer.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in Windows directory
  PID:2616
- - C:\Windows\lexplorer.exe
    "C:\Windows\lexplorer.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5056
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\newressales.pdf"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4556
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CAD6376DF09E8E54C6F9FCD21C88436F --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:4864
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2D56B6A7773261E724A6703764B2B28D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2D56B6A7773261E724A6703764B2B28D --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:3996
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=DE24A42D4CD576FAB9B6F780B13C179F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=DE24A42D4CD576FAB9B6F780B13C179F --renderer-client-id=4 --mojo-platform-channel-handle=2160 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:1308
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=89F7B6F510645AE3E08520D2CAD44F0F --mojo-platform-channel-handle=2548 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:2312
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=122E782A4EBF2C72BA9CC9D4958A3573 --mojo-platform-channel-handle=1812 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:5112
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=73B6FCD82AD68404AB762A2E96499C49 --mojo-platform-channel-handle=2604 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:4108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\lexplorer.exe.log

Filesize
588B

MD5
7dec6c3645a13fed59e2e24b91e057a3

SHA1
8e2571f497ac4b9cce1a8d2278498e81babe5b3e

SHA256
416faa96011fc57b378ef7c3a9ac75e2f3d95fe0a2db82a363a2ee198bcccfff

SHA512
876628c49639ef517bbb4393602ff673187af4215182d8d32aa70a03be22f20883b9fe8e895efdda516d58377dd9966c078ddb676a5086432dd448373b7c166f

Download Submit
C:\Users\Admin\AppData\Roaming\lexplorer.exe

Filesize
38KB

MD5
05471246cef5a22ae83ea950b2c398a2

SHA1
b149e671a8b391c44187ba8c9431fe452ce59d76

SHA256
08db71e9d1a6ff320dd4659d25297a00e7f2d0536daff68819340376326289f2

SHA512
6c9dbe8155843d14da113e26af470a70c3b59e0fb65206a6779b65009d75593d6f49f88f34b291d4f042a1febb3b9d931718e344c87274e7fd99fc67023459a1

Download Submit
C:\Users\Admin\AppData\Roaming\lexplorer.exe

Filesize
38KB

MD5
05471246cef5a22ae83ea950b2c398a2

SHA1
b149e671a8b391c44187ba8c9431fe452ce59d76

SHA256
08db71e9d1a6ff320dd4659d25297a00e7f2d0536daff68819340376326289f2

SHA512
6c9dbe8155843d14da113e26af470a70c3b59e0fb65206a6779b65009d75593d6f49f88f34b291d4f042a1febb3b9d931718e344c87274e7fd99fc67023459a1

Download Submit
C:\Users\Admin\AppData\Roaming\newressales.pdf

Filesize
27KB

MD5
10fb39f9bb42f0ea8e142a257ac7ec71

SHA1
8971001e47c46ab08799c90d6fc421bbf33ce0ad

SHA256
1a196dcc428184b5cfc32d79f00a8a3ef7dabce057cb863a706659bbc443ea67

SHA512
56f9f3c0b8fae1f4c33c48aead4080bbebf24ea601a87d83d4938cb551a2c547f228da71b1ddd564c6705caccce2303240886e65c6f319c84c03e23a71b2cbed

Download Submit
C:\Windows\lexplorer.exe

Filesize
38KB

MD5
05471246cef5a22ae83ea950b2c398a2

SHA1
b149e671a8b391c44187ba8c9431fe452ce59d76

SHA256
08db71e9d1a6ff320dd4659d25297a00e7f2d0536daff68819340376326289f2

SHA512
6c9dbe8155843d14da113e26af470a70c3b59e0fb65206a6779b65009d75593d6f49f88f34b291d4f042a1febb3b9d931718e344c87274e7fd99fc67023459a1

Download Submit
C:\Windows\lexplorer.exe

Filesize
38KB

MD5
05471246cef5a22ae83ea950b2c398a2

SHA1
b149e671a8b391c44187ba8c9431fe452ce59d76

SHA256
08db71e9d1a6ff320dd4659d25297a00e7f2d0536daff68819340376326289f2

SHA512
6c9dbe8155843d14da113e26af470a70c3b59e0fb65206a6779b65009d75593d6f49f88f34b291d4f042a1febb3b9d931718e344c87274e7fd99fc67023459a1

Download Submit
memory/2616-136-0x00007FF85F9E0000-0x00007FF860416000-memory.dmp

Filesize
10.2MB

Download
memory/2804-132-0x00007FF85F9E0000-0x00007FF860416000-memory.dmp

Filesize
10.2MB

Download
memory/5056-166-0x00007FF85F9E0000-0x00007FF860416000-memory.dmp

Filesize
10.2MB

Download