Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/04/2024, 11:54

Static task: static1

Behavioral task: behavioral1
Sample: 2024-04-20_e046d608635671266df82597d302bea9_mafia.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 2024-04-20_e046d608635671266df82597d302bea9_mafia.exe
Resource: win10v2004-20240412-en

General
Target: 2024-04-20_e046d608635671266df82597d302bea9_mafia.exe
Size: 14.1MB
MD5: e046d608635671266df82597d302bea9
SHA1: 7b834a66b401d2571d0cace5b06505251c21d7ba
SHA256: abc01dfd22cde317bf46d71d775e0c598bad2ccc10931b2bf9effac279cd35fb
SHA512: f8c6c60be53c8ce08cc465254d61834087414bd553f6f2d9ae512701a5314bf4aea2a358878d1e2fcd4145320379a2b8e069b9b8e7c44ad138706fe77cf42a12
SSDEEP: 393216:oGdv6nS4hFG6qSIPf1HHDBgDy98POpILqlkXmxwUZWs:oYKI31HHDBgDy98POpILqlkXmxwUZWs
Malware Config

Signatures
Modifies Windows Firewall (2 TTPs, 21 IoCs)
pid | Process
4048 | netsh.exe
2144 | netsh.exe
3304 | netsh.exe
1580 | netsh.exe
2128 | netsh.exe
1272 | netsh.exe
1584 | netsh.exe
4436 | netsh.exe
2008 | netsh.exe
876 | netsh.exe
3984 | netsh.exe
3632 | netsh.exe
3300 | netsh.exe
1604 | netsh.exe
388 | netsh.exe
2188 | netsh.exe
4920 | netsh.exe
2016 | netsh.exe
4988 | netsh.exe
1800 | netsh.exe
3608 | netsh.exe
Sets service image path in registry (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LTService\ImagePath = "\"C:\\Windows\\LTSvc\\LTSVC.exe\" -sLTService" | installutil.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LTSvcMon\ImagePath = "\"C:\\Windows\\LTsvc\\LTSvcMon.exe\"" | installutil.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation | 2024-04-20_e046d608635671266df82597d302bea9_mafia.exe
Executes dropped EXE (3 IoCs)
pid | Process
952 | LTSVC.exe
2536 | LTSvcMon.exe
4316 | LTTray.exe
Loads dropped DLL (2 IoCs)
pid | Process
952 | LTSVC.exe
3516 | regsvr32.exe
Registers COM server for autorun (1 TTPs, 33 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7E092B5C-795B-46BC-886A-DFFBBBC9A117}\InprocServer32\ = "C:\\Windows\\LTsvc\\wodVPN.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B0B8CDD6-8AAA-4426-82E9-9455140124A1}\InprocServer32\ = "C:\\Windows\\LTsvc\\wodVPN.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7BE3886B-0C12-4D87-AC0B-09A5CE4E6BD6}\InprocServer32\ThreadingModel = "both" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{459C65ED-AA9C-4CF1-9A24-7685505F919A}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBC521C8-2792-43FE-9C91-CCA7E8ACBCC9}\InprocServer32\ = "C:\\Windows\\LTsvc\\wodVPN.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C59A1D54-8CD7-4795-AEDD-F6F6E2DE1FE7}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C198C98-0E27-40E4-972C-FDC656EC30D7}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBC521C8-2792-43FE-9C91-CCA7E8ACBCC9}\InprocServer32\ThreadingModel = "both" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7E092B5C-795B-46BC-886A-DFFBBBC9A117}\InprocServer32\ThreadingModel = "both" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7BE3886B-0C12-4D87-AC0B-09A5CE4E6BD6}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7BE3886B-0C12-4D87-AC0B-09A5CE4E6BD6}\InprocServer32\ = "C:\\Windows\\LTsvc\\wodVPN.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D101D9C-18CC-4E78-8D78-389E48478FCA}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D101D9C-18CC-4E78-8D78-389E48478FCA}\InprocServer32\ThreadingModel = "both" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{15DD3BF6-5A11-4407-8399-A19AC10C65D0}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C59A1D54-8CD7-4795-AEDD-F6F6E2DE1FE7}\InprocServer32\ = "C:\\Windows\\LTsvc\\wodVPN.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C198C98-0E27-40E4-972C-FDC656EC30D7}\InprocServer32\ = "C:\\Windows\\LTsvc\\wodVPN.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1B00A43-7A54-4A0F-B35D-B4334811FAA4}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{09DF1DCA-C076-498A-8370-AD6F878B6C6A}\InprocServer32\ThreadingModel = "both" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{459C65ED-AA9C-4CF1-9A24-7685505F919A}\InprocServer32\ = "C:\\Windows\\LTsvc\\wodVPN.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBC521C8-2792-43FE-9C91-CCA7E8ACBCC9}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7E092B5C-795B-46BC-886A-DFFBBBC9A117}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C59A1D54-8CD7-4795-AEDD-F6F6E2DE1FE7}\InprocServer32\ThreadingModel = "both" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1B00A43-7A54-4A0F-B35D-B4334811FAA4}\InprocServer32\ThreadingModel = "both" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{15DD3BF6-5A11-4407-8399-A19AC10C65D0}\InprocServer32\ = "C:\\Windows\\LTsvc\\wodVPN.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{09DF1DCA-C076-498A-8370-AD6F878B6C6A}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{15DD3BF6-5A11-4407-8399-A19AC10C65D0}\InprocServer32\ThreadingModel = "both" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C198C98-0E27-40E4-972C-FDC656EC30D7}\InprocServer32\ThreadingModel = "both" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B0B8CDD6-8AAA-4426-82E9-9455140124A1}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{459C65ED-AA9C-4CF1-9A24-7685505F919A}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B0B8CDD6-8AAA-4426-82E9-9455140124A1}\InprocServer32\ThreadingModel = "both" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1B00A43-7A54-4A0F-B35D-B4334811FAA4}\InprocServer32\ = "C:\\Windows\\LTsvc\\wodVPN.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{09DF1DCA-C076-498A-8370-AD6F878B6C6A}\InprocServer32\ = "C:\\Windows\\LTsvc\\wodVPN.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D101D9C-18CC-4E78-8D78-389E48478FCA}\InprocServer32\ = "C:\\Windows\\LTsvc\\wodVPN.dll" | regsvr32.exe
Drops desktop.ini file(s) (2 IoCs)
description | ioc | Process
File created | C:\Windows\assembly\Desktop.ini | LTSVC.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | LTSVC.exe
Modifies boot configuration data using bcdedit (1 IoCs)
pid | Process
3620 | BCDedit.exe
An obfuscated cmd.exe command-line is typically used to evade detection. (1 IoCs)
pid | Process
2340 | CMD.exe
Drops file in System32 directory (9 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B8944BA8AD0EFDF0E01A43EF62BECD0_96A577BD0C99F3E5EAD306A7437C80A3 | LTSVC.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 | LTSVC.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B8944BA8AD0EFDF0E01A43EF62BECD0_96A577BD0C99F3E5EAD306A7437C80A3 | LTSVC.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 | LTSVC.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\installutil.exe.log | installutil.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6 | LTSVC.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6 | LTSVC.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F | LTSVC.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F | LTSVC.exe
Drops file in Windows directory (37 IoCs)
description | ioc | Process
File created | C:\Windows\LTsvc\Interfaces.dll | LTSVC.exe
File created | C:\Windows\LTsvc\wodVPN64.dll | LTSVC.exe
File created | C:\Windows\LTsvc\SCHook.dll | LTSVC.exe
File created | C:\Windows\LTsvc\cad.exe | LTSVC.exe
File created | C:\Windows\LTsvc\LSR.exe | LTSVC.exe
File created | C:\Windows\LTSvc\LTTray.exe | 2024-04-20_e046d608635671266df82597d302bea9_mafia.exe
File opened for modification | C:\Windows\LTsvc\LTErrors.txt | LTSVC.exe
File created | C:\Windows\LTsvc\noshadow | LTSVC.exe
File created | C:\Windows\LTsvc\LTSvcMon.InstallState | installutil.exe
File opened for modification | C:\Windows\LTsvc\ultravnc.ini | LTSVC.exe
File opened for modification | C:\Windows\LTsvc\LTSvcMon.InstallLog | installutil.exe
File created | C:\Windows\LTsvc\LocationEdf.ini | LTSVC.exe
File created | C:\Windows\LTSvc\LTSVC.InstallState | installutil.exe
File created | C:\Windows\LTsvc\LTTray.exe | LTSVC.exe
File created | C:\Windows\LTsvc\tvnserver.exe | LTSVC.exe
File created | C:\Windows\LTsvc\vnchooks.dll | LTSVC.exe
File created | C:\Windows\LTsvc\labvnc.ini | LTSVC.exe
File created | C:\Windows\LTsvc\ClientEdf.ini | LTSVC.exe
File created | C:\Windows\LTsvc\TempalteProperties.ini | LTSVC.exe
File created | C:\Windows\LTSvc\LabTech.ico | 2024-04-20_e046d608635671266df82597d302bea9_mafia.exe
File created | C:\Windows\LTSvc\LTSVC.exe | 2024-04-20_e046d608635671266df82597d302bea9_mafia.exe
File created | C:\Windows\LTsvc\screenhooks32.dll | LTSVC.exe
File opened for modification | C:\Windows\assembly | LTSVC.exe
File created | C:\Windows\LTsvc\cpuidsdk64.dll | LTSVC.exe
File created | C:\Windows\LTsvc\labvnc.exe | LTSVC.exe
File opened for modification | C:\Windows\LTSvc\LTSVCMon.txt | LTSvcMon.exe
File created | C:\Windows\LTSvc\Interfaces.dll | 2024-04-20_e046d608635671266df82597d302bea9_mafia.exe
File created | C:\Windows\LTsvc\PS.exe | LTSVC.exe
File created | C:\Windows\LTsvc\ultravnc.ini | LTSVC.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | LTSVC.exe
File created | C:\Windows\LTsvc\ComputerEdf.ini | LTSVC.exe
File created | C:\Windows\LTsvc\screenhooks.dll | LTSVC.exe
File created | C:\Windows\LTsvc\LTSvcMon.exe | LTSVC.exe
File created | C:\Windows\assembly\Desktop.ini | LTSVC.exe
File opened for modification | C:\Windows\LTSvc\LTSVC.InstallLog | installutil.exe
File created | C:\Windows\LTsvc\sas.dll | LTSVC.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.InstallLog | installutil.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS (61 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Wow6432Node | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Wow6432Node\Sysinternals\PsExec | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | LTSVC.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsKill | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Wow6432Node\Sysinternals | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | LTSVC.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\C | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | LTSVC.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsKill\EulaAccepted = "1" | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | LTSVC.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | LTSVC.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\C\EulaAccepted = "1" | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Wow6432Node\Sysinternals\C | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | LTSVC.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | LTSVC.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Wow6432Node\Sysinternals\PsExec\EulaAccepted = "1" | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | LTSVC.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | LTSVC.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Wow6432Node\Sysinternals\C\EulaAccepted = "1" | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | LTSVC.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | LTSVC.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3607E98A-C816-486C-AEC9-A64C8FDEAB6D}\TypeLib\ = "{26818C76-2CAC-4C7E-9704-E3A037D4F3DB}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1BD84436-87A4-488E-968E-E07CAB0157F8}\ = "IVPNChannels" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.VPNRelay.1\CLSID\ = "{3C198C98-0E27-40E4-972C-FDC656EC30D7}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{09DF1DCA-C076-498A-8370-AD6F878B6C6A}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C198C98-0E27-40E4-972C-FDC656EC30D7}\InprocServer32\ThreadingModel = "both" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B0B8CDD6-8AAA-4426-82E9-9455140124A1}\ProgID\ = "WeOnlyDo.VPNRelays.1" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.VPNMediator.1 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.VPNInterfaces\CLSID\ = "{7BE3886B-0C12-4D87-AC0B-09A5CE4E6BD6}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{09DF1DCA-C076-498A-8370-AD6F878B6C6A}\ProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34FCE977-800B-47D3-AA58-E2B1ED957710}\ProxyStubClsid32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7E092B5C-795B-46BC-886A-DFFBBBC9A117} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C59A1D54-8CD7-4795-AEDD-F6F6E2DE1FE7} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0D415168-980F-4B2C-BFF2-DB68EC60149D}\ = "IVPNInterface" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CF1E24C-A9B6-45AF-8AED-13888061FB87}\TypeLib\Version = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{57144698-03FD-41B6-8479-73A8EB19DDA7}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D415168-980F-4B2C-BFF2-DB68EC60149D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.VPNUsers\CLSID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4060697F-931D-4D71-8864-D47557560740}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57144698-03FD-41B6-8479-73A8EB19DDA7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57144698-03FD-41B6-8479-73A8EB19DDA7}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1646101F-5EDD-456C-A734-E6E7456C7C1F}\TypeLib\Version = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBC521C8-2792-43FE-9C91-CCA7E8ACBCC9}\ = "VPNChannels Class" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.VPNUsers.1 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.VPNUser\CLSID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B7A786AC-285C-4924-9E9F-2FBF97499299}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B7A786AC-285C-4924-9E9F-2FBF97499299}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3A926488-E5E7-453D-8492-18A4B64804A5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B8218469-6598-4D1A-83A4-7759F3740236}\TypeLib\ = "{26818C76-2CAC-4C7E-9704-E3A037D4F3DB}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.wodVPNCom\ = "wodVPNCom Class" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.VPNUser.1\CLSID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.VPNUsers\CLSID\ = "{C59A1D54-8CD7-4795-AEDD-F6F6E2DE1FE7}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{09DF1DCA-C076-498A-8370-AD6F878B6C6A}\ProgID\ = "WeOnlyDo.VPNInterface.1" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{57144698-03FD-41B6-8479-73A8EB19DDA7} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{902D4CE3-EA2D-4334-BD07-FCBCD0AFBDB1}\ = "IVPNMediator" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{15DD3BF6-5A11-4407-8399-A19AC10C65D0}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.VPNUsers.1\CLSID\ = "{C59A1D54-8CD7-4795-AEDD-F6F6E2DE1FE7}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C59A1D54-8CD7-4795-AEDD-F6F6E2DE1FE7}\VersionIndependentProgID\ = "WeOnlyDo.VPNUsers" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1BD84436-87A4-488E-968E-E07CAB0157F8}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{902D4CE3-EA2D-4334-BD07-FCBCD0AFBDB1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0D415168-980F-4B2C-BFF2-DB68EC60149D}\TypeLib\Version = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B8218469-6598-4D1A-83A4-7759F3740236}\ = "IwodVPNCom" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1646101F-5EDD-456C-A734-E6E7456C7C1F}\TypeLib\ = "{26818C76-2CAC-4C7E-9704-E3A037D4F3DB}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.wodVPNCom.1\CLSID\ = "{459C65ED-AA9C-4CF1-9A24-7685505F919A}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.VPNUsers | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3607E98A-C816-486C-AEC9-A64C8FDEAB6D}\TypeLib\Version = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4060697F-931D-4D71-8864-D47557560740}\TypeLib\Version = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1BD84436-87A4-488E-968E-E07CAB0157F8}\TypeLib\ = "{26818C76-2CAC-4C7E-9704-E3A037D4F3DB}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1BD84436-87A4-488E-968E-E07CAB0157F8}\TypeLib\Version = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.VPNChannel.1\CLSID\ = "{15DD3BF6-5A11-4407-8399-A19AC10C65D0}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.VPNInterfaces.1\CLSID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{26818C76-2CAC-4C7E-9704-E3A037D4F3DB}\1.0\0\win64 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A926488-E5E7-453D-8492-18A4B64804A5} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.wodVPNCom\CurVer | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7BE3886B-0C12-4D87-AC0B-09A5CE4E6BD6} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{09DF1DCA-C076-498A-8370-AD6F878B6C6A}\InprocServer32\ThreadingModel = "both" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{902D4CE3-EA2D-4334-BD07-FCBCD0AFBDB1}\TypeLib\Version = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.wodVPNCom.1\CLSID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.VPNChannel.1 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.VPNInterface | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34FCE977-800B-47D3-AA58-E2B1ED957710} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34FCE977-800B-47D3-AA58-E2B1ED957710} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1BD84436-87A4-488E-968E-E07CAB0157F8} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.VPNInterface.1 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D101D9C-18CC-4E78-8D78-389E48478FCA}\ProgID | regsvr32.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | LTSVC.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (certificate blob omitted) | LTSVC.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (certificate blob omitted) | LTSVC.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
952 | LTSVC.exe
952 | LTSVC.exe
952 | LTSVC.exe
952 | LTSVC.exe
4316 | LTTray.exe
4316 | LTTray.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 952 | LTSVC.exe
Token: SeDebugPrivilege | 2536 | LTSvcMon.exe
Token: 33 | 2536 | LTSvcMon.exe
Token: SeIncBasePriorityPrivilege | 2536 | LTSvcMon.exe
Token: 33 | 2536 | LTSvcMon.exe
Token: SeIncBasePriorityPrivilege | 2536 | LTSvcMon.exe
Token: SeDebugPrivilege | 4316 | LTTray.exe
Token: 33 | 4316 | LTTray.exe
Token: SeIncBasePriorityPrivilege | 4316 | LTTray.exe
Token: 33 | 4316 | LTTray.exe
Token: SeIncBasePriorityPrivilege | 4316 | LTTray.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
4316 | LTTray.exe
Suspicious use of SendNotifyMessage (1 IoCs)
pid | Process
4316 | LTTray.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 3980 wrote to memory of 2540 | 3980 | 2024-04-20_e046d608635671266df82597d302bea9_mafia.exe | 96
PID 3980 wrote to memory of 2540 | 3980 | 2024-04-20_e046d608635671266df82597d302bea9_mafia.exe | 96
PID 952 wrote to memory of 3516 | 952 | LTSVC.exe | 100
PID 952 wrote to memory of 3516 | 952 | LTSVC.exe | 100
PID 952 wrote to memory of 960 | 952 | LTSVC.exe | 101
PID 952 wrote to memory of 960 | 952 | LTSVC.exe | 101
PID 952 wrote to memory of 3084 | 952 | LTSVC.exe | 103
PID 952 wrote to memory of 3084 | 952 | LTSVC.exe | 103
PID 3084 wrote to memory of 2144 | 3084 | CMD.exe | 105
PID 3084 wrote to memory of 2144 | 3084 | CMD.exe | 105
PID 952 wrote to memory of 1396 | 952 | LTSVC.exe | 106
PID 952 wrote to memory of 1396 | 952 | LTSVC.exe | 106
PID 1396 wrote to memory of 3304 | 1396 | CMD.exe | 108
PID 1396 wrote to memory of 3304 | 1396 | CMD.exe | 108
PID 952 wrote to memory of 1216 | 952 | LTSVC.exe | 109
PID 952 wrote to memory of 1216 | 952 | LTSVC.exe | 109
PID 1216 wrote to memory of 3984 | 1216 | CMD.exe | 111
PID 1216 wrote to memory of 3984 | 1216 | CMD.exe | 111
PID 952 wrote to memory of 3720 | 952 | LTSVC.exe | 113
PID 952 wrote to memory of 3720 | 952 | LTSVC.exe | 113
PID 3720 wrote to memory of 1580 | 3720 | CMD.exe | 115
PID 3720 wrote to memory of 1580 | 3720 | CMD.exe | 115
PID 952 wrote to memory of 2668 | 952 | LTSVC.exe | 116
PID 952 wrote to memory of 2668 | 952 | LTSVC.exe | 116
PID 2668 wrote to memory of 2188 | 2668 | CMD.exe | 118
PID 2668 wrote to memory of 2188 | 2668 | CMD.exe | 118
PID 952 wrote to memory of 668 | 952 | LTSVC.exe | 119
PID 952 wrote to memory of 668 | 952 | LTSVC.exe | 119
PID 668 wrote to memory of 4920 | 668 | CMD.exe | 121
PID 668 wrote to memory of 4920 | 668 | CMD.exe | 121
PID 952 wrote to memory of 860 | 952 | LTSVC.exe | 122
PID 952 wrote to memory of 860 | 952 | LTSVC.exe | 122
PID 860 wrote to memory of 4436 | 860 | CMD.exe | 124
PID 860 wrote to memory of 4436 | 860 | CMD.exe | 124
PID 952 wrote to memory of 3536 | 952 | LTSVC.exe | 125
PID 952 wrote to memory of 3536 | 952 | LTSVC.exe | 125
PID 3536 wrote to memory of 2016 | 3536 | CMD.exe | 127
PID 3536 wrote to memory of 2016 | 3536 | CMD.exe | 127
PID 952 wrote to memory of 2340 | 952 | LTSVC.exe | 128
PID 952 wrote to memory of 2340 | 952 | LTSVC.exe | 128
PID 2340 wrote to memory of 2128 | 2340 | CMD.exe | 130
PID 2340 wrote to memory of 2128 | 2340 | CMD.exe | 130
PID 952 wrote to memory of 4184 | 952 | LTSVC.exe | 131
PID 952 wrote to memory of 4184 | 952 | LTSVC.exe | 131
PID 4184 wrote to memory of 1272 | 4184 | CMD.exe | 133
PID 4184 wrote to memory of 1272 | 4184 | CMD.exe | 133
PID 952 wrote to memory of 3716 | 952 | LTSVC.exe | 134
PID 952 wrote to memory of 3716 | 952 | LTSVC.exe | 134
PID 3716 wrote to memory of 4988 | 3716 | CMD.exe | 136
PID 3716 wrote to memory of 4988 | 3716 | CMD.exe | 136
PID 952 wrote to memory of 4840 | 952 | LTSVC.exe | 137
PID 952 wrote to memory of 4840 | 952 | LTSVC.exe | 137
PID 4840 wrote to memory of 1800 | 4840 | CMD.exe | 139
PID 4840 wrote to memory of 1800 | 4840 | CMD.exe | 139
PID 952 wrote to memory of 2164 | 952 | LTSVC.exe | 140
PID 952 wrote to memory of 2164 | 952 | LTSVC.exe | 140
PID 2164 wrote to memory of 1584 | 2164 | CMD.exe | 142
PID 2164 wrote to memory of 1584 | 2164 | CMD.exe | 142
PID 952 wrote to memory of 3520 | 952 | LTSVC.exe | 143
PID 952 wrote to memory of 3520 | 952 | LTSVC.exe | 143
PID 3520 wrote to memory of 3608 | 3520 | CMD.exe | 145
PID 3520 wrote to memory of 3608 | 3520 | CMD.exe | 145
PID 952 wrote to memory of 4068 | 952 | LTSVC.exe | 146
PID 952 wrote to memory of 4068 | 952 | LTSVC.exe | 146
System policy modification 1 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SoftwareSASGeneration = "3" LTSVC.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\2024-04-20_e046d608635671266df82597d302bea9_mafia.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-20_e046d608635671266df82597d302bea9_mafia.exe"
    PID: 3980
    - Checks computer location settings
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\Microsoft.NET\Framework64\v2.0.50727\installutil.exe
        Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\installutil.exe" /name=LTService /account=localsystem C:\Windows\LTSvc\LTSVC.exe
        PID: 2540
        - Sets service image path in registry
        - Drops file in Windows directory

[1] C:\Windows\LTSvc\LTSVC.exe
    Command line: "C:\Windows\LTSvc\LTSVC.exe" -sLTService
    PID: 952
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

    [2] C:\Windows\System32\regsvr32.exe
        Command line: "C:\Windows\System32\regsvr32.exe" /s "C:\Windows\LTsvc\wodVPN.dll"
        PID: 3516
        - Loads dropped DLL
        - Registers COM server for autorun
        - Modifies registry class

    [2] C:\Windows\system32\Net1.exe
        Command line: "Net1.exe" Stop PSEXESVC
        PID: 960

    [2] C:\Windows\system32\CMD.exe
        Command line: "CMD.exe" /c netsh advfirewall firewall Delete rule name="Allow NetFasTalk"
        PID: 3084
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\netsh.exe
            Command line: netsh advfirewall firewall Delete rule name="Allow NetFasTalk"
            PID: 2144
            - Modifies Windows Firewall

    [2] C:\Windows\system32\CMD.exe
        Command line: "CMD.exe" /c netsh advfirewall firewall Delete rule name="Allow Local VNC"
        PID: 1396
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\netsh.exe
            Command line: netsh advfirewall firewall Delete rule name="Allow Local VNC"
            PID: 3304
            - Modifies Windows Firewall

    [2] C:\Windows\system32\CMD.exe
        Command line: "CMD.exe" /c netsh advfirewall firewall Delete rule name="Allow Local Redir"
        PID: 1216
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\netsh.exe
            Command line: netsh advfirewall firewall Delete rule name="Allow Local Redir"
            PID: 3984
            - Modifies Windows Firewall

    [2] C:\Windows\system32\CMD.exe
        Command line: "CMD.exe" /c netsh advfirewall firewall Delete rule name="Allow Tunnel StunRelay"
        PID: 3720
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\netsh.exe
            Command line: netsh advfirewall firewall Delete rule name="Allow Tunnel StunRelay"
            PID: 1580
            - Modifies Windows Firewall

    [2] C:\Windows\system32\CMD.exe
        Command line: "CMD.exe" /c netsh advfirewall firewall Delete rule name="Allow Tunnel"
        PID: 2668
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\netsh.exe
            Command line: netsh advfirewall firewall Delete rule name="Allow Tunnel"
            PID: 2188
            - Modifies Windows Firewall

    [2] C:\Windows\system32\CMD.exe
        Command line: "CMD.exe" /c netsh advfirewall firewall Delete rule name="AgentService"
        PID: 668
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\netsh.exe
            Command line: netsh advfirewall firewall Delete rule name="AgentService"
            PID: 4920
            - Modifies Windows Firewall

    [2] C:\Windows\system32\CMD.exe
        Command line: "CMD.exe" /c netsh advfirewall firewall Delete rule name="AgentMonitor"
        PID: 860
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\netsh.exe
            Command line: netsh advfirewall firewall Delete rule name="AgentMonitor"
            PID: 4436
            - Modifies Windows Firewall

    [2] C:\Windows\system32\CMD.exe
        Command line: "CMD.exe" /c netsh advfirewall firewall Delete rule name="AgentTray"
        PID: 3536
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\netsh.exe
            Command line: netsh advfirewall firewall Delete rule name="AgentTray"
            PID: 2016
            - Modifies Windows Firewall

    [2] C:\Windows\system32\CMD.exe
        Command line: "CMD.exe" /c netsh advfirewall firewall Add rule name="Allow NetFasTalk" dir=in protocol=udp localport=162,42000,42001,42002,42003,42004 remoteip=localsubnet action=allow
        PID: 2340
        - An obfuscated cmd.exe command-line is typically used to evade detection.
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\netsh.exe
            Command line: netsh advfirewall firewall Add rule name="Allow NetFasTalk" dir=in protocol=udp localport=162,42000,42001,42002,42003,42004 remoteip=localsubnet action=allow
            PID: 2128
            - Modifies Windows Firewall

    [2] C:\Windows\system32\CMD.exe
        Command line: "CMD.exe" /c netsh advfirewall firewall Add rule name="Allow Local VNC" dir=in protocol=tcp localport=4995,4996,4997,4998,4999 remoteip=localsubnet action=allow
        PID: 4184
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\netsh.exe
            Command line: netsh advfirewall firewall Add rule name="Allow Local VNC" dir=in protocol=tcp localport=4995,4996,4997,4998,4999 remoteip=localsubnet action=allow
            PID: 1272
            - Modifies Windows Firewall

    [2] C:\Windows\system32\CMD.exe
        Command line: "CMD.exe" /c netsh advfirewall firewall Add rule name="Allow Local Redir" dir=in protocol=tcp remoteip=127.0.0.1 action=allow
        PID: 3716
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\netsh.exe
            Command line: netsh advfirewall firewall Add rule name="Allow Local Redir" dir=in protocol=tcp remoteip=127.0.0.1 action=allow
            PID: 4988
            - Modifies Windows Firewall

    [2] C:\Windows\system32\CMD.exe
        Command line: "CMD.exe" /c netsh advfirewall firewall Add rule name="Allow Local Redir" dir=in protocol=tcp localip=127.0.0.1 action=allow
        PID: 4840
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\netsh.exe
            Command line: netsh advfirewall firewall Add rule name="Allow Local Redir" dir=in protocol=tcp localip=127.0.0.1 action=allow
            PID: 1800
            - Modifies Windows Firewall

    [2] C:\Windows\system32\CMD.exe
        Command line: "CMD.exe" /c netsh advfirewall firewall Add rule name="Allow Tunnel StunRelay" dir=out protocol=udp localport=70-75 action=allow
        PID: 2164
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\netsh.exe
            Command line: netsh advfirewall firewall Add rule name="Allow Tunnel StunRelay" dir=out protocol=udp localport=70-75 action=allow
            PID: 1584
            - Modifies Windows Firewall

    [2] C:\Windows\system32\CMD.exe
        Command line: "CMD.exe" /c netsh advfirewall firewall Add rule name="Allow Tunnel" dir=out protocol=udp localport=40000-41000 action=allow
        PID: 3520
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\netsh.exe
            Command line: netsh advfirewall firewall Add rule name="Allow Tunnel" dir=out protocol=udp localport=40000-41000 action=allow
            PID: 3608
            - Modifies Windows Firewall

    [2] C:\Windows\system32\CMD.exe
        Command line: "CMD.exe" /c netsh advfirewall firewall Add rule name="Allow Tunnel" dir=in protocol=udp localport=40000-41000 action=allow
        PID: 4068

        [3] C:\Windows\system32\netsh.exe
            Command line: netsh advfirewall firewall Add rule name="Allow Tunnel" dir=in protocol=udp localport=40000-41000 action=allow
            PID: 3632
            - Modifies Windows Firewall

    [2] C:\Windows\system32\CMD.exe
        Command line: "CMD.exe" /c netsh advfirewall firewall add rule name="AgentService" dir=in action=allow program="%Windir%\LTsvc\LTSVC.exe" enable=yes
        PID: 2876

        [3] C:\Windows\system32\netsh.exe
            Command line: netsh advfirewall firewall add rule name="AgentService" dir=in action=allow program="C:\Windows\LTsvc\LTSVC.exe" enable=yes
            PID: 1604
            - Modifies Windows Firewall

    [2] C:\Windows\system32\CMD.exe
        Command line: "CMD.exe" /c netsh advfirewall firewall add rule name="AgentService" dir=out action=allow program="%Windir%\LTsvc\LTSVC.exe" enable=yes
        PID: 1564

        [3] C:\Windows\system32\netsh.exe
            Command line: netsh advfirewall firewall add rule name="AgentService" dir=out action=allow program="C:\Windows\LTsvc\LTSVC.exe" enable=yes
            PID: 4048
            - Modifies Windows Firewall

    [2] C:\Windows\system32\CMD.exe
        Command line: "CMD.exe" /c netsh advfirewall firewall add rule name="AgentMonitor" dir=in action=allow program="%Windir%\LTsvc\LTSVCmon.exe" enable=yes
        PID: 3752

        [3] C:\Windows\system32\netsh.exe
            Command line: netsh advfirewall firewall add rule name="AgentMonitor" dir=in action=allow program="C:\Windows\LTsvc\LTSVCmon.exe" enable=yes
            PID: 388
            - Modifies Windows Firewall

    [2] C:\Windows\system32\CMD.exe
        Command line: "CMD.exe" /c netsh advfirewall firewall add rule name="AgentMonitor" dir=out action=allow program="%Windir%\LTsvc\LTSVCmon.exe" enable=yes
        PID: 680

        [3] C:\Windows\system32\netsh.exe
            Command line: netsh advfirewall firewall add rule name="AgentMonitor" dir=out action=allow program="C:\Windows\LTsvc\LTSVCmon.exe" enable=yes
            PID: 2008
            - Modifies Windows Firewall

    [2] C:\Windows\system32\CMD.exe
        Command line: "CMD.exe" /c netsh advfirewall firewall add rule name="AgentTray" dir=in action=allow program="%Windir%\LTsvc\LTTray.exe" enable=yes
        PID: 3164

        [3] C:\Windows\system32\netsh.exe
            Command line: netsh advfirewall firewall add rule name="AgentTray" dir=in action=allow program="C:\Windows\LTsvc\LTTray.exe" enable=yes
            PID: 876
            - Modifies Windows Firewall

    [2] C:\Windows\system32\CMD.exe
        Command line: "CMD.exe" /c netsh advfirewall firewall add rule name="AgentTray" dir=out action=allow program="%Windir%\LTsvc\LTTray.exe" enable=yes
        PID: 2340

        [3] C:\Windows\system32\netsh.exe
            Command line: netsh advfirewall firewall add rule name="AgentTray" dir=out action=allow program="C:\Windows\LTsvc\LTTray.exe" enable=yes
            PID: 3300
            - Modifies Windows Firewall

    [2] C:\Windows\System32\CMD.exe
        Command line: "C:\Windows\System32\CMD.exe" /c netsh interface ipv4 set interface "Loopback Pseudo-Interface 1" mtu=1450 store=persistent
        PID: 2020

        [3] C:\Windows\System32\netsh.exe
            Command line: netsh interface ipv4 set interface "Loopback Pseudo-Interface 1" mtu=1450 store=persistent
            PID: 1464

    [2] C:\Windows\System32\CMD.exe
        Command line: "C:\Windows\System32\CMD.exe" /c netsh interface ipv4 set subinterface "Loopback Pseudo-Interface 1" mtu=1450 store=persistent
        PID: 4560

        [3] C:\Windows\System32\netsh.exe
            Command line: netsh interface ipv4 set subinterface "Loopback Pseudo-Interface 1" mtu=1450 store=persistent
            PID: 1064

    [2] C:\Windows\System32\CACLS.exe
        Command line: "C:\Windows\System32\CACLS.exe" C:\Windows\Temp /E /G Everyone:F
        PID: 4896

    [2] C:\Windows\Microsoft.NET\Framework64\v2.0.50727\installutil.exe
        Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\installutil.exe" /i C:\Windows\LTsvc\LTSvcMon.exe
        PID: 1580
        - Sets service image path in registry
        - Drops file in System32 directory
        - Drops file in Windows directory

    [2] C:\Windows\system32\CMD.exe
        Command line: "CMD.exe" /c NET Start LTSvcMon
        PID: 4436

        [3] C:\Windows\system32\net.exe
            Command line: NET Start LTSvcMon
            PID: 4548

            [4] C:\Windows\system32\net1.exe
                Command line: C:\Windows\system32\net1 Start LTSvcMon
                PID: 5104

    [2] C:\Windows\system32\BCDedit.exe
        Command line: "C:\Windows\system32\BCDedit.exe" /deletevalue SAFEBOOT
        PID: 3620
        - Modifies boot configuration data using bcdedit

    [2] C:\Windows\LTsvc\LTTray.exe
        Command line: C:\Windows\LTsvc\LTTray.exe
        PID: 4316
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

[1] C:\Windows\LTsvc\LTSvcMon.exe
    Command line: "C:\Windows\LTsvc\LTSvcMon.exe"
    PID: 2536
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads