0e86fbf5aa4f23d453805ab455d1ce53cecdf83bbdf142d995cf61290e8caab4

General

Target

chthonic_2.23.11.0.vir.exe
Size

361KB
MD5

a6a625b1840483a2288b7c93991a12ed
SHA1

1845a9543a84ce21532a2a5df5200fdba8db8cea
SHA256

0e86fbf5aa4f23d453805ab455d1ce53cecdf83bbdf142d995cf61290e8caab4
SHA512

9229defc208590b2e0f182d18a68d520f84703b698b098688f6da025e9c3a8328c6916093027805f99e56097ddc1932ddcaab460b5dab4b003fff392858e0dbc

Score

5^/10

persistence

Malware Config

Signatures

Suspicious behavior: LoadsDriver 422 IoCs

Processes:

pid

4
4
4
4
4
612
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4

pid
4
4
4
4
4
612
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4

Checks SCSI registry key(s) 3 TTPs 96 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe

Drops file in Windows directory 2 IoCs

Processes:

svchost.exesvchost.exe

description ioc process

File created C:\Windows\INF\netsstpa.PNF svchost.exe
File created C:\Windows\INF\netrasa.PNF svchost.exe

description	ioc	process
File created	C:\Windows\INF\netsstpa.PNF	svchost.exe
File created	C:\Windows\INF\netrasa.PNF	svchost.exe

Modifies service 2 TTPs 41 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

svchost.exesvchost.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Bind = 5c004400650076006900630065005c007b00420039003100350038003200430034002d0032004600410035002d0034003500350030002d0039003800300031002d004200380031003000380037003800420030003300450045007d0000005c004400650076006900630065005c007b00420039004200340041003800360032002d0033004400420032002d0034004100340039002d0039003800440037002d004400360045003000460046004200300037004400330032007d0000005c004400650076006900630065005c007b00410036003200460036004500450042002d0041003300330041002d0034003300300044002d0038003800320045002d003900330041003000300039004500410036003700420030007d0000000000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Export = 5c004400650076006900630065005c004e00640069007300570061006e005f007b00420039003100350038003200430034002d0032004600410035002d0034003500350030002d0039003800300031002d004200380031003000380037003800420030003300450045007d0000005c004400650076006900630065005c004e00640069007300570061006e005f007b00420039004200340041003800360032002d0033004400420032002d0034004100340039002d0039003800440037002d004400360045003000460046004200300037004400330032007d0000005c004400650076006900630065005c004e00640069007300570061006e005f007b00410036003200460036004500450042002d0041003300330041002d0034003300300044002d0038003800320045002d003900330041003000300039004500410036003700420030007d0000005c004400650076006900630065005c004e00640069007300570061006e005f007b00380045003200310046003600340042002d0045004100340043002d0034003200370038002d0038004200430039002d003500430030003400440037004300450039003200350032007d0000000000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Bind = 5c004400650076006900630065005c007b00420039003100350038003200430034002d0032004600410035002d0034003500350030002d0039003800300031002d004200380031003000380037003800420030003300450045007d0000005c004400650076006900630065005c007b00420039004200340041003800360032002d0033004400420032002d0034004100340039002d0039003800440037002d004400360045003000460046004200300037004400330032007d0000005c004400650076006900630065005c007b00410036003200460036004500450042002d0041003300330041002d0034003300300044002d0038003800320045002d003900330041003000300039004500410036003700420030007d0000005c004400650076006900630065005c007b00380045003200310046003600340042002d0045004100340043002d0034003200370038002d0038004200430039002d003500430030003400440037004300450039003200350032007d0000005c004400650076006900630065005c007b00410043004200300042003000300036002d0032004400340035002d0034003500310034002d0042004600310044002d003900430044003300420042004400310036003300420041007d0000000000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Route = 22007b00420039003100350038003200430034002d0032004600410035002d0034003500350030002d0039003800300031002d004200380031003000380037003800420030003300450045007d002200000022007b00420039004200340041003800360032002d0033004400420032002d0034004100340039002d0039003800440037002d004400360045003000460046004200300037004400330032007d002200000022007b00410036003200460036004500450042002d0041003300330041002d0034003300300044002d0038003800320045002d003900330041003000300039004500410036003700420030007d002200000022007b00380045003200310046003600340042002d0045004100340043002d0034003200370038002d0038004200430039002d003500430030003400440037004300450039003200350032007d002200000022007b00410043004200300042003000300036002d0032004400340035002d0034003500310034002d0042004600310044002d003900430044003300420042004400310036003300420041007d00220000000000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wanarp\Linkage\Route = 22007b00460042003100330038003300420036002d0046003300340041002d0034004200450038002d0042004300320037002d003200350034004600320033003900320033003200420035007d00220000000000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wanarpv6\Linkage\Export = 5c004400650076006900630065005c00770061006e00610072007000760036005f007b00340033004400430037003400300042002d0039003600310043002d0034003100450043002d0041004400360038002d003200420041004600410041003500350046003600350036007d0000000000	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Psched\Parameters\Adapters\{E2493170-57C3-4BF3-A19F-F7D9D211606D}	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Bind = 5c004400650076006900630065005c007b00420039003100350038003200430034002d0032004600410035002d0034003500350030002d0039003800300031002d004200380031003000380037003800420030003300450045007d0000000000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wanarp\Linkage\Export = 5c004400650076006900630065005c00770061006e006100720070005f007b00460042003100330038003300420036002d0046003300340041002d0034004200450038002d0042004300320037002d003200350034004600320033003900320033003200420035007d0000000000	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WFPLWFS\Parameters\Adapters	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Psched\Parameters\Adapters\{FB1383B6-F34A-4BE8-BC27-254F239232B5}\{B5F4D659-7DAA-4565-8E41-BE220ED60542}-0000	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Psched\Parameters\Adapters\{43DC740B-961C-41EC-AD68-2BAFAA55F656}\{B5F4D659-7DAA-4565-8E41-BE220ED60542}-0000	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Psched\Parameters\Adapters\{E2493170-57C3-4BF3-A19F-F7D9D211606D}\{B5F4D659-7DAA-4565-8E41-BE220ED60542}-0000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Bind = 5c004400650076006900630065005c007b00420039003100350038003200430034002d0032004600410035002d0034003500350030002d0039003800300031002d004200380031003000380037003800420030003300450045007d0000005c004400650076006900630065005c007b00420039004200340041003800360032002d0033004400420032002d0034004100340039002d0039003800440037002d004400360045003000460046004200300037004400330032007d0000000000	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Psched\Parameters	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Route = 22007b00420039003100350038003200430034002d0032004600410035002d0034003500350030002d0039003800300031002d004200380031003000380037003800420030003300450045007d00220000000000	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wanarp\Linkage	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wanarpv6\Linkage\Route = 22007b00340033004400430037003400300042002d0039003600310043002d0034003100450043002d0041004400360038002d003200420041004600410041003500350046003600350036007d00220000000000	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WFPLWFS\Parameters\Adapters\{43DC740B-961C-41EC-AD68-2BAFAA55F656}\{3BFD7820-D65C-4C1B-9FEA-983A019639EA}-0000	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WFPLWFS\Parameters\Adapters\{E2493170-57C3-4BF3-A19F-F7D9D211606D}\{3BFD7820-D65C-4C1B-9FEA-983A019639EA}-0000	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Export = 5c004400650076006900630065005c004e00640069007300570061006e005f007b00420039003100350038003200430034002d0032004600410035002d0034003500350030002d0039003800300031002d004200380031003000380037003800420030003300450045007d0000005c004400650076006900630065005c004e00640069007300570061006e005f007b00420039004200340041003800360032002d0033004400420032002d0034004100340039002d0039003800440037002d004400360045003000460046004200300037004400330032007d0000005c004400650076006900630065005c004e00640069007300570061006e005f007b00410036003200460036004500450042002d0041003300330041002d0034003300300044002d0038003800320045002d003900330041003000300039004500410036003700420030007d0000000000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Export = 5c004400650076006900630065005c004e00640069007300570061006e005f007b00420039003100350038003200430034002d0032004600410035002d0034003500350030002d0039003800300031002d004200380031003000380037003800420030003300450045007d0000005c004400650076006900630065005c004e00640069007300570061006e005f007b00420039004200340041003800360032002d0033004400420032002d0034004100340039002d0039003800440037002d004400360045003000460046004200300037004400330032007d0000005c004400650076006900630065005c004e00640069007300570061006e005f007b00410036003200460036004500450042002d0041003300330041002d0034003300300044002d0038003800320045002d003900330041003000300039004500410036003700420030007d0000005c004400650076006900630065005c004e00640069007300570061006e005f007b00380045003200310046003600340042002d0045004100340043002d0034003200370038002d0038004200430039002d003500430030003400440037004300450039003200350032007d0000005c004400650076006900630065005c004e00640069007300570061006e005f007b00410043004200300042003000300036002d0032004400340035002d0034003500310034002d0042004600310044002d003900430044003300420042004400310036003300420041007d0000000000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wanarp\Linkage\Bind = 5c004400650076006900630065005c007b00460042003100330038003300420036002d0046003300340041002d0034004200450038002d0042004300320037002d003200350034004600320033003900320033003200420035007d0000000000	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WFPLWFS\Parameters\Adapters\{FB1383B6-F34A-4BE8-BC27-254F239232B5}\{3BFD7820-D65C-4C1B-9FEA-983A019639EA}-0000	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WFPLWFS\Parameters\Adapters\{FB1383B6-F34A-4BE8-BC27-254F239232B5}	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Psched\Parameters\Adapters\{FB1383B6-F34A-4BE8-BC27-254F239232B5}	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wanarpv6\Linkage\Bind = 5c004400650076006900630065005c007b00340033004400430037003400300042002d0039003600310043002d0034003100450043002d0041004400360038002d003200420041004600410041003500350046003600350036007d0000000000	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\RasMan\Parameters\MiniportsInstalled = "65535"	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Route = 22007b00420039003100350038003200430034002d0032004600410035002d0034003500350030002d0039003800300031002d004200380031003000380037003800420030003300450045007d002200000022007b00420039004200340041003800360032002d0033004400420032002d0034004100340039002d0039003800440037002d004400360045003000460046004200300037004400330032007d00220000000000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Route = 22007b00420039003100350038003200430034002d0032004600410035002d0034003500350030002d0039003800300031002d004200380031003000380037003800420030003300450045007d002200000022007b00420039004200340041003800360032002d0033004400420032002d0034004100340039002d0039003800440037002d004400360045003000460046004200300037004400330032007d002200000022007b00410036003200460036004500450042002d0041003300330041002d0034003300300044002d0038003800320045002d003900330041003000300039004500410036003700420030007d00220000000000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Export = 5c004400650076006900630065005c004e00640069007300570061006e005f007b00420039003100350038003200430034002d0032004600410035002d0034003500350030002d0039003800300031002d004200380031003000380037003800420030003300450045007d0000000000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Route = 22007b00420039003100350038003200430034002d0032004600410035002d0034003500350030002d0039003800300031002d004200380031003000380037003800420030003300450045007d002200000022007b00420039004200340041003800360032002d0033004400420032002d0034004100340039002d0039003800440037002d004400360045003000460046004200300037004400330032007d002200000022007b00410036003200460036004500450042002d0041003300330041002d0034003300300044002d0038003800320045002d003900330041003000300039004500410036003700420030007d002200000022007b00380045003200310046003600340042002d0045004100340043002d0034003200370038002d0038004200430039002d003500430030003400440037004300450039003200350032007d00220000000000	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WFPLWFS\Parameters	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Psched\Parameters\Adapters	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wanarpv6\Linkage	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WFPLWFS\Parameters\Adapters\{43DC740B-961C-41EC-AD68-2BAFAA55F656}	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Psched\Parameters\Adapters\{43DC740B-961C-41EC-AD68-2BAFAA55F656}	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Export = 5c004400650076006900630065005c004e00640069007300570061006e005f007b00420039003100350038003200430034002d0032004600410035002d0034003500350030002d0039003800300031002d004200380031003000380037003800420030003300450045007d0000005c004400650076006900630065005c004e00640069007300570061006e005f007b00420039004200340041003800360032002d0033004400420032002d0034004100340039002d0039003800440037002d004400360045003000460046004200300037004400330032007d0000000000	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WFPLWFS\Parameters\Adapters\{E2493170-57C3-4BF3-A19F-F7D9D211606D}	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Bind = 5c004400650076006900630065005c007b00420039003100350038003200430034002d0032004600410035002d0034003500350030002d0039003800300031002d004200380031003000380037003800420030003300450045007d0000005c004400650076006900630065005c007b00420039004200340041003800360032002d0033004400420032002d0034004100340039002d0039003800440037002d004400360045003000460046004200300037004400330032007d0000005c004400650076006900630065005c007b00410036003200460036004500450042002d0041003300330041002d0034003300300044002d0038003800320045002d003900330041003000300039004500410036003700420030007d0000005c004400650076006900630065005c007b00380045003200310046003600340042002d0045004100340043002d0034003200370038002d0038004200430039002d003500430030003400440037004300450039003200350032007d0000000000	svchost.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

Processes:

chthonic_2.23.11.0.vir.exeWerFault.exesvchost.exe

description	pid	process
Token: 0	3892	chthonic_2.23.11.0.vir.exe
Token: 0	3892	chthonic_2.23.11.0.vir.exe
Token: 0	3892	chthonic_2.23.11.0.vir.exe
Token: 0	3892	chthonic_2.23.11.0.vir.exe
Token: 0	3892	chthonic_2.23.11.0.vir.exe
Token: 0	3892	chthonic_2.23.11.0.vir.exe
Token: 0	3892	chthonic_2.23.11.0.vir.exe
Token: 0	3892	chthonic_2.23.11.0.vir.exe
Token: 0	3892	chthonic_2.23.11.0.vir.exe
Token: 0	3892	chthonic_2.23.11.0.vir.exe
Token: 0	3892	chthonic_2.23.11.0.vir.exe
Token: 0	3892	chthonic_2.23.11.0.vir.exe
Token: 0	3892	chthonic_2.23.11.0.vir.exe
Token: 0	3892	chthonic_2.23.11.0.vir.exe
Token: 0	3892	chthonic_2.23.11.0.vir.exe
Token: 0	3892	chthonic_2.23.11.0.vir.exe
Token: 0	3892	chthonic_2.23.11.0.vir.exe
Token: 0	3892	chthonic_2.23.11.0.vir.exe
Token: 0	3892	chthonic_2.23.11.0.vir.exe
Token: 0	3892	chthonic_2.23.11.0.vir.exe
Token: 0	3892	chthonic_2.23.11.0.vir.exe
Token: 0	3892	chthonic_2.23.11.0.vir.exe
Token: 0	3892	chthonic_2.23.11.0.vir.exe
Token: 0	3892	chthonic_2.23.11.0.vir.exe
Token: 0	3892	chthonic_2.23.11.0.vir.exe
Token: 0	3892	chthonic_2.23.11.0.vir.exe
Token: 0	3892	chthonic_2.23.11.0.vir.exe
Token: 0	3892	chthonic_2.23.11.0.vir.exe
Token: 0	3892	chthonic_2.23.11.0.vir.exe
Token: 0	3892	chthonic_2.23.11.0.vir.exe
Token: 0	3892	chthonic_2.23.11.0.vir.exe
Token: 0	3892	chthonic_2.23.11.0.vir.exe
Token: 0	3892	chthonic_2.23.11.0.vir.exe
Token: SeRestorePrivilege	3804	WerFault.exe
Token: SeBackupPrivilege	3804	WerFault.exe
Token: SeDebugPrivilege	3804	WerFault.exe
Token: SeShutdownPrivilege	3156	svchost.exe
Token: SeCreatePagefilePrivilege	3156	svchost.exe
Token: SeLoadDriverPrivilege	3156	svchost.exe
Token: SeLoadDriverPrivilege	3156	svchost.exe
Token: SeLoadDriverPrivilege	3156	svchost.exe
Token: SeLoadDriverPrivilege	3156	svchost.exe
Token: SeLoadDriverPrivilege	3156	svchost.exe
Token: SeLoadDriverPrivilege	3156	svchost.exe
Token: SeLoadDriverPrivilege	3156	svchost.exe
Token: SeLoadDriverPrivilege	3156	svchost.exe
Token: SeLoadDriverPrivilege	3156	svchost.exe
Token: SeLoadDriverPrivilege	3156	svchost.exe
Token: SeLoadDriverPrivilege	3156	svchost.exe
Token: SeLoadDriverPrivilege	3156	svchost.exe
Token: SeLoadDriverPrivilege	3156	svchost.exe
Token: SeLoadDriverPrivilege	3156	svchost.exe
Token: SeLoadDriverPrivilege	3156	svchost.exe
Token: SeLoadDriverPrivilege	3156	svchost.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3804 3892 WerFault.exe chthonic_2.23.11.0.vir.exe

pid	pid_target	process	target process
3804	3892	WerFault.exe	chthonic_2.23.11.0.vir.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.11.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.11.0.vir.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 24716
2⤵
- Suspicious use of AdjustPrivilegeToken
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:3804

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s TapiSrv
1⤵
PID:3012

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s SstpSvc
1⤵
PID:3220

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:68

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
- Drops file in Windows directory
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:3156

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
- Modifies service
PID:3008

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:796

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:996

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:1056

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:3668

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:3752

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2116

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:1312

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:1488

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2676

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:1648

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:3808

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:1948

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2112

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2136

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2484

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:3912

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:3684

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:1184

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:680

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:1092

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:1312

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2572

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:1756

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:1956

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2132

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2480

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2936

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:420

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:840

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2912

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:3820

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:3324

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2228

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:1308

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:1584

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:1068

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:1656

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2264

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:1772

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2020

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2144

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:1532

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2480

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2736

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2496

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:900

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:3764

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:3880

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:844

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2568

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2220

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:680

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:1100

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:1140

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:1452

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2024

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2728

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2248

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:3760

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:1892

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2112

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2152

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2680

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:632

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2484

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:408

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:1800

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2820

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:3764

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:1412

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:1000

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:492

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:332

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:3156

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:3748

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:1332

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2836

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2572

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:1784

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:3004

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2056

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2128

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:1536

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:3412

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:3320

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:68

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2736

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2496

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2548

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:3744

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2532

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:840

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:3640

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:3236

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:3960

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:684

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2176

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:1964

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2988

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:3884

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2880

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2364

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:3004

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2056

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\INF\netrasa.PNF

Download Submit
C:\Windows\INF\netsstpa.PNF

Download Submit
memory/3804-0-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/3804-1-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download

pid
4
4
4
4
4
612
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4

pid
4
4
4
4
4
612
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads

pid
4
4
4
4
4
612
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4