Malware Analysis Report

2025-06-16 06:23

Sample ID 230912-2grxfsad88
Target a52202b5b613be19e0a74cab486b573916c930e0a8332251fe3bcd6ca5a2a2ac
SHA256 a52202b5b613be19e0a74cab486b573916c930e0a8332251fe3bcd6ca5a2a2ac
Tags
chaos ransomware spyware stealer
score
10/10


Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

chaos ransomware spyware stealer

Chaos family

Chaos

Chaos Ransomware

Renames multiple (185) files with added filename extension

Renames multiple (203) files with added filename extension

Drops startup file

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Opens file in notepad (likely ransom note)

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-12 22:33

Signatures

Chaos Ransomware


Chaos family

chaos

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-09-12 22:33

Reported

2023-09-12 22:43

Platform

win7-20230831-en

Max time kernel

361s

Max time network

363s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a52202b5b613be19e0a74cab486b573916c930e0a8332251fe3bcd6ca5a2a2ac.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware


Renames multiple (203) files with added filename extension

ransomware

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.txt C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-607259312-1573743425-2763420908-1000\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Sets desktop wallpaper using registry

ransomware

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqbaequg8.jpg" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Enumerates physical storage devices

Opens file in notepad (likely ransom note)

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a52202b5b613be19e0a74cab486b573916c930e0a8332251fe3bcd6ca5a2a2ac.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a52202b5b613be19e0a74cab486b573916c930e0a8332251fe3bcd6ca5a2a2ac.exe

"C:\Users\Admin\AppData\Local\Temp\a52202b5b613be19e0a74cab486b573916c930e0a8332251fe3bcd6ca5a2a2ac.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\README.txt

Network

N/A

Files

memory/2172-0-0x00000000011E0000-0x000000000128E000-memory.dmp

memory/2172-1-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 599bd35670c4e89123c6d73c769cb0a8
SHA1 17a5bd208e4cc88a9d75a6f90293bb6af95e482c
SHA256 a52202b5b613be19e0a74cab486b573916c930e0a8332251fe3bcd6ca5a2a2ac
SHA512 15279721c73d24a1986ccc0659419bb43de84ef9daaadd314ee8577d74a85ba111b6cb5b7af0e2f318de6d75b1d2f4efac7ae7a63f406f377d27201baca60fb5

memory/1108-7-0x0000000000F00000-0x0000000000FAE000-memory.dmp

memory/1108-9-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp

memory/2172-8-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp

memory/1108-11-0x000000001B040000-0x000000001B0C0000-memory.dmp

C:\Users\Admin\Documents\README.txt

MD5 a827f97d9d0a9a035a0ddaee6834a1ce
SHA1 495f9592799da2074d5e55c83fcd4f6e060e9b1b
SHA256 80725268e5db7edf8cdab3779fb3f691ed479078f73e11e08263b1ad0d1be86f
SHA512 9fb3ef63191e51d07a8ffb8f88c844558f3ef6221139d64e199aec3ca7e28be50542fa19d037656bc7172d432c9b10d4ae00cc5da21f7084b5680659a3c1dda2

memory/1108-451-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp

C:\Users\Admin\AppData\Roaming\README.txt

MD5 a827f97d9d0a9a035a0ddaee6834a1ce
SHA1 495f9592799da2074d5e55c83fcd4f6e060e9b1b
SHA256 80725268e5db7edf8cdab3779fb3f691ed479078f73e11e08263b1ad0d1be86f
SHA512 9fb3ef63191e51d07a8ffb8f88c844558f3ef6221139d64e199aec3ca7e28be50542fa19d037656bc7172d432c9b10d4ae00cc5da21f7084b5680659a3c1dda2

memory/1108-473-0x000000001B040000-0x000000001B0C0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-12 22:33

Reported

2023-09-12 22:51

Platform

win10v2004-20230831-en

Max time kernel

477s

Max time network

585s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a52202b5b613be19e0a74cab486b573916c930e0a8332251fe3bcd6ca5a2a2ac.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware


Renames multiple (185) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a52202b5b613be19e0a74cab486b573916c930e0a8332251fe3bcd6ca5a2a2ac.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.txt C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1859779917-101786662-3680946609-1000\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Sets desktop wallpaper using registry

ransomware

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\we2ijj322.jpg" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Opens file in notepad (likely ransom note)

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses


Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a52202b5b613be19e0a74cab486b573916c930e0a8332251fe3bcd6ca5a2a2ac.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a52202b5b613be19e0a74cab486b573916c930e0a8332251fe3bcd6ca5a2a2ac.exe

"C:\Users\Admin\AppData\Local\Temp\a52202b5b613be19e0a74cab486b573916c930e0a8332251fe3bcd6ca5a2a2ac.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\README.txt

Network


Files

memory/1432-0-0x0000000000030000-0x00000000000DE000-memory.dmp

memory/1432-1-0x00007FFE3EA60000-0x00007FFE3F521000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 599bd35670c4e89123c6d73c769cb0a8
SHA1 17a5bd208e4cc88a9d75a6f90293bb6af95e482c
SHA256 a52202b5b613be19e0a74cab486b573916c930e0a8332251fe3bcd6ca5a2a2ac
SHA512 15279721c73d24a1986ccc0659419bb43de84ef9daaadd314ee8577d74a85ba111b6cb5b7af0e2f318de6d75b1d2f4efac7ae7a63f406f377d27201baca60fb5

memory/1432-15-0x00007FFE3EA60000-0x00007FFE3F521000-memory.dmp

memory/3348-14-0x00007FFE3EA60000-0x00007FFE3F521000-memory.dmp

C:\Users\Admin\Documents\README.txt

MD5 a827f97d9d0a9a035a0ddaee6834a1ce
SHA1 495f9592799da2074d5e55c83fcd4f6e060e9b1b
SHA256 80725268e5db7edf8cdab3779fb3f691ed479078f73e11e08263b1ad0d1be86f
SHA512 9fb3ef63191e51d07a8ffb8f88c844558f3ef6221139d64e199aec3ca7e28be50542fa19d037656bc7172d432c9b10d4ae00cc5da21f7084b5680659a3c1dda2

C:\Users\Admin\AppData\Roaming\README.txt

MD5 a827f97d9d0a9a035a0ddaee6834a1ce
SHA1 495f9592799da2074d5e55c83fcd4f6e060e9b1b
SHA256 80725268e5db7edf8cdab3779fb3f691ed479078f73e11e08263b1ad0d1be86f
SHA512 9fb3ef63191e51d07a8ffb8f88c844558f3ef6221139d64e199aec3ca7e28be50542fa19d037656bc7172d432c9b10d4ae00cc5da21f7084b5680659a3c1dda2

memory/3348-439-0x00007FFE3EA60000-0x00007FFE3F521000-memory.dmp