File name:	Serverice.Host.local.exe
Full analysis:	https://app.any.run/tasks/af758fc4-1963-424d-b197-da7836c7cd7c
Verdict:	Malicious activity
Threats:	Chaos ransomware is a malware family known for its destructive capabilities and diverse variants. It first appeared in 2021 as a ransomware builder and later acted as a wiper. Unlike most ransomware strains that encrypt data to extort payment, early Chaos variants permanently corrupted files, while later versions adopted more conventional encryption techniques. Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Malware Trends Tracker >>>
Analysis date:	May 25, 2025, 00:08:04
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	ransomware auto-startup crypto-regex chaos
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	D206DD07A32132A06AF8FE1D0F3EEC55
SHA1:	AC3C7DC216A9351905379F612BBE132906020384
SHA256:	1E10C6E0E448B51D612F5363B5B4EDD2D52D3862287388E5172FDF0D3736DC0E
SSDEEP:	3072:vdGVr9j4hCJxtY4sdP6VZn6ZCHGIQZT7TMPD6HCqG:cr98hCJLYiZnCCUZXTMbBq

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll	\|	Win32 Dynamic Link Library (generic) (7.4)
.exe	\|	Win32 Executable (generic) (5.1)
.exe	\|	Generic Win/DOS Executable (2.2)
.exe	\|	DOS Executable Generic (2.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:01:11 21:15:08+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	11
CodeSize:	184320
InitializedDataSize:	2048
UninitializedDataSize:	-
EntryPoint:	0x2ef6e
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	0.0.0.0
ProductVersionNumber:	0.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
FileDescription:
FileVersion:	0.0.0.0
InternalName:	Optimus.exe
LegalCopyright:
OriginalFileName:	Optimus.exe
ProductVersion:	0.0.0.0
AssemblyVersion:	0.0.0.0


(PID) Process:	(2088) bcdedit.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(2088) bcdedit.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation:	write	Name:	Element
Value: 0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000
(PID) Process:	(2088) bcdedit.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000002
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(2088) bcdedit.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000002
Operation:	write	Name:	Element
Value: \EFI\Microsoft\Boot\bootmgfw.efi
(PID) Process:	(2088) bcdedit.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\11000001
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(2088) bcdedit.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\11000001
Operation:	write	Name:	Element
Value: 0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000
(PID) Process:	(2088) bcdedit.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\12000002
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(2088) bcdedit.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\12000002
Operation:	write	Name:	Element
Value: \EFI\Boot\Loader.efi
(PID) Process:	(2088) bcdedit.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\Description
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(2088) bcdedit.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\Elements\24000001
Operation:	delete key	Name:	(default)
Value:

PID	Process	Filename		Type
6372	Serverice.Host.local.exe	C:\Users\admin\AppData\Roaming\svchost.exe		executable
		MD5:D206DD07A32132A06AF8FE1D0F3EEC55	SHA256:1E10C6E0E448B51D612F5363B5B4EDD2D52D3862287388E5172FDF0D3736DC0E
4208	svchost.exe	C:\Users\admin\Desktop\bushcould.png		text
		MD5:1FF6E9E7DE1ED1B2FA068A90E0F306F2	SHA256:B952C8E92682B74B064328DCCF16F194CD3CBC2AEBF9BAB53DFA6E2D27F541AC
4208	svchost.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url		binary
		MD5:83660DEB1A47E0B191FDA82BDFD61827	SHA256:87089BD6FEDDA43B5E4D738B5BF246BA1B2E5C248B9220F0D1E742B827F30B0D
4208	svchost.exe	C:\Users\admin\Desktop\asslistings.png		text
		MD5:DE7612D7C3DCAF90DAF971C59C4EC5F0	SHA256:23BE875D4AAE8BF4D79CE9553F7D80F0CE7E1A9AB91B371E5D8AACAD7A04BBC0
4208	svchost.exe	C:\Users\admin\Desktop\desktop.ini.a9dj		text
		MD5:BED16A166C443AEBAAFDA85BD6089187	SHA256:B616B70975067E48B0FCAAA6435DFFA0451857D3F798230FE41E9F60AAE5394D
4208	svchost.exe	C:\Users\admin\Desktop\bushcould.png.z8jk		text
		MD5:1FF6E9E7DE1ED1B2FA068A90E0F306F2	SHA256:B952C8E92682B74B064328DCCF16F194CD3CBC2AEBF9BAB53DFA6E2D27F541AC
4208	svchost.exe	C:\Users\admin\Desktop\desktop.ini		text
		MD5:BED16A166C443AEBAAFDA85BD6089187	SHA256:B616B70975067E48B0FCAAA6435DFFA0451857D3F798230FE41E9F60AAE5394D
4208	svchost.exe	C:\Users\admin\Desktop\naturalmountain.jpg		text
		MD5:CDFA74284D9821B2437F0FE81C4873ED	SHA256:CB19F52BFCB1B55CDB9ABE89FC554870434CE360BE70A76D6346D05FEC1E8E70
4208	svchost.exe	C:\Users\admin\Desktop\naturalmountain.jpg.c45r		text
		MD5:CDFA74284D9821B2437F0FE81C4873ED	SHA256:CB19F52BFCB1B55CDB9ABE89FC554870434CE360BE70A76D6346D05FEC1E8E70
4208	svchost.exe	C:\Users\admin\Desktop\parentphentermine.rtf		text
		MD5:567027D4282F9EBB42AE717AC90C7CC9	SHA256:E26938EC52D8CCFDA2BB8BA7C3CE346040053E1DD4E58B76413D79769D4FE57B

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5544	SIHClient.exe	GET	200	23.216.77.42:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	304	20.12.23.50:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
—	—	GET	200	20.12.23.50:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	compressed	23.9 Kb	whitelisted
5544	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
5544	SIHClient.exe	GET	200	23.216.77.42:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
5544	SIHClient.exe	GET	200	23.216.77.42:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
5544	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
5544	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
—	—	GET	200	52.165.164.15:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	unknown	—	—	—
5544	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3216	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
5544	SIHClient.exe	52.149.20.212:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5544	SIHClient.exe	23.216.77.42:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5544	SIHClient.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5544	SIHClient.exe	52.165.164.15:443	fe3cr.delivery.mp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
496	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6544	svchost.exe	20.190.160.131:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146	whitelisted
google.com	142.250.186.78	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
slscr.update.microsoft.com	52.149.20.212	whitelisted
crl.microsoft.com	23.216.77.42 23.216.77.6 23.216.77.28	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
fe3cr.delivery.mp.microsoft.com	52.165.164.15	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98 40.91.76.224	whitelisted
nexusrules.officeapps.live.com	52.111.236.22	whitelisted
login.live.com	20.190.160.131 40.126.32.74 20.190.160.22 20.190.160.5 20.190.160.128 20.190.160.64 40.126.32.134 20.190.160.20	whitelisted

General Info

Serverice.Host.local.exe

D206DD07A32132A06AF8FE1D0F3EEC55

AC3C7DC216A9351905379F612BBE132906020384

1E10C6E0E448B51D612F5363B5B4EDD2D52D3862287388E5172FDF0D3736DC0E

3072:vdGVr9j4hCJxtY4sdP6VZn6ZCHGIQZT7TMPD6HCqG:cr98hCJLYiZnCCUZXTMbBq

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Create files in the Startup directory

Renames files like ransomware

RANSOMWARE has been detected

CHAOS has been detected (YARA)

Deletes shadow copies

Using BCDEDIT.EXE to modify recovery options

SUSPICIOUS

Reads the date of Windows installation

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Starts itself from another location

The process creates files with name similar to system file names

Write to the desktop.ini file (may be used to cloak folders)

Found regular expressions for crypto-addresses (YARA)

Starts CMD.EXE for commands execution

Executes as Windows Service

Start notepad (likely ransomware note)

INFO

Creates files or folders in the user directory

Reads the computer name

Checks supported languages

Process checks computer location settings

Auto-launch of the file from Startup directory

Reads the machine GUID from the registry

Manual execution by a user

Reads security settings of Internet Explorer

Create files in a temporary directory

Reads the software policy settings

Checks proxy server information

Reads Microsoft Office registry keys

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests