File name:	f0b4cc9ca7207386fa06793a0fd2dd2b2d5a0ee019af0a7afbeb5b1665af4271
Full analysis:	https://app.any.run/tasks/7dae219d-068e-4a9a-946e-9e323e62ceb4
Verdict:	Malicious activity
Threats:	Chaos ransomware is a malware family known for its destructive capabilities and diverse variants. It first appeared in 2021 as a ransomware builder and later acted as a wiper. Unlike most ransomware strains that encrypt data to extort payment, early Chaos variants permanently corrupted files, while later versions adopted more conventional encryption techniques. Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Malware Trends Tracker >>>
Analysis date:	April 29, 2025, 13:22:03
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	crypto-regex chaos ransomware
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	D3C77A381D509DB6785A4D23B15D79D5
SHA1:	1B8031147C9084068A013A7230B2ADEDF8A03FEF
SHA256:	F0B4CC9CA7207386FA06793A0FD2DD2B2D5A0EE019AF0A7AFBEB5B1665AF4271
SSDEEP:	24576:3qQl+ulA8Msy1byaVJW9uyb/is+9qi/8EnTx4tTlR:3qa+uBy1bHVJomsMqqfFKx

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll	\|	Win32 Dynamic Link Library (generic) (7.4)
.exe	\|	Win32 Executable (generic) (5.1)
.exe	\|	Generic Win/DOS Executable (2.2)
.exe	\|	DOS Executable Generic (2.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2021:10:02 12:26:45+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	11
CodeSize:	2489856
InitializedDataSize:	2048
UninitializedDataSize:	-
EntryPoint:	0x261d8e
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	0.0.0.0
ProductVersionNumber:	0.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
FileDescription:
FileVersion:	0.0.0.0
InternalName:	goliath.exe
LegalCopyright:
OriginalFileName:	goliath.exe
ProductVersion:	0.0.0.0
AssemblyVersion:	0.0.0.0


(PID) Process:	(6512) bcdedit.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6512) bcdedit.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation:	write	Name:	Element
Value: 0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000
(PID) Process:	(6512) bcdedit.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000002
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6512) bcdedit.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000002
Operation:	write	Name:	Element
Value: \EFI\Microsoft\Boot\bootmgfw.efi
(PID) Process:	(6512) bcdedit.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\11000001
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6512) bcdedit.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\11000001
Operation:	write	Name:	Element
Value: 0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000
(PID) Process:	(6512) bcdedit.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\12000002
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6512) bcdedit.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\12000002
Operation:	write	Name:	Element
Value: \EFI\Boot\Loader.efi
(PID) Process:	(6512) bcdedit.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\Description
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6512) bcdedit.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\Elements\24000001
Operation:	delete key	Name:	(default)
Value:

PID	Process	Filename		Type
8084	f0b4cc9ca7207386fa06793a0fd2dd2b2d5a0ee019af0a7afbeb5b1665af4271.exe	C:\Users\admin\AppData\Roaming\windowsdefender.exe		executable
		MD5:D3C77A381D509DB6785A4D23B15D79D5	SHA256:F0B4CC9CA7207386FA06793A0FD2DD2B2D5A0EE019AF0A7AFBEB5B1665AF4271
7784	windowsdefender.exe	C:\Users\admin\Desktop\bushauthority.png		text
		MD5:CCE29769EAD6083B4B2ECAE05EB4ED97	SHA256:C5FCC6315ACFD3FD25446A8A1FDA8A514BE934272AEFDC57B8326CD11BD53144
7784	windowsdefender.exe	C:\Users\admin\Desktop\bruh.txt		text
		MD5:77718D329C0A749558FA94D4F6573036	SHA256:E299AC3129C2DC99599080423BA6E68C3BC372B58CBA6319E326F6E9266D22F1
7784	windowsdefender.exe	C:\Users\admin\Desktop\certificateaz.rtf.yg30		text
		MD5:356177DDE2DFAC9989B7F20E042BDA64	SHA256:6A8A48D55B85E850B10EBB7616A49FC8A6FA6A80F2F356B7466E8A19B3F25881
7784	windowsdefender.exe	C:\Users\admin\Desktop\nakedprev.rtf.7zb0		text
		MD5:7B88EA2956165BBE386877F03FD1C0A8	SHA256:BEF513D3A6437859EE27556FD47AB0C70B44E410C04E5C4D65FCE9B32E6FAE8F
7784	windowsdefender.exe	C:\Users\admin\Desktop\desktop.ini.og5t		text
		MD5:9D7AE004657EF7C0E2449A8D7DAAC70C	SHA256:C88DA71BB57291FE0DF1A2C663D7258304E55B45A4EC0D9E26E1B495C545D017
7784	windowsdefender.exe	C:\Users\admin\Desktop\f0b4cc9ca7207386fa06793a0fd2dd2b2d5a0ee019af0a7afbeb5b1665af4271.exe		text
		MD5:24EB1ECE66886D6F4EABEC7F546E30B5	SHA256:FAC3883FF33474653E8A851596B7EFAB593A4AF5C28385CB3568FF205D1CC782
7784	windowsdefender.exe	C:\Users\admin\Desktop\changesmonitoring.png.9ocs		text
		MD5:F7F27171D02D5F78210C688399B710AB	SHA256:FAB17ED0A3FB9F8E20B346559FD3A643272A2A35D92D29A0C5BA45208D077DD9
7784	windowsdefender.exe	C:\Users\admin\Desktop\changesmonitoring.png		text
		MD5:F7F27171D02D5F78210C688399B710AB	SHA256:FAB17ED0A3FB9F8E20B346559FD3A643272A2A35D92D29A0C5BA45208D077DD9
7784	windowsdefender.exe	C:\Users\admin\Desktop\nakedprev.rtf		text
		MD5:7B88EA2956165BBE386877F03FD1C0A8	SHA256:BEF513D3A6437859EE27556FD47AB0C70B44E410C04E5C4D65FCE9B32E6FAE8F

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5496	MoUsoCoreWorker.exe	GET	200	23.48.23.159:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7472	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
7472	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6544	svchost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
5496	MoUsoCoreWorker.exe	23.48.23.159:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5496	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
7472	SIHClient.exe	20.109.210.53:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7472	SIHClient.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
7472	SIHClient.exe	13.85.23.206:443	fe3cr.delivery.mp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7292	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2	whitelisted
crl.microsoft.com	23.48.23.159 23.48.23.164 23.48.23.161 23.48.23.150 23.48.23.158 23.48.23.156 23.48.23.162 23.48.23.145 23.48.23.166	whitelisted
google.com	142.250.186.110	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
slscr.update.microsoft.com	20.109.210.53	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted
nexusrules.officeapps.live.com	52.111.243.31	whitelisted
login.live.com	40.126.32.68 20.190.160.2 20.190.160.5 40.126.32.76 20.190.160.67 40.126.32.140 20.190.160.20 20.190.160.3	whitelisted

General Info

f0b4cc9ca7207386fa06793a0fd2dd2b2d5a0ee019af0a7afbeb5b1665af4271

D3C77A381D509DB6785A4D23B15D79D5

1B8031147C9084068A013A7230B2ADEDF8A03FEF

F0B4CC9CA7207386FA06793A0FD2DD2B2D5A0EE019AF0A7AFBEB5B1665AF4271

24576:3qQl+ulA8Msy1byaVJW9uyb/is+9qi/8EnTx4tTlR:3qa+uBy1bHVJomsMqqfFKx

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Create files in the Startup directory

Renames files like ransomware

CHAOS has been detected (YARA)

RANSOMWARE has been detected

Deletes shadow copies

Using BCDEDIT.EXE to modify recovery options

SUSPICIOUS

Found regular expressions for crypto-addresses (YARA)

Reads the date of Windows installation

Starts itself from another location

Write to the desktop.ini file (may be used to cloak folders)

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Starts CMD.EXE for commands execution

Executes as Windows Service

Start notepad (likely ransomware note)

INFO

Reads the computer name

Checks proxy server information

Checks supported languages

Creates files or folders in the user directory

Reads the software policy settings

Reads the machine GUID from the registry

Reads security settings of Internet Explorer

Reads Microsoft Office registry keys

Process checks computer location settings

Create files in a temporary directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings