File name:	2025-03-24_f1de9684445bcd6a9b7cb7924dc6eb86_bkransomware_floxif
Full analysis:	https://app.any.run/tasks/a72ce5e5-ed86-4ad8-bb2b-9ece66e6798b
Verdict:	Malicious activity
Threats:	A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. Malware Trends Tracker >>>
Analysis date:	March 24, 2025, 14:12:37
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	floxif backdoor
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	F1DE9684445BCD6A9B7CB7924DC6EB86
SHA1:	F584E2687B8D1D11637925BF3181F31A4D78BD91
SHA256:	60D6BDAE3FF796A056B64D471E23B12684EACAC45883C8B9F5A16651912C27AC
SSDEEP:	98304:589z40zmPxjYrQkVdev+qK73JyBhcX9psmHVsAAA48dcSisdcSiAAA93yrpdAAAE:yQEG

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2015:04:09 07:47:39+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	12
CodeSize:	2512896
InitializedDataSize:	2528768
UninitializedDataSize:	-
EntryPoint:	0x1d1201
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	35.0.61.54677
ProductVersionNumber:	35.0.61.54677
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
Comments:	HP Printer Assistant
OriginalFileName:	HPUDCApp.exe
InternalName:	HP Printer Assistant
CompanyName:	Hewlett-Packard Development Company, LP
LegalCopyright:	Copyright (C) Hewlett-Packard Co. 2014
LegalTrademarks:	-
FileDescription:	HP Printer Assistant
FileVersion:	35.0.61.54677
ProductName:	HP Digital Imaging
ProductVersion:	035.000.061.54677
ProductFamily:	HP Digital Imaging
ProductFileFlags:	1


(PID) Process:	(1052) 2025-03-24_f1de9684445bcd6a9b7cb7924dc6eb86_bkransomware_floxif.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(1052) 2025-03-24_f1de9684445bcd6a9b7cb7924dc6eb86_bkransomware_floxif.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(1052) 2025-03-24_f1de9684445bcd6a9b7cb7924dc6eb86_bkransomware_floxif.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

PID	Process	Filename		Type
1052	2025-03-24_f1de9684445bcd6a9b7cb7924dc6eb86_bkransomware_floxif.exe	C:\Users\admin\AppData\Local\Temp\conres.dll		executable
		MD5:7574CF2C64F35161AB1292E2F532AABF	SHA256:DE055A89DE246E629A8694BDE18AF2B1605E4B9B493C7E4AEF669DD67ACF5085

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	304	20.12.23.50:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
4120	SIHClient.exe	GET	200	23.48.23.173:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4120	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
4120	SIHClient.exe	GET	200	23.48.23.173:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
4120	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
4120	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
4120	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
4120	SIHClient.exe	GET	200	23.48.23.173:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
4120	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
—	—	GET	200	20.242.39.171:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3216	svchost.exe	40.113.110.67:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6544	svchost.exe	20.190.160.5:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4040	backgroundTaskHost.exe	20.31.169.57:443	arc.msn.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4120	SIHClient.exe	4.245.163.56:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4120	SIHClient.exe	23.48.23.173:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4120	SIHClient.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4120	SIHClient.exe	52.165.164.15:443	fe3cr.delivery.mp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
google.com	142.250.186.142	whitelisted
client.wns.windows.com	40.113.110.67 40.113.103.199	whitelisted
login.live.com	20.190.160.5 20.190.160.67 40.126.32.72 20.190.160.128 20.190.160.66 40.126.32.134 20.190.160.64 20.190.160.14 40.126.31.71 20.190.159.2 20.190.159.23 20.190.159.0 20.190.159.75 40.126.31.73 20.190.159.128 20.190.159.130	whitelisted
arc.msn.com	20.31.169.57	whitelisted
slscr.update.microsoft.com	4.245.163.56	whitelisted
crl.microsoft.com	23.48.23.173 23.48.23.166 23.48.23.164 23.48.23.180 23.48.23.143 23.48.23.194 23.48.23.176 23.48.23.145	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
fe3cr.delivery.mp.microsoft.com	52.165.164.15	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
nexusrules.officeapps.live.com	52.111.227.11	whitelisted

General Info

2025-03-24_f1de9684445bcd6a9b7cb7924dc6eb86_bkransomware_floxif

F1DE9684445BCD6A9B7CB7924DC6EB86

F584E2687B8D1D11637925BF3181F31A4D78BD91

60D6BDAE3FF796A056B64D471E23B12684EACAC45883C8B9F5A16651912C27AC

98304:589z40zmPxjYrQkVdev+qK73JyBhcX9psmHVsAAA48dcSisdcSiAAA93yrpdAAAE:yQEG

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

FLOXIF mutex has been found

SUSPICIOUS

Process drops legitimate windows executable

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

INFO

Checks supported languages

Failed to create an executable file in Windows directory

The sample compiled with english language support

Create files in a temporary directory

Checks proxy server information

Reads the computer name

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings