Malware analysis Fluxus Download_35427597.exe Malicious activity

Add for printing

File name:	Fluxus Download_35427597.exe
Full analysis:	https://app.any.run/tasks/a93bffac-3355-466b-b28e-a46df68d4cc1
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	January 08, 2025, 16:39:29
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-exec arch-doc pastebin discord phishing reflection loader
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	15D1C495FF66BF7CEA8A6D14BFDF0A20
SHA1:	942814521FA406A225522F208AC67F90DBDE0AE7
SHA256:	61C2C4A5D7C14F77EE88871DED4CC7F1E49DAE3E4EF209504C66FEDF4D22DE42
SSDEEP:	98304:DtjM+LgnHM8mNLNpOmMGl2p9tjIQh+1GHp8PGmDFzMVv3kdcpR41TBN14BC6SkPT:Kw8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- PHISHING has been detected (SURICATA)
  - msedge.exe (PID: 3652)
SUSPICIOUS
- Checks Windows Trust Settings
  - Fluxus Download_35427597.exe (PID: 6196)
- Reads security settings of Internet Explorer
  - Fluxus Download_35427597.exe (PID: 6196)
  - Fluxus_IDE.exe (PID: 2216)
- Start notepad (likely ransomware note)
  - Fluxus Download_35427597.exe (PID: 6196)
- Process drops legitimate windows executable
  - firefox.exe (PID: 4504)
  - WinRAR.exe (PID: 7120)
- Detects reflection assembly loader (YARA)
  - Fluxus_IDE.exe (PID: 2216)
- Connects to unusual port
  - Fluxus_IDE.exe (PID: 2216)
INFO
- The sample compiled with english language support
  - Fluxus Download_35427597.exe (PID: 6196)
  - firefox.exe (PID: 4504)
  - WinRAR.exe (PID: 7120)
  - msedge.exe (PID: 7812)
- Checks supported languages
  - Fluxus Download_35427597.exe (PID: 6196)
  - Fluxus_IDE.exe (PID: 2216)
  - identity_helper.exe (PID: 720)
- Reads the computer name
  - Fluxus Download_35427597.exe (PID: 6196)
  - Fluxus_IDE.exe (PID: 2216)
  - identity_helper.exe (PID: 720)
- Reads the machine GUID from the registry
  - Fluxus Download_35427597.exe (PID: 6196)
  - Fluxus_IDE.exe (PID: 2216)
- Checks proxy server information
  - Fluxus Download_35427597.exe (PID: 6196)
  - Fluxus_IDE.exe (PID: 2216)
- Reads the software policy settings
  - Fluxus Download_35427597.exe (PID: 6196)
  - Fluxus_IDE.exe (PID: 2216)
- Sends debugging messages
  - Fluxus Download_35427597.exe (PID: 6196)
- Creates files or folders in the user directory
  - Fluxus Download_35427597.exe (PID: 6196)
  - Fluxus_IDE.exe (PID: 2216)
- The process uses the downloaded file
  - Fluxus Download_35427597.exe (PID: 6196)
  - firefox.exe (PID: 4504)
  - WinRAR.exe (PID: 7120)
  - Fluxus_IDE.exe (PID: 2216)
- Process checks computer location settings
  - Fluxus Download_35427597.exe (PID: 6196)
- Reads security settings of Internet Explorer
  - notepad.exe (PID: 7044)
- Manual execution by a user
  - firefox.exe (PID: 6060)
  - Fluxus_IDE.exe (PID: 2216)
  - WinRAR.exe (PID: 7120)
  - WinRAR.exe (PID: 5712)
- Application launched itself
  - firefox.exe (PID: 6060)
  - firefox.exe (PID: 4504)
  - msedge.exe (PID: 6192)
- Disables trace logs
  - Fluxus_IDE.exe (PID: 2216)
- Reads Environment values
  - Fluxus_IDE.exe (PID: 2216)
  - identity_helper.exe (PID: 720)
- Attempting to use instant messaging service
  - msedge.exe (PID: 3652)
- Connects to unusual port
  - msedge.exe (PID: 3652)
- Executable content was dropped or overwritten
  - msedge.exe (PID: 7812)
  - WinRAR.exe (PID: 7120)
- Create files in a temporary directory
  - Fluxus_IDE.exe (PID: 2216)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:10:18 17:00:18+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.22
CodeSize:	4353024
InitializedDataSize:	1675776
UninitializedDataSize:	-
EntryPoint:	0x398c98
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Unknown (0)
ObjectFileType:	Unknown
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
FileDescription:	Download Manager
FileVersion:	1
InternalName:	Download Manager
LegalCopyright:	Download Manager
OriginalFileName:	Download Manager
ProductName:	Download Manager
ProductVersion:	1

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

207

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

720

"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7044 --field-trial-handle=2396,i,1053400204155703207,3147285184452064289,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

PWA Identity Proxy Host

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

1512

C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\rundll32.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

1520

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2768 -childID 1 -isForBrowser -prefsHandle 2672 -prefMapHandle 2728 -prefsLen 31447 -prefMapSize 244583 -jsInitHandle 1540 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1da4c32-ca09-4cd4-a05b-e693f1f5dcb7} 4504 "\\.\pipe\gecko-crash-server-pipe.4504" 1cabf89ef50 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\bcrypt.dll

1744

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3972 --field-trial-handle=2396,i,1053400204155703207,3147285184452064289,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

1752

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=5500 --field-trial-handle=2396,i,1053400204155703207,3147285184452064289,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2100

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2608 --field-trial-handle=2396,i,1053400204155703207,3147285184452064289,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

2216

"C:\Users\admin\Downloads\Fluxus\Fluxus_IDE.exe"

C:\Users\admin\Downloads\Fluxus\Fluxus_IDE.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Fluxus_IDE

Version:

1.0.0.0

Modules

Images
c:\users\admin\downloads\fluxus\fluxus_ide.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

2448

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=8080 --field-trial-handle=2396,i,1053400204155703207,3147285184452064289,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

3632

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=8168 --field-trial-handle=2396,i,1053400204155703207,3147285184452064289,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3652

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2592 --field-trial-handle=2396,i,1053400204155703207,3147285184452064289,262144 --variations-seed-version /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

Add for printing

Total events

27 396

Read events

27 255

Write events

127

Delete events

Modification events


(PID) Process:	(6196) Fluxus Download_35427597.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6196) Fluxus Download_35427597.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6196) Fluxus Download_35427597.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(6196) Fluxus Download_35427597.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithProgids
Operation:	write	Name:	txtfile
Value:
(PID) Process:	(4504) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe
Value: 0
(PID) Process:	(5712) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(5712) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(5712) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(5712) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Downloads\Fluxus.zip
(PID) Process:	(5712) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120

Add for printing

Executable files

Suspicious files

610

Text files

135

Unknown types

Dropped files

PID	Process	Filename		Type
6196	Fluxus Download_35427597.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA		der
		MD5:026CEF24F5A08DFB690DC814849AC227	SHA256:FD94F49FE23CFA9376A0A18BE17B78C4C7841A95A35E82425632D7748BACB4BF
6196	Fluxus Download_35427597.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA		binary
		MD5:4F073437B7BCE4EB91CBE4FC00CBBBD1	SHA256:BCD1EA56D48E26B1DB4528508A84BFAF2266F2A1625F5BD726C66DCB6FA222CD
6196	Fluxus Download_35427597.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199		der
		MD5:E935BC5762068CAF3E24A2683B1B8A88	SHA256:A8ACCFCFEB51BD73DF23B91F4D89FF1A9EB7438EF5B12E8AFDA1A6FF1769E89D
6196	Fluxus Download_35427597.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\service[1].htm		text
		MD5:C767C06D3BA007B50D2F6A98E8D2D4E9	SHA256:DB9BE0A578CA2E203EF24E536022CF207FEF24472B9ECF57DA472E65B40B8C57
4504	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin		—
		MD5:—	SHA256:—
6196	Fluxus Download_35427597.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F44F0D8080C8C3429C5AB2379F33E907_9F640C49FF73611C0D8CAD8C0D537F4B		der
		MD5:E4473A2DC6BFE83B9C37FAB08A0576E0	SHA256:94F762FF520CCE4EB40036DB16C810C35A7E51450245367541D603A21BAAD193
6196	Fluxus Download_35427597.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199		binary
		MD5:3A16815693F19787E258AAFA4122A710	SHA256:9FAF6DCDFB130CAAB6313E4FFEBC31C4279E286C7F90B4337813F90B123A70F9
6196	Fluxus Download_35427597.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C2C9D7FCC58B6FD9BF152E66809C1BBE_9962014287DF49023620C3F0C27B8ACE		binary
		MD5:97BD1114D1ECEF635B8010E2E68BBAAE	SHA256:CFC3872D4A39528D4B08CAD8A704F95974D821996CF5E8526C5FB31BBAAA90D3
6196	Fluxus Download_35427597.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F44F0D8080C8C3429C5AB2379F33E907_9F640C49FF73611C0D8CAD8C0D537F4B		binary
		MD5:A3EEFAFDFB3FBACD37AF3F80EA7D633D	SHA256:72068EE475317827E9528DC3A5B465AD866035CBFA9467750F754C54B4DDD3F8
6196	Fluxus Download_35427597.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\geo[1].htm		text
		MD5:8E2DE0DEB87362B6D1FE3BDAAB02387F	SHA256:21BD2218E387A3E341DE534BEBF1E7F8AA2FBA64B97C778787C241E61D35B83F

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

276

DNS requests

384

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6196	Fluxus Download_35427597.exe	GET	200	142.250.185.67:80	http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D	unknown	—	—	whitelisted
3984	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6196	Fluxus Download_35427597.exe	GET	200	142.250.184.195:80	http://o.pki.goog/s/wr3/0Yg/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQSq0i5t2Pafi2Gw9uzwnc7KTctWgQUx4H1%2FY6I2QA8TWOiUDEkoM4j%2FiMCEQDRiI70rSJu9AnH4wvTqQA5	unknown	—	—	whitelisted
6196	Fluxus Download_35427597.exe	GET	200	142.250.185.67:80	http://c.pki.goog/r/r1.crl	unknown	—	—	whitelisted
6196	Fluxus Download_35427597.exe	GET	200	142.250.184.195:80	http://o.pki.goog/s/wr3/URM/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQSq0i5t2Pafi2Gw9uzwnc7KTctWgQUx4H1%2FY6I2QA8TWOiUDEkoM4j%2FiMCEFET1OsgXJOMCsceBPevDRA%3D	unknown	—	—	whitelisted
6196	Fluxus Download_35427597.exe	GET	200	142.250.185.67:80	http://c.pki.goog/r/gsr1.crl	unknown	—	—	whitelisted
6196	Fluxus Download_35427597.exe	GET	200	142.250.185.67:80	http://c.pki.goog/r/r4.crl	unknown	—	—	unknown
6196	Fluxus Download_35427597.exe	GET	200	65.9.90.182:80	http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkzUBtJnwJkc3SmanzgxeYU%3D	unknown	—	—	unknown
1176	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6196	Fluxus Download_35427597.exe	GET	200	65.9.98.16:80	http://ocsp.r2m03.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQqHI%2BsdmapawQncL1rpCEZZ8gTSAQUVdkYX9IczAHhWLS%2Bq9lVQgHXLgICEAsG7SjIJKGIOV3vwg87c8M%3D	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	unknown
3984	svchost.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	unknown
4712	MoUsoCoreWorker.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
3984	svchost.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	92.123.104.33:443	www.bing.com	Akamai International B.V.	DE	unknown
6196	Fluxus Download_35427597.exe	35.190.60.70:443	www.dlsft.com	GOOGLE	US	whitelisted
6196	Fluxus Download_35427597.exe	142.250.185.67:80	ocsp.pki.goog	GOOGLE	US	whitelisted
6196	Fluxus Download_35427597.exe	142.250.184.195:80	o.pki.goog	GOOGLE	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.104.136.2	whitelisted
crl.microsoft.com	23.48.23.143 23.48.23.167 23.48.23.176 23.48.23.177 23.48.23.164 23.48.23.145 23.48.23.156 23.48.23.173	whitelisted
www.microsoft.com	23.35.229.160 95.101.149.131	whitelisted
google.com	216.58.212.142	whitelisted
www.dlsft.com	35.190.60.70	unknown
ocsp.pki.goog	142.250.185.67	whitelisted
c.pki.goog	142.250.185.67	whitelisted
o.pki.goog	142.250.184.195	unknown
dlsft.com	35.190.60.70	unknown
filedm.com	104.21.48.1 104.21.96.1 104.21.112.1 104.21.64.1 104.21.32.1 104.21.16.1 104.21.80.1	malicious

Threats

PID	Process	Class	Message
2192	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Online Pastebin Text Storage
3652	msedge.exe	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
3652	msedge.exe	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
3652	msedge.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
3652	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
3652	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
3652	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
3652	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
3652	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
3652	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge

Add for printing

Process	Message
Fluxus Download_35427597.exe	Error: (undefined) has no property - value
Fluxus Download_35427597.exe	at getFileInfo.@307@46 (this://app/main.html(329))
Fluxus Download_35427597.exe
Fluxus Download_35427597.exe
Fluxus Download_35427597.exe	at initializeDynamicVariables (this://app/main.html(351))
Fluxus Download_35427597.exe	scanning node question /questions/question
Fluxus Download_35427597.exe	scanning node question /questions/question
Fluxus Download_35427597.exe	scanning node question /questions/question
Fluxus Download_35427597.exe	scanning node question /questions/question
Fluxus Download_35427597.exe	scanning node question /questions/question

General Info

Fluxus Download_35427597.exe

15D1C495FF66BF7CEA8A6D14BFDF0A20

942814521FA406A225522F208AC67F90DBDE0AE7

61C2C4A5D7C14F77EE88871DED4CC7F1E49DAE3E4EF209504C66FEDF4D22DE42

98304:DtjM+LgnHM8mNLNpOmMGl2p9tjIQh+1GHp8PGmDFzMVv3kdcpR41TBN14BC6SkPT:Kw8

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

PHISHING has been detected (SURICATA)

SUSPICIOUS

Checks Windows Trust Settings

Reads security settings of Internet Explorer

Start notepad (likely ransomware note)

Process drops legitimate windows executable

Detects reflection assembly loader (YARA)

Connects to unusual port

INFO

The sample compiled with english language support

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Checks proxy server information

Reads the software policy settings

Sends debugging messages

Creates files or folders in the user directory

The process uses the downloaded file

Process checks computer location settings

Reads security settings of Internet Explorer

Manual execution by a user

Application launched itself

Disables trace logs

Reads Environment values

Attempting to use instant messaging service

Connects to unusual port

Executable content was dropped or overwritten

Create files in a temporary directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings