File name: 2025-03-24_98fa0ba8637688b8592a0778c672a8c0_amadey_bkransomware_floxif

Full analysis: https://app.any.run/tasks/0c8a0d4f-299e-4512-a62e-d96c1d0ec904
Verdict: Malicious activity
Analysis date: March 24, 2025, 13:11:19
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 98FA0BA8637688B8592A0778C672A8C0
SHA1: 912E355C9CFB5E4FAFE156EB187EF5FA697485B7
SHA256: 7866ED6AA2E9EFD167D1F0ABCE8E2D025094F604A67F31414B1AB06A465B8504
SSDEEP: 49152:Vo0koYGWl7IkXJYIWiOSI/4qjuql1uJlEMPgMXnibxFUXFVZGODo7kNvN725PpPd:VLlSE4qyqyIGgMkWXFPmfRe5A

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 2025-03-24_98fa0ba8637688b8592a0778c672a8c0_amadey_bkransomware_floxif.exe (PID: 7376)
      • 2025-03-24_98fa0ba8637688b8592a0778c672a8c0_amadey_bkransomware_floxif.exe (PID: 7464)
    • Connects to the CnC server

      • 2025-03-24_98fa0ba8637688b8592a0778c672a8c0_amadey_bkransomware_floxif.exe (PID: 7464)
      • FileCoAuth.exe (PID: 7756)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-03-24_98fa0ba8637688b8592a0778c672a8c0_amadey_bkransomware_floxif.exe (PID: 7464)
    • Reads security settings of Internet Explorer

      • 2025-03-24_98fa0ba8637688b8592a0778c672a8c0_amadey_bkransomware_floxif.exe (PID: 7464)
      • FileCoAuth.exe (PID: 7756)
    • Process drops legitimate windows executable

      • 2025-03-24_98fa0ba8637688b8592a0778c672a8c0_amadey_bkransomware_floxif.exe (PID: 7464)
      • FileCoAuth.exe (PID: 7756)
    • Contacting a server suspected of hosting a CnC

      • 2025-03-24_98fa0ba8637688b8592a0778c672a8c0_amadey_bkransomware_floxif.exe (PID: 7464)
      • FileCoAuth.exe (PID: 7756)
    • Starts CMD.EXE for commands execution

      • FileCoAuth.exe (PID: 7756)
  • INFO

    • Checks supported languages

      • 2025-03-24_98fa0ba8637688b8592a0778c672a8c0_amadey_bkransomware_floxif.exe (PID: 7464)
    • The sample was compiled with English language support

      • 2025-03-24_98fa0ba8637688b8592a0778c672a8c0_amadey_bkransomware_floxif.exe (PID: 7464)
      • FileCoAuth.exe (PID: 7756)
    • Reads the computer name

      • 2025-03-24_98fa0ba8637688b8592a0778c672a8c0_amadey_bkransomware_floxif.exe (PID: 7464)
    • Creates files in the program directory

      • 2025-03-24_98fa0ba8637688b8592a0778c672a8c0_amadey_bkransomware_floxif.exe (PID: 7464)
    • Checks proxy server information

      • 2025-03-24_98fa0ba8637688b8592a0778c672a8c0_amadey_bkransomware_floxif.exe (PID: 7464)
      • slui.exe (PID: 8004)
      • FileCoAuth.exe (PID: 7756)
    • Reads the software policy settings

      • slui.exe (PID: 8004)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:09:07 04:17:44+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 1465856
InitializedDataSize: 1657856
UninitializedDataSize: -
EntryPoint: 0x112640
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 5.2.0.0
ProductVersionNumber: 5.2.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: ASCII
BaseVersion: 6.20.000
CompanyName: CANON INC.
FileDescription: Canon Printer Driver Installer
FileVersion: 5, 2, 0, 0
InternalName: Setup.exe
LegalCopyright: Copyright CANON INC. 2015
OriginalFileName: Setup.exe
ProductName: Installer Module
ProductVersion: 5, 2, 0, 0
No data.
All screenshots are available in the full report

Total processes: 130
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 1

Behavior graph

start -> 2025-03-24_98fa0ba8637688b8592a0778c672a8c0_amadey_bkransomware_floxif.exe, filecoauth.exe, slui.exe, 2025-03-24_98fa0ba8637688b8592a0778c672a8c0_amadey_bkransomware_floxif.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process

7376 | "C:\Users\admin\Desktop\2025-03-24_98fa0ba8637688b8592a0778c672a8c0_amadey_bkransomware_floxif.exe" | C:\Users\admin\Desktop\2025-03-24_98fa0ba8637688b8592a0778c672a8c0_amadey_bkransomware_floxif.exe | - | explorer.exe
  User: admin
  Company: CANON INC.
  Integrity Level: MEDIUM
  Description: Canon Printer Driver Installer
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
  Version: 5, 2, 0, 0
  Modules (Images):
    c:\users\admin\desktop\2025-03-24_98fa0ba8637688b8592a0778c672a8c0_amadey_bkransomware_floxif.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll

7464 | "C:\Users\admin\Desktop\2025-03-24_98fa0ba8637688b8592a0778c672a8c0_amadey_bkransomware_floxif.exe" | C:\Users\admin\Desktop\2025-03-24_98fa0ba8637688b8592a0778c672a8c0_amadey_bkransomware_floxif.exe | - | explorer.exe
  User: admin
  Company: CANON INC.
  Integrity Level: HIGH
  Description: Canon Printer Driver Installer
  Exit code: 1
  Version: 5, 2, 0, 0
  Modules (Images):
    c:\users\admin\desktop\2025-03-24_98fa0ba8637688b8592a0778c672a8c0_amadey_bkransomware_floxif.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\cfgmgr32.dll

7756 | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe | - | svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft OneDrive File Co-Authoring Executable
  Exit code: 0
  Version: 19.043.0304.0013
  Modules (Images):
    c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\user32.dll
    c:\windows\syswow64\win32u.dll

8004 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | - | svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Activation Client
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (Images):
    c:\windows\system32\slui.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\user32.dll
Total events: 4 305
Read events: 4 299
Write events: 6
Delete events: 0

Modification events

(PID) Process: (7464) 2025-03-24_98fa0ba8637688b8592a0778c672a8c0_amadey_bkransomware_floxif.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (7464) 2025-03-24_98fa0ba8637688b8592a0778c672a8c0_amadey_bkransomware_floxif.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (7464) 2025-03-24_98fa0ba8637688b8592a0778c672a8c0_amadey_bkransomware_floxif.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (7756) FileCoAuth.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (7756) FileCoAuth.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (7756) FileCoAuth.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 14
Suspicious files: 2
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type

7756 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LoggingPlatform.DLL.tmp | executable
  MD5: 70B2B09FDD8A1FC5B49AFE6D5B704E75
  SHA256: 7F582B510B9F2112F52B95A4D94067CEB616924C95AF1496B817299E945FCA04

7756 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-03-24.1311.7756.1.aodl | binary
  MD5: 28DCA2FF4B34B5A52A2E59DF202A6ED3
  SHA256: 33BACCB7296F1ED1F995FC77A23049F261CF391AC0388F9E8DD161F8C17B7F94

7756 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\UpdateRingSettings.dll.tmp | executable
  MD5: 10C70D402E14519B7C658CD63D002F44
  SHA256: 0DE1297F32A586DDB9D6984D9A26AB5468BB417101FFBD00FCBCAB4D9E68F4BC

7756 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\MSVCP140.dll.tmp | executable
  MD5: F9F15D1E9267424683A6134DAEA5B9C6
  SHA256: C850EE3550B64B0729D0E9B87C1BA97E4F9CBD357B2B0DCAF7EA612B066FC40C

7756 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\VCRUNTIME140.dll.tmp | executable
  MD5: 8B0EB3D2C6B67D7C42F187A6F1500156
  SHA256: 110B6B922A90BCA0FBCDD2EF62804EBF719F4124B3AF3EDB2F76461DA55ED93C

7464 | 2025-03-24_98fa0ba8637688b8592a0778c672a8c0_amadey_bkransomware_floxif.exe | C:\Program Files\Common Files\System\symsrv.dll | executable
  MD5: 7574CF2C64F35161AB1292E2F532AABF
  SHA256: DE055A89DE246E629A8694BDE18AF2B1605E4B9B493C7E4AEF669DD67ACF5085

7756 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\Telemetry.dll.tmp | executable
  MD5: 9538BBAB5790456F97A6172659D26CA1
  SHA256: D27E10EDE1C33FEBCFEF34EB6CB594C087FE6907224D375A070895F42F07EB4B

7756 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuthLib.dll.tmp | executable
  MD5: D36779962B8DDC32DD4A54D62B9E7FE6
  SHA256: 448A061F04614EE8D0B0DB0E6D3513E44DC354B7C0F03A15567EC2626AB38921

7756 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe.tmp | executable
  MD5: A166B4C2DA81EDD3BC3763A618F57230
  SHA256: 583EDCF613A42CFF074C588225F9E1039ECDD91D268D4AA4307A1858B07F6FD9

7756 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-03-24.1311.7756.1.odl | binary
  MD5: F8124D4259223ACB0C1C17C04DC68EE2
  SHA256: 9D43C7A2BC1E03AFEF39EEEE35AF7371444D9C2610211CB867F2D0C5DDBF3991
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 24
DNS requests: 7
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
7464 | 2025-03-24_98fa0ba8637688b8592a0778c672a8c0_amadey_bkransomware_floxif.exe | GET | 403 | 45.56.79.23:80 | http://www.aieov.com/logo.gif | unknown | - | - | malicious
2104 | svchost.exe | GET | 200 | 2.16.164.9:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
7756 | FileCoAuth.exe | GET | 403 | 45.56.79.23:80 | http://www.aieov.com/logo.gif | unknown | - | - | malicious
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
2104 | svchost.exe | 2.16.164.9:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
7464 | 2025-03-24_98fa0ba8637688b8592a0778c672a8c0_amadey_bkransomware_floxif.exe | 45.56.79.23:80 | www.aieov.com | Linode, LLC | US | malicious
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
7756 | FileCoAuth.exe | 45.56.79.23:80 | www.aieov.com | Linode, LLC | US | malicious
2140 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
8004 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 216.58.206.78 | whitelisted
crl.microsoft.com | 2.16.164.9, 2.16.164.107, 2.16.164.32, 2.16.164.106, 2.16.164.120, 2.16.164.73, 2.16.164.18, 2.16.164.89, 2.16.164.24 | whitelisted
5isohu.com | - | whitelisted
www.aieov.com | 45.56.79.23, 198.58.118.167, 45.33.23.183, 45.33.20.235, 45.79.19.196, 45.33.2.79, 173.255.194.134, 72.14.185.43, 45.33.18.44, 72.14.178.174, 45.33.30.197, 96.126.123.244 | malicious
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted

Threats

PID | Process | Class | Message
7464 | 2025-03-24_98fa0ba8637688b8592a0778c672a8c0_amadey_bkransomware_floxif.exe | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Possible Floxif CnC Communication
7756 | FileCoAuth.exe | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Possible Floxif CnC Communication
No debug info