File name:

2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader

Full analysis: https://app.any.run/tasks/81e4b7c3-df2e-4c2b-8328-e03473b3e028
Verdict: Malicious activity
Analysis date: November 19, 2024, 12:57:12
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
floxif
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:

F7ECAB8E4E4D31561A85FAE83426A508

SHA1:

5ED0ADF3BD13234AEB6B73E8C458E75B6C6B8E01

SHA256:

848A30813AF6B5EE7B8C4613CD305DF89A0B1D539C199FE49AFD322F8D3F9BA1

SSDEEP:

98304:3Sl96U4Eu0Yjr49Hh856GoM6/aRFkoa/4laupLGOUfRA9NnuA044CVxQD+dsZ82X:mobMJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe (PID: 5684)

    • FLOXIF has been detected (SURICATA)

      • 2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe (PID: 5684)

    • Connects to the CnC server

      • 2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe (PID: 5684)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • 2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe (PID: 5684)

    • Reads security settings of Internet Explorer

      • 2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe (PID: 5684)

    • Starts application with an unusual extension

      • 2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe (PID: 5684)

    • Contacting a server suspected of hosting an CnC

      • 2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe (PID: 5684)

    • Executable content was dropped or overwritten

      • 2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe (PID: 5684)

  • INFO

    • Reads the computer name

      • 2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe (PID: 5684)

    • Checks supported languages

      • 2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe (PID: 5684)

    • Create files in a temporary directory

      • 2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe (PID: 5684)

    • Checks proxy server information

      • 2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe (PID: 5684)

    • Application launched itself

      • msedge.exe (PID: 5308)

    • UPX packer has been detected

      • 2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe (PID: 5684)

    • Executable content was dropped or overwritten

      • msedge.exe (PID: 1808)
      • msedge.exe (PID: 5308)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:02:19 01:31:56+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 7898112
InitializedDataSize: 7235584
UninitializedDataSize: -
EntryPoint: 0x63d028
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 2.3.94.5364
ProductVersionNumber: 2.3.94.5364
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Korean
CharacterSet: Unicode
Comments: -
CompanyName: GOM & Company
FileDescription: GOM Player
FileVersion: 2, 3, 94, 5364
InternalName: GOM
LegalCopyright: Copyright 2003 GOM & Company All Rights Reserved.
LegalTrademarks: -
OriginalFileName: GOM.EXE
PrivateBuild: -
ProductName: GOM Player
ProductVersion: 2, 3, 94, 5364
SpecialBuild: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
165
Monitored processes
49
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #FLOXIF 2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe toast.gom msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
188"C:\Users\admin\AppData\Local\Temp\GOM\Toast.gom" /url=https://mini.gomlab.com/player/html/toast/toast_GLOBAL_N.html /x=65535 /y=65535 /w=300 /h=295 /type=4 /kill=20000 /lastshowtimekey=gom_lst /blockdatekey=gom_bd /newwindowtype=defaultbrowserC:\Users\admin\AppData\Local\Temp\GOM\Toast.gom
2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe
User:
admin
Company:
GOM & Company
Integrity Level:
MEDIUM
Description:
Toast Popup
Exit code:
0
Version:
1.0.0.5
Modules
Images
c:\users\admin\appdata\local\temp\gom\toast.gom
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
908"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7160 --field-trial-handle=2228,i,7174543495705852492,9542176708251191915,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
3221226029
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll
1252"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4640 --field-trial-handle=2228,i,7174543495705852492,9542176708251191915,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
1808"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2588 --field-trial-handle=2228,i,7174543495705852492,9542176708251191915,262144 --variations-seed-version /prefetch:3C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
2380"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4248 --field-trial-handle=2228,i,7174543495705852492,9542176708251191915,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
3008"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=8068 --field-trial-handle=2228,i,7174543495705852492,9542176708251191915,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
3428"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5632 --field-trial-handle=2228,i,7174543495705852492,9542176708251191915,262144 --variations-seed-version /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3508"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6528 --field-trial-handle=2228,i,7174543495705852492,9542176708251191915,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
3876"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7864 --field-trial-handle=2228,i,7174543495705852492,9542176708251191915,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
3908"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4172 --field-trial-handle=2228,i,7174543495705852492,9542176708251191915,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
Total events
13 627
Read events
12 686
Write events
880
Delete events
61

Modification events

(PID) Process:(5684) 2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(5684) 2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(5684) 2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(5684) 2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exeKey:HKEY_CURRENT_USER\SOFTWARE\GRETECH\GOMPLAYER\OPTION
Operation:writeName:smver
Value:
3
(PID) Process:(5684) 2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exeKey:HKEY_CURRENT_USER\SOFTWARE\GRETECH\GOMPLAYER\OPTION
Operation:writeName:mode
Value:
3
(PID) Process:(188) Toast.gomKey:HKEY_CURRENT_USER\SOFTWARE\GOM\GOMToast
Operation:writeName:gom_lst
Value:
20241119125732
(PID) Process:(188) Toast.gomKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(188) Toast.gomKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(188) Toast.gomKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(5684) 2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exeKey:HKEY_CURRENT_USER\SOFTWARE\GRETECH\GOMPLAYER
Operation:writeName:EndingBrowser
Value:
Executable files
16
Suspicious files
335
Text files
104
Unknown types
4

Dropped files

PID
Process
Filename
Type
56842024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEBder
MD5:4302AC33571A665623F83CAA83E9D7B7
SHA256:85D864FDF43320E3535AD37F3D946A3BD648DF66622CBBCB079B976ABFA7FF41
56842024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exeC:\Users\admin\AppData\Local\Temp\conres.dllexecutable
MD5:7574CF2C64F35161AB1292E2F532AABF
SHA256:DE055A89DE246E629A8694BDE18AF2B1605E4B9B493C7E4AEF669DD67ACF5085
56842024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141der
MD5:C5325AF001C52ACA934EADBEA6E052BF
SHA256:9040F3F40AA15886F4EF60141B67E96542AC690A8FD9C9B4D52BDB0CF1B4C773
56842024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_CBECBD5B884BB75B183807EECD99D9ADbinary
MD5:3B80AE3D155C6E0A96B6CE519A300950
SHA256:AC0FC11C5F8A5EC0F853396588BEC95A7C243E92177B64512D33B6795D650AFA
56842024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_CBECBD5B884BB75B183807EECD99D9ADder
MD5:B7F65F22CF7D3ED1DBAE4BD716FD4E3D
SHA256:68042BE0E05FD5C0DEE4D8C0D51F319E2AA7D1F86A289386036A775F7D0B7884
56842024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_7AA1872B10F7F2428A1288E96F0B99FAbinary
MD5:9C129F83801107272CB4467C69CA29D4
SHA256:A760003FA53C17E8590CF87BE92246A3ABEAC1712F47C2D619E895FA2DA5A100
56842024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEBbinary
MD5:06A8EB39B71A5ECFBED1D86C4F682F5B
SHA256:EE945128FFDFB9304EED6DB3179C81819E041108DBDFAF963480AAD7C008C1DA
5308msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RFef9ad.TMP
MD5:
SHA256:
5308msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
56842024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exeC:\Users\admin\AppData\Local\Temp\GOM\Toast.gomexecutable
MD5:F48B1328A74530655364BCE7E5BEC3B2
SHA256:0880FC634A160F70F65C60C24592F5D87299A3E9F935E60E4D92B6994B99B24F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
118
TCP/UDP connections
160
DNS requests
158
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5684
2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe
GET
403
45.33.2.79:80
http://www.aieov.com/logo.gif
unknown
malicious
4932
svchost.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5024
RUXIMICS.exe
GET
200
23.48.23.173:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4932
svchost.exe
GET
200
23.48.23.173:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.173:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5024
RUXIMICS.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5684
2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
unknown
whitelisted
5684
2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
unknown
whitelisted
5684
2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe
GET
404
54.196.85.38:80
http://log.gomlab.com/player/playing?usmid=GOMPLAYER_READ_FAIL&build=&appver=2.3.94.5364&bit=32bit&os=windows1064bit&lang=eng&skin=users&launching=producticon&browser=msedge&settingmode=3&vrsetting=8
unknown
unknown
5684
2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe
GET
403
45.33.2.79:80
http://www.aieov.com/logo.gif
unknown
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5024
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4932
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.173:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4932
svchost.exe
23.48.23.173:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5024
RUXIMICS.exe
23.48.23.173:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4932
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5684
2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader.exe
45.33.2.79:80
www.aieov.com
Linode, LLC
US
malicious

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 142.250.184.238
whitelisted
crl.microsoft.com
  • 23.48.23.173
  • 23.48.23.166
  • 23.48.23.180
  • 23.48.23.143
  • 23.48.23.145
  • 23.48.23.164
  • 23.48.23.159
  • 23.48.23.194
  • 23.48.23.169
whitelisted
5isohu.com
whitelisted
www.aieov.com
  • 45.33.2.79
  • 72.14.178.174
  • 45.56.79.23
  • 96.126.123.244
  • 45.79.19.196
  • 45.33.20.235
  • 173.255.194.134
  • 45.33.23.183
  • 45.33.30.197
  • 72.14.185.43
  • 45.33.18.44
  • 198.58.118.167
malicious
www.microsoft.com
  • 23.52.120.96
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
playinfo.gomlab.com
  • 18.66.112.8
  • 18.66.112.40
  • 18.66.112.55
  • 18.66.112.86
whitelisted
log.gomlab.com
  • 54.196.85.38
  • 44.199.112.97
unknown
mini.gomlab.com
  • 18.172.112.62
  • 18.172.112.86
  • 18.172.112.77
  • 18.172.112.13
unknown

Threats

Found threats are available for the paid subscriptions
4 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2024-11-19_f7ecab8e4e4d31561a85fae83426a508_bkransomware_floxif_hijackloader