File name:	2025-03-24_9dbc65f611532a9b23bc4a97d7051d39_bkransomware_floxif
Full analysis:	https://app.any.run/tasks/cb485653-6998-4a35-b173-aba859cee69a
Verdict:	Malicious activity
Threats:	A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. Malware Trends Tracker >>>
Analysis date:	March 24, 2025, 13:19:23
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	floxif backdoor
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	9DBC65F611532A9B23BC4A97D7051D39
SHA1:	86DD859984D03CC950F60C48AB98036E278F21FE
SHA256:	DAF1767EAE7B11A86E79513CC6CD658C8481F3BBF86418D38421AC50D18D84B9
SSDEEP:	98304:iJquOYGsg9aFGF2N05SQ6i0A5vxl9X2aiE57t:NF

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2015:04:09 07:25:45+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	12
CodeSize:	1402368
InitializedDataSize:	563712
UninitializedDataSize:	-
EntryPoint:	0x1263ac
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	35.0.61.54677
ProductVersionNumber:	35.0.61.54677
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
Comments:	USBSetupLauncher.exe
OriginalFileName:	USBSetupLauncher.exe
InternalName:	USBSetupLauncher
CompanyName:	Hewlett-Packard Development Company, LP
LegalCopyright:	Copyright (C) Hewlett-Packard Co. 2014
LegalTrademarks:	-
FileDescription:	USBSetupLauncher.exe
FileVersion:	35.0.61.54677
ProductName:	HP Digital Imaging
ProductVersion:	035.000.061.54677
ProductFamily:	HP Digital Imaging
ProductFileFlags:	1


(PID) Process:	(7688) 2025-03-24_9dbc65f611532a9b23bc4a97d7051d39_bkransomware_floxif.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(7688) 2025-03-24_9dbc65f611532a9b23bc4a97d7051d39_bkransomware_floxif.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(7688) 2025-03-24_9dbc65f611532a9b23bc4a97d7051d39_bkransomware_floxif.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

PID	Process	Filename		Type
7688	2025-03-24_9dbc65f611532a9b23bc4a97d7051d39_bkransomware_floxif.exe	C:\Users\admin\AppData\Local\Temp\conres.dll		executable
		MD5:7574CF2C64F35161AB1292E2F532AABF	SHA256:DE055A89DE246E629A8694BDE18AF2B1605E4B9B493C7E4AEF669DD67ACF5085

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4944	RUXIMICS.exe	GET	200	23.48.23.158:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7688	2025-03-24_9dbc65f611532a9b23bc4a97d7051d39_bkransomware_floxif.exe	GET	—	45.56.79.23:80	http://www.aieov.com/logo.gif	unknown	—	—	malicious
—	—	GET	304	20.109.210.53:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
—	—	GET	200	20.242.39.171:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	unknown	—	—	—
4896	SIHClient.exe	GET	200	23.48.23.177:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
4896	SIHClient.exe	GET	200	2.19.217.218:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
—	—	POST	200	20.190.160.130:443	https://login.live.com/RST2.srf	unknown	—	—	whitelisted
—	—	POST	400	40.126.32.136:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
4896	SIHClient.exe	GET	200	2.19.217.218:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
—	—	POST	400	20.190.160.131:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4944	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2104	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3216	svchost.exe	40.113.110.67:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4944	RUXIMICS.exe	23.48.23.158:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
7688	2025-03-24_9dbc65f611532a9b23bc4a97d7051d39_bkransomware_floxif.exe	45.56.79.23:80	www.aieov.com	Linode, LLC	US	malicious
6544	svchost.exe	20.190.160.132:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.104.136.2	whitelisted
google.com	142.250.184.206	whitelisted
client.wns.windows.com	40.113.110.67	whitelisted
crl.microsoft.com	23.48.23.158 23.48.23.167 23.48.23.159 23.48.23.194 23.48.23.162 23.48.23.177 23.48.23.169 23.48.23.166 23.48.23.143	whitelisted
5isohu.com	—	whitelisted
www.aieov.com	45.56.79.23 198.58.118.167 45.33.23.183 96.126.123.244 45.79.19.196 45.33.2.79 173.255.194.134 72.14.185.43 45.33.18.44 45.33.30.197 72.14.178.174 45.33.20.235	malicious
login.live.com	20.190.160.132 40.126.32.76 40.126.32.74 40.126.32.136 40.126.32.68 20.190.160.65 20.190.160.130 20.190.160.14	whitelisted
arc.msn.com	20.223.35.26	whitelisted
slscr.update.microsoft.com	4.175.87.197	whitelisted
www.microsoft.com	2.19.217.218	whitelisted

General Info

2025-03-24_9dbc65f611532a9b23bc4a97d7051d39_bkransomware_floxif

9DBC65F611532A9B23BC4A97D7051D39

86DD859984D03CC950F60C48AB98036E278F21FE

DAF1767EAE7B11A86E79513CC6CD658C8481F3BBF86418D38421AC50D18D84B9

98304:iJquOYGsg9aFGF2N05SQ6i0A5vxl9X2aiE57t:NF

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

FLOXIF mutex has been found

Connects to the CnC server

SUSPICIOUS

Contacting a server suspected of hosting an CnC

Executable content was dropped or overwritten

Process drops legitimate windows executable

Reads security settings of Internet Explorer

INFO

The sample compiled with english language support

Checks proxy server information

Create files in a temporary directory

Checks supported languages

Failed to create an executable file in Windows directory

Reads the computer name

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings