File name:

2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader

Full analysis: https://app.any.run/tasks/aef85732-42d4-42fb-8e0f-e134c3e41224
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Analysis date: March 24, 2025, 16:18:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
floxif
backdoor
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: AD155489D0EF2AC209792E191032516D
SHA1: CE3FD5AFF5285259D23E980AD0AF0D1694608058
SHA256: FE3DDF81ABD6423E3B1F83CD7417583AB76641F5CAF95700C6F7475ADF7E499B
SSDEEP: 98304:hbkPPn1AOkGBGQXKMfe6rykL2WarMCcX0x/5OxqXIL/q0e3pO9BP+XuM5z:3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe (PID: 2472)
      • 2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe (PID: 972)
    • FLOXIF mutex has been found

      • 2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe (PID: 2472)
      • 2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe (PID: 972)
    • Changes the AppInit_DLLs value (autorun option)

      • 2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe (PID: 972)
    • Connects to the CnC server

      • WINWORD.EXE (PID: 3096)
      • OSPPSVC.EXE (PID: 2748)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe (PID: 2472)
      • 2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe (PID: 972)
    • Process drops legitimate windows executable

      • 2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe (PID: 2472)
      • 2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe (PID: 972)
    • Reads security settings of Internet Explorer

      • OSPPSVC.EXE (PID: 2748)
    • Contacting a server suspected of hosting an CnC

      • OSPPSVC.EXE (PID: 2748)
      • WINWORD.EXE (PID: 3096)
    • Reads the Internet Settings

      • OSPPSVC.EXE (PID: 2748)
  • INFO

    • The sample compiled with english language support

      • 2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe (PID: 2472)
      • 2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe (PID: 972)
    • Failed to create an executable file in Windows directory

      • 2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe (PID: 2472)
    • Reads the machine GUID from the registry

      • 2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe (PID: 2472)
      • 2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe (PID: 972)
      • OSPPSVC.EXE (PID: 2748)
    • Checks supported languages

      • 2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe (PID: 2472)
      • OSPPSVC.EXE (PID: 2748)
      • 2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe (PID: 972)
    • Reads the computer name

      • 2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe (PID: 2472)
      • 2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe (PID: 972)
      • OSPPSVC.EXE (PID: 2748)
    • Manual execution by a user

      • WINWORD.EXE (PID: 3096)
      • 2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe (PID: 972)
      • notepad.exe (PID: 2904)
      • notepad.exe (PID: 1196)
    • Creates files in the program directory

      • 2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe (PID: 972)
    • Create files in a temporary directory

      • 2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe (PID: 2472)
      • 2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe (PID: 972)
    • UPX packer has been detected

      • notepad.exe (PID: 2904)
      • WINWORD.EXE (PID: 3096)
      • OSPPSVC.EXE (PID: 2748)
    • Checks proxy server information

      • OSPPSVC.EXE (PID: 2748)
    • Reads Microsoft Office registry keys

      • OSPPSVC.EXE (PID: 2748)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (3.6)
.exe | Generic Win/DOS Executable (1.6)
.exe | DOS Executable Generic (1.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:01:12 17:14:20+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 2634752
InitializedDataSize: 1180672
UninitializedDataSize: -
EntryPoint: 0x235412
OSVersion: 5.1
ImageVersion: 13
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 13.0.0.656
ProductVersionNumber: 13.0.0.656
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
Builton: Fri 01/12/2024 12:14:19.08
Builtas: UNICODE
CompanyName: Corel Corporation
FileDescription: Corel Update Helper x32
FileVersion: 13.0.0.656
InternalName: Corel Update Helper
LegalCopyright: Copyright(c) 2021 Corel Corporation
LegalTrademarks: Copyright(c) 2021 Corel Corporation
OriginalFileName: CUH.exe
ProductName: Corel Common Framework
ProductVersion: 13.0.0.656
LanguageBuildID: -
No data.
Total processes: 48
Monitored processes: 7
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Processes shown in the graph: start; 2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe (#FLOXIF); 2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe (#FLOXIF); winword.exe; osppsvc.exe; notepad.exe (no specs); notepad.exe (no specs); svchost.exe

Process information

PID: 972
CMD: "C:\Users\admin\Desktop\2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe"
Path: C:\Users\admin\Desktop\2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe
Parent process: explorer.exe
User: admin
Company: Corel Corporation
Integrity Level: HIGH
Description: Corel Update Helper x32
Exit code: 0
Version: 13.0.0.656
Modules
Images
c:\users\admin\desktop\2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll

PID: 1080
CMD: C:\Windows\system32\svchost.exe -k NetworkService
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 1196
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader_PCULog1.txt
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 2472
CMD: "C:\Users\admin\Desktop\2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe"
Path: C:\Users\admin\Desktop\2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe
Parent process: explorer.exe
User: admin
Company: Corel Corporation
Integrity Level: MEDIUM
Description: Corel Update Helper x32
Exit code: 0
Version: 13.0.0.656
Modules
Images
c:\users\admin\desktop\2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll

PID: 2748
CMD: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
Path: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Office Software Protection Platform Service
Version: 14.0.0370.400 (longhorn(wmbla).090811-1833)
Modules
Images
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 2904
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader_PCULog0.txt
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 3096
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Documents\khosting.rtf"
Path: C:\Program Files\microsoft office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
Total events: 5 709
Read events: 5 095
Write events: 277
Delete events: 337

Modification events

PID: 2472
Process: 2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe
Key: HKEY_CURRENT_USER\Software\Corel\CUH\2.0
Operation: write
Name: TaskId
Value: CorelUpdateHelperTask-E78398FBFEA5DDF15050EE6D7780661C

PID: 2472
Process: 2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe
Key: HKEY_CURRENT_USER\Software\Corel\PCU
Operation: write
Name: cardnumber
Value: 7

PID: 2472
Process: 2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe
Key: HKEY_CURRENT_USER\Software\Corel\PCU
Operation: write
Name: 7
Value: 44E672B935EE

PID: 2472
Process: 2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe
Key: HKEY_CURRENT_USER\Software\Corel\PCU
Operation: write
Name: HFNCv2
Value: 44E672B935EE

PID: 2472
Process: 2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe
Key: HKEY_CURRENT_USER\Software\Corel\PCU
Operation: write
Name: networkcard
Value: 44E672B935EE

PID: 1080
Process: svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet
Operation: write
Name: {4040CF00-1B3E-486A-B407-FA14C56B6FC0}
Value: D4DA6D3F8867

PID: 2472
Process: 2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe
Key: HKEY_CURRENT_USER\Software\Corel\PCU
Operation: write
Name: model
Value: DELL|DELL

PID: 2472
Process: 2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe
Key: HKEY_CURRENT_USER\Software\Corel\PCU
Operation: write
Name: bios
Value: DELL

PID: 2472
Process: 2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe
Key: HKEY_CURRENT_USER\Software\Corel\PCU
Operation: write
Name: HFIv2
Value: V213C1B8CD6B5FF8D15B4CDD2B209FEE2D

PID: 972
Process: 2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Operation: write
Name: AppInit_DLLs
Value: C:\PROGRA~1\COMMON~1\System\symsrv.dll

Executable files: 3
Suspicious files: 7
Text files: 2
Unknown types: 0

Dropped files

PID: 3096
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVR9083.tmp.cvr
Type: -
MD5:
SHA256:

PID: 972
Process: 2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe
Filename: C:\Users\admin\AppData\Local\Temp\2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader_PCULog1.txt
Type: text
MD5:A0DD14F0615947F653B48DAB0AEADB11
SHA256:4748EB96885437E78346E1B8474BEAE990B954C894589BC5C5A2B551ED072079

PID: 3096
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: binary
MD5:39DE07EA0A7C40A3341E5611E2BB16EF
SHA256:818CC304A981253FBC5B4DFF989392004AEE5F21D164577B9D107B8E1E26901D

PID: 3096
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\khosting.rtf.LNK
Type: binary
MD5:1C67A1BD624EE94B7C55E46E4D2C2C9C
SHA256:19E515192778D3C690C64A74988B2D941E9A5DA4960EC5143B5A534CFF7D2585

PID: 2472
Process: 2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe
Filename: C:\Users\admin\AppData\Local\Temp\conres.dll
Type: executable
MD5:7574CF2C64F35161AB1292E2F532AABF
SHA256:DE055A89DE246E629A8694BDE18AF2B1605E4B9B493C7E4AEF669DD67ACF5085

PID: 2748
Process: OSPPSVC.EXE
Filename: C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\Cache\cache.dat
Type: binary
MD5:83BE0615BC9DC6CB1B91FDACFB582910
SHA256:8A34550AFE82431AA0544288F81D01750EFCD0135E7FD57FFCBC635E18F2B168

PID: 3096
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{C9532ABF-F4C5-46A1-B568-8686C89981A2}.tmp
Type: binary
MD5:F5B0D612B81DBE659460ACF6BF974A31
SHA256:09477040D199F062CB9A8E6AC315D6509E992827CDBE26744FF0DF0CB1752B3A

PID: 3096
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9D4EB6A8-2B95-4A09-A987-C2C4C608428E}.tmp
Type: binary
MD5:5D4D94EE7E06BBB0AF9584119797B23A
SHA256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1

PID: 2472
Process: 2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe
Filename: C:\Users\admin\AppData\Local\Temp\2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader_PCULog0.txt
Type: text
MD5:11C551C4A5211055A931E47FFC3D380A
SHA256:285B81AD4F163AD43166423C4946B177C94654D816EF35BA5B61B40F3FF0BEDA

PID: 972
Process: 2025-03-24_ad155489d0ef2ac209792e191032516d_amadey_bkransomware_floxif_hijackloader.exe
Filename: C:\Program Files\Common Files\System\symsrv.dll
Type: executable
MD5:7574CF2C64F35161AB1292E2F532AABF
SHA256:DE055A89DE246E629A8694BDE18AF2B1605E4B9B493C7E4AEF669DD67ACF5085
HTTP(S) requests: 8
TCP/UDP connections: 14
DNS requests: 3
Threats: 8

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3096 | WINWORD.EXE | GET | 403 | 45.33.18.44:80 | http://www.aieov.com/logo.gif | unknown | - | - | malicious
2748 | OSPPSVC.EXE | GET | 403 | 45.33.18.44:80 | http://www.aieov.com/logo.gif | unknown | - | - | malicious
3096 | WINWORD.EXE | GET | 403 | 45.33.18.44:80 | http://www.aieov.com/logo.gif | unknown | - | - | malicious
2748 | OSPPSVC.EXE | GET | 403 | 45.33.18.44:80 | http://www.aieov.com/logo.gif | unknown | - | - | malicious
2748 | OSPPSVC.EXE | GET | 403 | 45.33.18.44:80 | http://www.aieov.com/logo.gif | unknown | - | - | malicious
2748 | OSPPSVC.EXE | GET | 403 | 45.33.18.44:80 | http://www.aieov.com/logo.gif | unknown | - | - | malicious
2748 | OSPPSVC.EXE | GET | 403 | 45.33.18.44:80 | http://www.aieov.com/logo.gif | unknown | - | - | malicious
2748 | OSPPSVC.EXE | GET | 403 | 45.33.18.44:80 | http://www.aieov.com/logo.gif | unknown | - | - | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 224.0.0.252:5355 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3096 | WINWORD.EXE | 45.33.18.44:80 | www.aieov.com | Linode, LLC | US | malicious
2748 | OSPPSVC.EXE | 45.33.18.44:80 | www.aieov.com | Linode, LLC | US | malicious

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.78
whitelisted
5isohu.com
whitelisted
www.aieov.com
malicious

Threats

PID | Process | Class | Message
3096 | WINWORD.EXE | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Possible Floxif CnC Communication
3096 | WINWORD.EXE | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Possible Floxif CnC Communication
3096 | WINWORD.EXE | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Possible Floxif CnC Communication
2748 | OSPPSVC.EXE | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Possible Floxif CnC Communication
2748 | OSPPSVC.EXE | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Possible Floxif CnC Communication
2748 | OSPPSVC.EXE | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Possible Floxif CnC Communication
2748 | OSPPSVC.EXE | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Possible Floxif CnC Communication
2748 | OSPPSVC.EXE | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Possible Floxif CnC Communication
No debug info