File name:	2025-08-01_3c64ed5ee12df0077007b20e21e0f457_cryptolocker_elex.exe
Full analysis:	https://app.any.run/tasks/240ef093-433a-4d40-9c03-f9be148b2cc1
Verdict:	Malicious activity
Threats:	Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Malware Trends Tracker >>>
Analysis date:	August 01, 2025, 05:24:38
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	ransomware cryptolocker
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5:	3C64ED5EE12DF0077007B20E21E0F457
SHA1:	8B6C845617A96E82EEE4FBC1DCF6C5B0CE8D4143
SHA256:	059978F792332316EF46E61ECFE156F9F2960382DC963C699AECA9189B0AD118
SSDEEP:	768:jOsm+tMuGJCPTptcGj7RZNmXz09VSl7HKXjpYYYD4UM3L0KN9jvLViZnHcj1fusp:jOz+tMNJCPHj7Nm4al2JY+ZzOMC7e

.exe	\|	Win32 Executable MS Visual C++ (generic) (30.9)
.exe	\|	Win64 Executable (generic) (27.3)
.exe	\|	UPX compressed Win32 Executable (26.8)
.dll	\|	Win32 Dynamic Link Library (generic) (6.5)
.exe	\|	Win32 Executable (generic) (4.4)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2013:10:02 12:59:11+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType:	PE32
LinkerVersion:	8
CodeSize:	12288
InitializedDataSize:	12288
UninitializedDataSize:	32768
EntryPoint:	0x1000
OSVersion:	5
ImageVersion:	-
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	2.0.1.7
ProductVersionNumber:	2.0.1.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Unknown (0x5)
ObjectFileType:	Unknown
FileSubtype:	-


(PID) Process:	(2804) 2025-08-01_3c64ed5ee12df0077007b20e21e0f457_cryptolocker_elex.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2804) 2025-08-01_3c64ed5ee12df0077007b20e21e0f457_cryptolocker_elex.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2804) 2025-08-01_3c64ed5ee12df0077007b20e21e0f457_cryptolocker_elex.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2804) 2025-08-01_3c64ed5ee12df0077007b20e21e0f457_cryptolocker_elex.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0

PID	Process	Filename		Type
6292	updater.exe	C:\Program Files (x86)\Google\GoogleUpdater\updater.log		text
		MD5:5CBFD96CD3626D1CDFA51CA0AF603A38	SHA256:0B7924D41635FB897D9941C285619206670E734E1AA32B9FA6D8FB91CAE078FB
2804	2025-08-01_3c64ed5ee12df0077007b20e21e0f457_cryptolocker_elex.exe	C:\Users\admin\AppData\Local\Temp\asih.exe		executable
		MD5:2ACEF63752520401AD274419399E5E63	SHA256:83242535EF61466341EFB476F6D42DED55F37A96738780FA2A717C557F63DB69
1508	asih.exe	C:\Users\admin\AppData\Local\Temp\asihed.exe		html
		MD5:DEC7D1CFD09356E0ACEAC632BFDC6AA0	SHA256:87EA31CE647AAF4353E5F3A54F8DCF9EB5C6D4C911334D5D5BCAA6A7290485B7

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1268	svchost.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	—	104.26.6.37:443	https://emrlogistics.com/fr/to2.exe	unknown	—	—	—
—	—	POST	400	20.190.160.131:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
—	—	POST	400	40.126.32.140:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
5468	RUXIMICS.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	POST	400	20.190.160.66:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	200	20.190.160.66:443	https://login.live.com/RST2.srf	unknown	xml	1.24 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
1268	svchost.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
5468	RUXIMICS.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
1268	svchost.exe	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5468	RUXIMICS.exe	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5944	MoUsoCoreWorker.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
google.com	142.250.74.206	whitelisted
crl.microsoft.com	23.48.23.156 23.48.23.143	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
settings-win.data.microsoft.com	51.124.78.146 51.104.136.2	whitelisted
emrlogistics.com	13.216.111.180	malicious
login.live.com	20.190.160.22 40.126.32.140 20.190.160.66 40.126.32.136 20.190.160.65 40.126.32.134 20.190.160.132 20.190.160.131	whitelisted
slscr.update.microsoft.com	74.178.76.128	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted
self.events.data.microsoft.com	52.168.117.175	whitelisted
activation-v2.sls.microsoft.com	20.165.238.210	whitelisted

PID	Process	Class	Message
2200	svchost.exe	A Network Trojan was detected	MALWARE [ANY.RUN] Suspected Domain related to Win32/Cryptolocker (emrlogistics .com)
—	—	A Network Trojan was detected	ET MALWARE Downloader (P2P Zeus dropper UA)
—	—	Potentially Bad Traffic	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

General Info

2025-08-01_3c64ed5ee12df0077007b20e21e0f457_cryptolocker_elex.exe

3C64ED5EE12DF0077007B20E21E0F457

8B6C845617A96E82EEE4FBC1DCF6C5B0CE8D4143

059978F792332316EF46E61ECFE156F9F2960382DC963C699AECA9189B0AD118

768:jOsm+tMuGJCPTptcGj7RZNmXz09VSl7HKXjpYYYD4UM3L0KN9jvLViZnHcj1fusp:jOz+tMNJCPHj7Nm4al2JY+ZzOMC7e

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

CRYPTOLOCKER has been detected (SURICATA)

SUSPICIOUS

Executable content was dropped or overwritten

Reads the date of Windows installation

Reads security settings of Internet Explorer

Starts itself from another location

Application launched itself

The process executes via Task Scheduler

INFO

Create files in a temporary directory

Reads the computer name

Process checks computer location settings

Checks supported languages

Checks proxy server information

Reads the machine GUID from the registry

Reads the software policy settings

Process checks whether UAC notifications are on

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings