File name:	2025-06-21_fc803dc09fbb7648d42f78d84786a417_cryptolocker_elex
Full analysis:	https://app.any.run/tasks/2c40551a-4b4b-476b-8e18-3d7d89d4b0cd
Verdict:	Malicious activity
Analysis date:	June 21, 2025, 06:42:21
OS:	Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:	FC803DC09FBB7648D42F78D84786A417
SHA1:	E54D69951FB3D6A30886AF8092907B2001B9F39A
SHA256:	182DDEACABE58EFB6782509FF5BB0A060318D80A23EC7CF62277F10DB964FF37
SSDEEP:	768:usm+tMuGJCPTptcGj7RZNmGQcKXjx9mYYD4zeb:uz+tMNJCPHj7NmDxHYLb

.exe	\|	Win32 Executable (generic) (42.6)
.exe	\|	Clipper DOS Executable (19.1)
.exe	\|	Generic Win/DOS Executable (18.9)
.exe	\|	DOS Executable Generic (18.9)
.vxd	\|	VXD Driver (0.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2013:10:02 12:59:11+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	8
CodeSize:	11776
InitializedDataSize:	12288
UninitializedDataSize:	32768
EntryPoint:	0x1000
OSVersion:	5
ImageVersion:	-
SubsystemVersion:	5
Subsystem:	Windows GUI

PID	Process	Filename		Type
6612	asih.exe	C:\Users\admin\AppData\Local\Temp\asihed.exe		html
		MD5:DEC7D1CFD09356E0ACEAC632BFDC6AA0	SHA256:87EA31CE647AAF4353E5F3A54F8DCF9EB5C6D4C911334D5D5BCAA6A7290485B7
2952	2025-06-21_fc803dc09fbb7648d42f78d84786a417_cryptolocker_elex.exe	C:\Users\admin\AppData\Local\Temp\asih.exe		executable
		MD5:F779A0A38314C2B0619CA747EE955E2B	SHA256:6B3C7852AE60319B1D2001BB09A9939030877FEB163508D1F9F2A95A39146FAC

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1268	svchost.exe	GET	200	23.55.104.172:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	23.55.104.172:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4808	RUXIMICS.exe	GET	200	23.55.104.172:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4808	RUXIMICS.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2940	svchost.exe	GET	200	69.192.161.44:80	http://x1.c.lencr.org/	unknown	—	—	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1268	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4808	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	23.55.104.172:80	crl.microsoft.com	Akamai International B.V.	US	whitelisted
1268	svchost.exe	23.55.104.172:80	crl.microsoft.com	Akamai International B.V.	US	whitelisted
4808	RUXIMICS.exe	23.55.104.172:80	crl.microsoft.com	Akamai International B.V.	US	whitelisted
5944	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
1268	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 20.73.194.208	whitelisted
google.com	142.250.185.238	whitelisted
crl.microsoft.com	23.55.104.172 23.55.104.190	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
emrlogistics.com	44.213.46.149	malicious
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
x1.c.lencr.org	69.192.161.44	whitelisted
self.events.data.microsoft.com	13.89.179.10	whitelisted

PID	Process	Class	Message
—	—	A Network Trojan was detected	ET MALWARE Downloader (P2P Zeus dropper UA)
—	—	Potentially Bad Traffic	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

General Info

2025-06-21_fc803dc09fbb7648d42f78d84786a417_cryptolocker_elex

FC803DC09FBB7648D42F78D84786A417

E54D69951FB3D6A30886AF8092907B2001B9F39A

182DDEACABE58EFB6782509FF5BB0A060318D80A23EC7CF62277F10DB964FF37

768:usm+tMuGJCPTptcGj7RZNmGQcKXjx9mYYD4zeb:uz+tMNJCPHj7NmDxHYLb

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Starts itself from another location

INFO

Checks supported languages

Reads the computer name

Create files in a temporary directory

Process checks computer location settings

Reads the machine GUID from the registry

Reads the software policy settings

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings