File name:

2025-06-22_740776df16625b84605ad816da39d58c_cryptolocker_elex

Full analysis: https://app.any.run/tasks/01420208-dc6d-4fa7-b103-d7e7084bd2b1
Verdict: Malicious activity
Analysis date: June 22, 2025, 01:24:30
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5:

740776DF16625B84605AD816DA39D58C

SHA1:

D385ADDE52E23380CDEBFDBDA42B38024A4E9A1B

SHA256:

71810C952B4985250945457F8375E198BA6224A3F5538D1F57F37A45464A60E3

SSDEEP:

1536:4Oz+tMNJCPHj7NmMkRUrP5mnmhIaMnx1PQApI0i:rz+8oXB7hYy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-06-22_740776df16625b84605ad816da39d58c_cryptolocker_elex.exe (PID: 1720)

    • Starts itself from another location

      • 2025-06-22_740776df16625b84605ad816da39d58c_cryptolocker_elex.exe (PID: 1720)

    • Reads security settings of Internet Explorer

      • 2025-06-22_740776df16625b84605ad816da39d58c_cryptolocker_elex.exe (PID: 1720)
      • asih.exe (PID: 768)

    • The process executes via Task Scheduler

      • updater.exe (PID: 2976)

    • Application launched itself

      • updater.exe (PID: 2976)

  • INFO

    • Create files in a temporary directory

      • 2025-06-22_740776df16625b84605ad816da39d58c_cryptolocker_elex.exe (PID: 1720)
      • asih.exe (PID: 768)

    • Process checks computer location settings

      • 2025-06-22_740776df16625b84605ad816da39d58c_cryptolocker_elex.exe (PID: 1720)
      • asih.exe (PID: 768)

    • Checks supported languages

      • asih.exe (PID: 768)
      • 2025-06-22_740776df16625b84605ad816da39d58c_cryptolocker_elex.exe (PID: 1720)
      • updater.exe (PID: 2976)
      • updater.exe (PID: 1096)

    • Checks proxy server information

      • asih.exe (PID: 768)
      • slui.exe (PID: 4012)

    • Reads the computer name

      • asih.exe (PID: 768)
      • 2025-06-22_740776df16625b84605ad816da39d58c_cryptolocker_elex.exe (PID: 1720)
      • updater.exe (PID: 2976)

    • Reads the machine GUID from the registry

      • asih.exe (PID: 768)

    • Reads the software policy settings

      • asih.exe (PID: 768)
      • slui.exe (PID: 4012)

    • UPX packer has been detected

      • asih.exe (PID: 768)

    • Process checks whether UAC notifications are on

      • updater.exe (PID: 2976)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:10:02 12:59:11+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 8
CodeSize: 12288
InitializedDataSize: 12288
UninitializedDataSize: 32768
EntryPoint: 0x1000
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 2.0.1.7
ProductVersionNumber: 2.0.1.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Unknown (0x5)
ObjectFileType: Unknown
FileSubtype: -
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
136
Monitored processes
6
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start 2025-06-22_740776df16625b84605ad816da39d58c_cryptolocker_elex.exe asih.exe slui.exe updater.exe no specs updater.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
768"C:\Users\admin\AppData\Local\Temp\asih.exe" C:\Users\admin\AppData\Local\Temp\asih.exe
2025-06-22_740776df16625b84605ad816da39d58c_cryptolocker_elex.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\asih.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\gdi32.dll
1096"C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=134.0.6985.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x220,0x2a4,0x111c460,0x111c46c,0x111c478C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exeupdater.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
1720"C:\Users\admin\Desktop\2025-06-22_740776df16625b84605ad816da39d58c_cryptolocker_elex.exe" C:\Users\admin\Desktop\2025-06-22_740776df16625b84605ad816da39d58c_cryptolocker_elex.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-06-22_740776df16625b84605ad816da39d58c_cryptolocker_elex.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\gdi32.dll
2200C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2976"C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --systemC:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exesvchost.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
4012C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
7 415
Read events
7 415
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
1096updater.exeC:\Program Files (x86)\Google\GoogleUpdater\updater.logtext
MD5:F5E5B6B2C0899F996E57262048E4A7BC
SHA256:53B00CF3FAFEB39BDCC3FA2AAB3E00625146A8B44383B6DFAF5594FED9B775FF
768asih.exeC:\Users\admin\AppData\Local\Temp\asihed.exehtml
MD5:DEC7D1CFD09356E0ACEAC632BFDC6AA0
SHA256:87EA31CE647AAF4353E5F3A54F8DCF9EB5C6D4C911334D5D5BCAA6A7290485B7
17202025-06-22_740776df16625b84605ad816da39d58c_cryptolocker_elex.exeC:\Users\admin\AppData\Local\Temp\asih.exeexecutable
MD5:42870DB329D6F5ED41A6F54823EB5F16
SHA256:97B6BEACD72277C41A1AF8F7C6AA7D08D722964B41DEEDA510D9242584DEC38B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
24
DNS requests
9
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.36.225.233:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
888
RUXIMICS.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.36.225.233:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
888
RUXIMICS.exe
GET
200
23.36.225.233:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
2940
svchost.exe
GET
200
23.36.225.61:80
http://x1.c.lencr.org/
unknown
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
888
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
888
RUXIMICS.exe
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
23.36.225.233:80
www.microsoft.com
AKAMAI-AS
CH
whitelisted
5944
MoUsoCoreWorker.exe
23.36.225.233:80
www.microsoft.com
AKAMAI-AS
CH
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
google.com
  • 142.250.184.206
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
www.microsoft.com
  • 23.36.225.233
whitelisted
emrlogistics.com
  • 44.213.46.149
malicious
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
x1.c.lencr.org
  • 23.36.225.61
whitelisted
self.events.data.microsoft.com
  • 51.104.15.252
whitelisted

Threats

PID
Process
Class
Message
A Network Trojan was detected
ET MALWARE Downloader (P2P Zeus dropper UA)
Potentially Bad Traffic
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-06-22_740776df16625b84605ad816da39d58c_cryptolocker_elex