File name:

2025-06-21_2d7d4a48ae096f1aa03fd7ec4fbd18da_cryptolocker_elex

Full analysis: https://app.any.run/tasks/60682324-a21b-4c70-b471-c1e7aa701cff
Verdict: Malicious activity
Analysis date: June 21, 2025, 07:36:05
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:

2D7D4A48AE096F1AA03FD7EC4FBD18DA

SHA1:

E1B2A09E7CF85F8EC8CA5058159BF5E301910D7F

SHA256:

9373F0F16FAAB94B6E2FD36F927E5DC8B9DBE7C8C9CE63A7AE3D7893279C0506

SSDEEP:

384:9tRovUFK45TjWVBL2SIn070tox1yWYQOvZK6NMJ1qfsn+:3kG5Tj8/In0AKXixsJo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Starts itself from another location

      • 2025-06-21_2d7d4a48ae096f1aa03fd7ec4fbd18da_cryptolocker_elex.exe (PID: 6620)

    • Creates file in the systems drive root

      • pissa.exe (PID: 2604)

    • Reads security settings of Internet Explorer

      • 2025-06-21_2d7d4a48ae096f1aa03fd7ec4fbd18da_cryptolocker_elex.exe (PID: 6620)
      • pissa.exe (PID: 2604)

    • Executable content was dropped or overwritten

      • 2025-06-21_2d7d4a48ae096f1aa03fd7ec4fbd18da_cryptolocker_elex.exe (PID: 6620)

  • INFO

    • Process checks computer location settings

      • 2025-06-21_2d7d4a48ae096f1aa03fd7ec4fbd18da_cryptolocker_elex.exe (PID: 6620)
      • pissa.exe (PID: 2604)

    • Checks proxy server information

      • pissa.exe (PID: 2604)
      • slui.exe (PID: 2448)

    • Checks supported languages

      • pissa.exe (PID: 2604)
      • 2025-06-21_2d7d4a48ae096f1aa03fd7ec4fbd18da_cryptolocker_elex.exe (PID: 6620)

    • Create files in a temporary directory

      • 2025-06-21_2d7d4a48ae096f1aa03fd7ec4fbd18da_cryptolocker_elex.exe (PID: 6620)
      • pissa.exe (PID: 2604)

    • Reads the machine GUID from the registry

      • pissa.exe (PID: 2604)

    • Reads the computer name

      • pissa.exe (PID: 2604)
      • 2025-06-21_2d7d4a48ae096f1aa03fd7ec4fbd18da_cryptolocker_elex.exe (PID: 6620)

    • Creates files or folders in the user directory

      • pissa.exe (PID: 2604)

    • Reads the software policy settings

      • pissa.exe (PID: 2604)
      • slui.exe (PID: 2448)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (38.3)
.exe | Win32 Executable (generic) (26.3)
.exe | Clipper DOS Executable (11.7)
.exe | Generic Win/DOS Executable (11.6)
.exe | DOS Executable Generic (11.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:02:16 02:43:40+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 16384
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0xa730
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
133
Monitored processes
3
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start 2025-06-21_2d7d4a48ae096f1aa03fd7ec4fbd18da_cryptolocker_elex.exe pissa.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
2448C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
2604"C:\Users\admin\AppData\Local\Temp\pissa.exe" C:\Users\admin\AppData\Local\Temp\pissa.exe
2025-06-21_2d7d4a48ae096f1aa03fd7ec4fbd18da_cryptolocker_elex.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\pissa.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\gdi32.dll
6620"C:\Users\admin\Desktop\2025-06-21_2d7d4a48ae096f1aa03fd7ec4fbd18da_cryptolocker_elex.exe" C:\Users\admin\Desktop\2025-06-21_2d7d4a48ae096f1aa03fd7ec4fbd18da_cryptolocker_elex.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-06-21_2d7d4a48ae096f1aa03fd7ec4fbd18da_cryptolocker_elex.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\gdi32.dll
Total events
7 387
Read events
7 384
Write events
3
Delete events
0

Modification events

(PID) Process:(2604) pissa.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(2604) pissa.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2604) pissa.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
Executable files
1
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
2604pissa.exeC:\Users\admin\AppData\Local\Temp\pissec.exehtml
MD5:E89F75F918DBDCEE28604D4E09DD71D7
SHA256:6DC9C7FC93BB488BB0520A6C780A8D3C0FB5486A4711ACA49B4C53FAC7393023
66202025-06-21_2d7d4a48ae096f1aa03fd7ec4fbd18da_cryptolocker_elex.exeC:\Users\admin\AppData\Local\Temp\pissa.exeexecutable
MD5:78A0917DAFD165506C808D899BB9EC1D
SHA256:1DC1C7FB2C078DD6F823BF901DB31717173B081D8B2BDB7ABD21B7252FE31ED7
2604pissa.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\rch[1].htmhtml
MD5:E89F75F918DBDCEE28604D4E09DD71D7
SHA256:6DC9C7FC93BB488BB0520A6C780A8D3C0FB5486A4711ACA49B4C53FAC7393023
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
23
DNS requests
8
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
856
RUXIMICS.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
76.223.54.146:443
https://el-padrino.com/elpatio/rch.exe
unknown
html
114 b
POST
500
20.83.72.98:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
20.83.72.98:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
2940
svchost.exe
GET
200
72.246.169.163:80
http://x1.c.lencr.org/
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5944
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
856
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
2.19.11.120:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
5944
MoUsoCoreWorker.exe
2.19.11.120:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
1268
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
856
RUXIMICS.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
5944
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.181.238
whitelisted
crl.microsoft.com
  • 2.19.11.120
  • 2.19.11.105
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
el-padrino.com
  • 13.248.169.48
  • 76.223.54.146
malicious
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
x1.c.lencr.org
  • 72.246.169.163
whitelisted
self.events.data.microsoft.com
  • 20.189.173.15
whitelisted

Threats

PID
Process
Class
Message
A Network Trojan was detected
ET MALWARE Downloader (P2P Zeus dropper UA)
Potentially Bad Traffic
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-06-21_2d7d4a48ae096f1aa03fd7ec4fbd18da_cryptolocker_elex