File name:

2025-08-01_cc53efbd10590dbac70664d8ee8aa53a_cryptolocker_elex.exe

Full analysis: https://app.any.run/tasks/d52430b0-4e49-4785-b59e-9fb9620d6505
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: August 01, 2025, 05:24:39
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
ransomware
cryptolocker
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:

CC53EFBD10590DBAC70664D8EE8AA53A

SHA1:

20A958FC50BA05ED2B6829A2FEBE0E26408C0D8A

SHA256:

90DE034D422E27E2171A16B8FD255C097DA74903C13AC767BE4C32CB8F87F6C6

SSDEEP:

768:HNqN8jWUNQH3HlJTKZKCwOl8QSbQ20RPrEFjtWcO+wMVm+slAMvcW39ZltLdwLph:tq6WUOXF55QS2utF0+B2fHwLph

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • CRYPTOLOCKER has been detected (SURICATA)

      • svchost.exe (PID: 2200)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-08-01_cc53efbd10590dbac70664d8ee8aa53a_cryptolocker_elex.exe (PID: 4684)

    • Starts itself from another location

      • 2025-08-01_cc53efbd10590dbac70664d8ee8aa53a_cryptolocker_elex.exe (PID: 4684)

    • Reads security settings of Internet Explorer

      • 2025-08-01_cc53efbd10590dbac70664d8ee8aa53a_cryptolocker_elex.exe (PID: 4684)
      • rewok.exe (PID: 3948)

    • Application launched itself

      • updater.exe (PID: 2168)

    • The process executes via Task Scheduler

      • updater.exe (PID: 2168)

  • INFO

    • Process checks computer location settings

      • 2025-08-01_cc53efbd10590dbac70664d8ee8aa53a_cryptolocker_elex.exe (PID: 4684)
      • rewok.exe (PID: 3948)

    • Reads the computer name

      • rewok.exe (PID: 3948)
      • 2025-08-01_cc53efbd10590dbac70664d8ee8aa53a_cryptolocker_elex.exe (PID: 4684)
      • updater.exe (PID: 2168)

    • Checks supported languages

      • rewok.exe (PID: 3948)
      • 2025-08-01_cc53efbd10590dbac70664d8ee8aa53a_cryptolocker_elex.exe (PID: 4684)
      • updater.exe (PID: 2168)
      • updater.exe (PID: 2120)

    • Create files in a temporary directory

      • 2025-08-01_cc53efbd10590dbac70664d8ee8aa53a_cryptolocker_elex.exe (PID: 4684)
      • rewok.exe (PID: 3948)

    • Checks proxy server information

      • rewok.exe (PID: 3948)
      • slui.exe (PID: 5288)

    • Reads the machine GUID from the registry

      • rewok.exe (PID: 3948)

    • Reads the software policy settings

      • rewok.exe (PID: 3948)
      • slui.exe (PID: 5288)

    • Process checks whether UAC notifications are on

      • updater.exe (PID: 2168)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:05:13 14:40:43+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 11264
InitializedDataSize: 14336
UninitializedDataSize: -
EntryPoint: 0x127c
OSVersion: 5
ImageVersion: 1
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 2.0.1.7
ProductVersionNumber: 2.0.1.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Unknown (0x5)
ObjectFileType: Unknown
FileSubtype: -
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
138
Monitored processes
6
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start 2025-08-01_cc53efbd10590dbac70664d8ee8aa53a_cryptolocker_elex.exe rewok.exe #CRYPTOLOCKER svchost.exe slui.exe updater.exe no specs updater.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2120"C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=134.0.6985.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x111c460,0x111c46c,0x111c478C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exeupdater.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
2168"C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --systemC:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exesvchost.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
2200C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
3948"C:\Users\admin\AppData\Local\Temp\rewok.exe" C:\Users\admin\AppData\Local\Temp\rewok.exe
2025-08-01_cc53efbd10590dbac70664d8ee8aa53a_cryptolocker_elex.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rewok.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
4684"C:\Users\admin\Desktop\2025-08-01_cc53efbd10590dbac70664d8ee8aa53a_cryptolocker_elex.exe" C:\Users\admin\Desktop\2025-08-01_cc53efbd10590dbac70664d8ee8aa53a_cryptolocker_elex.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-08-01_cc53efbd10590dbac70664d8ee8aa53a_cryptolocker_elex.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
5288C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
8 200
Read events
8 200
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
2120updater.exeC:\Program Files (x86)\Google\GoogleUpdater\updater.logtext
MD5:CFA15CDE29C852A107A64DB437D8FA8F
SHA256:9C7CAC75DBAD7734BD7E2FCF67D5849001F421554415B66BEDB304434EE941DF
46842025-08-01_cc53efbd10590dbac70664d8ee8aa53a_cryptolocker_elex.exeC:\Users\admin\AppData\Local\Temp\rewok.exeexecutable
MD5:F660269C0A4551C03978FC0514D432B2
SHA256:4E9F6FE9DE3CD575BCA66309772B0C68F21BB9208777FAAF07D78AD8D0A13008
3948rewok.exeC:\Users\admin\AppData\Local\Temp\rewoked.exehtml
MD5:DEC7D1CFD09356E0ACEAC632BFDC6AA0
SHA256:87EA31CE647AAF4353E5F3A54F8DCF9EB5C6D4C911334D5D5BCAA6A7290485B7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
38
TCP/UDP connections
57
DNS requests
19
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
825 b
whitelisted
1352
RUXIMICS.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
825 b
whitelisted
1352
RUXIMICS.exe
GET
200
23.3.109.244:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
DE
binary
814 b
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.3.109.244:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
DE
binary
814 b
whitelisted
POST
400
20.190.159.4:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
203 b
whitelisted
POST
200
20.190.159.128:443
https://login.live.com/RST2.srf
US
xml
1.24 Kb
whitelisted
POST
400
40.126.31.129:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
203 b
whitelisted
POST
400
20.190.159.73:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
203 b
whitelisted
POST
400
40.126.31.131:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
203 b
whitelisted
POST
400
20.190.159.2:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
203 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5944
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1352
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1352
RUXIMICS.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1352
RUXIMICS.exe
23.3.109.244:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5944
MoUsoCoreWorker.exe
23.3.109.244:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
  • 40.127.240.158
whitelisted
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.14
  • 23.216.77.28
  • 23.216.77.6
  • 23.216.77.42
whitelisted
www.microsoft.com
  • 23.3.109.244
  • 95.101.149.131
whitelisted
login.live.com
  • 40.126.31.130
  • 40.126.31.73
  • 40.126.31.3
  • 20.190.159.0
  • 40.126.31.71
  • 20.190.159.128
  • 20.190.159.75
  • 40.126.31.129
whitelisted
spinistry.com
  • 64.98.135.121
malicious
client.wns.windows.com
  • 20.59.87.227
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
self.events.data.microsoft.com
  • 13.89.179.9
whitelisted

Threats

PID
Process
Class
Message
2200
svchost.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Suspected Domain related to Win32/Cryptolocker (spinistry .com)
A Network Trojan was detected
ET MALWARE Downloader (P2P Zeus dropper UA)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-08-01_cc53efbd10590dbac70664d8ee8aa53a_cryptolocker_elex.exe