File name:

2025-08-05_f52f2cab6885f2d3ca61b628b7265ff8_cryptolocker_elex.exe

Full analysis: https://app.any.run/tasks/5e87df6b-beeb-4c74-b6e7-3e0be1b3f21c
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: August 05, 2025, 07:28:28
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
upx
cryptolocker
ransomware
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5:

F52F2CAB6885F2D3CA61B628B7265FF8

SHA1:

E93291693EB70F0FE6A5B20C65DC6297CECD9A4F

SHA256:

CD0A52B80E97677A30F0AD8F3FADDE64F064606F78042354E84A4272EFEA0A42

SSDEEP:

1536:B5R1pkJL88+BSQDjktBl01hJl8QAPM8Ho6cRDj9i4RR9+e:Ne2tDl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • CRYPTOLOCKER has been detected (YARA)

      • misid.exe (PID: 1336)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-08-05_f52f2cab6885f2d3ca61b628b7265ff8_cryptolocker_elex.exe (PID: 512)
      • misid.exe (PID: 1336)

    • Executable content was dropped or overwritten

      • 2025-08-05_f52f2cab6885f2d3ca61b628b7265ff8_cryptolocker_elex.exe (PID: 512)

    • Starts itself from another location

      • 2025-08-05_f52f2cab6885f2d3ca61b628b7265ff8_cryptolocker_elex.exe (PID: 512)

  • INFO

    • Create files in a temporary directory

      • 2025-08-05_f52f2cab6885f2d3ca61b628b7265ff8_cryptolocker_elex.exe (PID: 512)

    • Checks supported languages

      • 2025-08-05_f52f2cab6885f2d3ca61b628b7265ff8_cryptolocker_elex.exe (PID: 512)
      • misid.exe (PID: 1336)

    • Reads the computer name

      • 2025-08-05_f52f2cab6885f2d3ca61b628b7265ff8_cryptolocker_elex.exe (PID: 512)
      • misid.exe (PID: 1336)

    • Process checks computer location settings

      • 2025-08-05_f52f2cab6885f2d3ca61b628b7265ff8_cryptolocker_elex.exe (PID: 512)

    • Checks proxy server information

      • misid.exe (PID: 1336)
      • slui.exe (PID: 1100)

    • UPX packer has been detected

      • misid.exe (PID: 1336)

    • Reads the software policy settings

      • slui.exe (PID: 1100)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:10:02 12:54:25+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 8
CodeSize: 12288
InitializedDataSize: 12288
UninitializedDataSize: 32768
EntryPoint: 0x1000
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 2.0.1.7
ProductVersionNumber: 2.0.1.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Unknown (0x5)
ObjectFileType: Unknown
FileSubtype: -
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
136
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 2025-08-05_f52f2cab6885f2d3ca61b628b7265ff8_cryptolocker_elex.exe #CRYPTOLOCKER misid.exe no specs slui.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
512"C:\Users\admin\Desktop\2025-08-05_f52f2cab6885f2d3ca61b628b7265ff8_cryptolocker_elex.exe" C:\Users\admin\Desktop\2025-08-05_f52f2cab6885f2d3ca61b628b7265ff8_cryptolocker_elex.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-08-05_f52f2cab6885f2d3ca61b628b7265ff8_cryptolocker_elex.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\gdi32.dll
1100C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
1336"C:\Users\admin\AppData\Local\Temp\misid.exe" C:\Users\admin\AppData\Local\Temp\misid.exe
2025-08-05_f52f2cab6885f2d3ca61b628b7265ff8_cryptolocker_elex.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\misid.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\gdi32.dll
2200C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
Total events
4 194
Read events
4 194
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
5122025-08-05_f52f2cab6885f2d3ca61b628b7265ff8_cryptolocker_elex.exeC:\Users\admin\AppData\Local\Temp\misid.exeexecutable
MD5:B821B24DB136D4E6F9B6F8813D9F2C77
SHA256:0EC7858434B07C89492B9DDF007C4029AEB4F53A8CAF6B57D902C2E91CD67D22
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
33
TCP/UDP connections
51
DNS requests
78
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5944
MoUsoCoreWorker.exe
GET
200
23.216.77.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5528
RUXIMICS.exe
GET
200
23.216.77.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.216.77.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5528
RUXIMICS.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
20.190.159.131:443
https://login.live.com/RST2.srf
unknown
xml
1.24 Kb
whitelisted
POST
400
20.190.159.131:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
20.190.159.73:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
200
20.190.159.2:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
16.7 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5528
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
23.216.77.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
23.216.77.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5528
RUXIMICS.exe
23.216.77.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5944
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.238
whitelisted
crl.microsoft.com
  • 23.216.77.19
  • 23.216.77.21
  • 23.216.77.6
  • 23.216.77.13
  • 23.216.77.20
  • 23.216.77.25
  • 23.216.77.32
  • 23.216.77.30
  • 23.216.77.18
  • 23.216.77.14
  • 23.216.77.10
  • 23.216.77.9
  • 23.216.77.29
  • 23.216.77.23
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 104.79.89.142
whitelisted
login.live.com
  • 20.190.160.5
  • 20.190.160.65
  • 20.190.160.130
  • 20.190.160.66
  • 20.190.160.14
  • 20.190.160.132
  • 20.190.160.128
  • 20.190.160.67
whitelisted
bestccc.com
malicious
client.wns.windows.com
  • 172.183.7.193
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
self.events.data.microsoft.com
  • 20.42.65.90
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-08-05_f52f2cab6885f2d3ca61b628b7265ff8_cryptolocker_elex.exe