File name:

cryptor.exe

Full analysis: https://app.any.run/tasks/9804ed4b-f502-4f63-99a8-11df37c6a038
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: July 06, 2025, 03:00:28
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
conti
ransomware
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:

0FC118D1C2A43F36B43C68DD704AED0C

SHA1:

59131AD7D2FE49EEE1ECBEEFB1952D07EEB61F98

SHA256:

EF8C832C0B160069D9EF8CFCBA2BDFCC2B7094A37A889BDEFBE264E35660376F

SSDEEP:

3072:kSMVnL8GXG4kbrQWnR8O6T8povNTuXNDGnyD9QjD2B31fPvF7WVuUKdCxOFY:kSMsrbFVpoodDGnyD9gOPhWVuUUe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • CONTI mutex has been found

      • cryptor.exe (PID: 1324)

    • RANSOMWARE has been detected

      • cryptor.exe (PID: 1324)

    • CONTI has been detected

      • cryptor.exe (PID: 1324)
      • decryptor.exe (PID: 4968)

    • Renames files like ransomware

      • cryptor.exe (PID: 1324)

  • SUSPICIOUS

    • Creates file in the systems drive root

      • cryptor.exe (PID: 1324)

    • Write to the desktop.ini file (may be used to cloak folders)

      • cryptor.exe (PID: 1324)

    • Modifies hosts file to alter network resolution

      • cryptor.exe (PID: 1324)

  • INFO

    • Reads the machine GUID from the registry

      • cryptor.exe (PID: 1324)
      • decryptor.exe (PID: 4968)

    • Reads the computer name

      • cryptor.exe (PID: 1324)
      • decryptor.exe (PID: 4968)

    • Checks supported languages

      • cryptor.exe (PID: 1324)
      • decryptor.exe (PID: 4968)

    • Creates files in the program directory

      • cryptor.exe (PID: 1324)

    • Failed to create an executable file in Windows directory

      • cryptor.exe (PID: 1324)

    • Creates files or folders in the user directory

      • cryptor.exe (PID: 1324)

    • Manual execution by a user

      • decryptor.exe (PID: 4968)
      • mspaint.exe (PID: 3720)
      • WINWORD.EXE (PID: 5596)
      • mspaint.exe (PID: 2620)

    • Checks proxy server information

      • slui.exe (PID: 6384)

    • Reads the software policy settings

      • slui.exe (PID: 6384)

    • Create files in a temporary directory

      • cryptor.exe (PID: 1324)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:07:06 03:00:14+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.44
CodeSize: 195072
InitializedDataSize: 66560
UninitializedDataSize: -
EntryPoint: 0x24038
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
147
Monitored processes
7
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start THREAT cryptor.exe decryptor.exe conhost.exe no specs slui.exe winword.exe no specs mspaint.exe no specs mspaint.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1324"C:\Users\admin\AppData\Local\Temp\cryptor.exe" C:\Users\admin\AppData\Local\Temp\cryptor.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\cryptor.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
2620"C:\WINDOWS\system32\mspaint.exe" "C:\Users\admin\Desktop\basisboards.jpg"C:\Windows\System32\mspaint.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Paint
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mspaint.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
3720"C:\WINDOWS\system32\mspaint.exe" "C:\Users\admin\Desktop\rapevalues.png"C:\Windows\System32\mspaint.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Paint
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mspaint.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
4968"C:\Users\admin\Desktop\decryptor.exe" C:\Users\admin\Desktop\decryptor.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\desktop\decryptor.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
5596"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\Desktop\thislooking.rtf" /o ""C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
3221225775
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
6128\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exedecryptor.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6384C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
2 457
Read events
2 457
Write events
0
Delete events
0

Modification events

No data
Executable files
7
Suspicious files
869
Text files
50
Unknown types
0

Dropped files

PID
Process
Filename
Type
1324cryptor.exeC:\ProgramData\readme.txt
MD5:
SHA256:
1324cryptor.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\readme.txt
MD5:
SHA256:
1324cryptor.exeC:\ProgramData\Adobe\readme.txt
MD5:
SHA256:
1324cryptor.exeC:\ProgramData\Comms\readme.txt
MD5:
SHA256:
1324cryptor.exeC:\ProgramData\Microsoft OneDrive\readme.txt
MD5:
SHA256:
1324cryptor.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\readme.txt
MD5:
SHA256:
1324cryptor.exeC:\ProgramData\Oracle\readme.txt
MD5:
SHA256:
1324cryptor.exeC:\ProgramData\PLUG\readme.txt
MD5:
SHA256:
1324cryptor.exeC:\ProgramData\USOShared\readme.txt
MD5:
SHA256:
1324cryptor.exeC:\Users\admin\readme.txt
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
48
DNS requests
22
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5328
SearchApp.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
2320
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
2320
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
1652
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
2940
svchost.exe
GET
200
2.23.197.184:80
http://x1.c.lencr.org/
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5944
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6356
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1324
cryptor.exe
192.168.100.2:445
whitelisted
1324
cryptor.exe
192.168.100.1:445
unknown
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
  • 4.231.128.59
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
www.bing.com
  • 104.126.37.153
  • 104.126.37.162
  • 104.126.37.144
  • 104.126.37.160
  • 104.126.37.178
  • 104.126.37.170
  • 104.126.37.123
  • 104.126.37.171
  • 104.126.37.155
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
th.bing.com
  • 104.126.37.153
  • 104.126.37.130
  • 104.126.37.144
  • 104.126.37.123
  • 104.126.37.136
  • 104.126.37.155
  • 104.126.37.178
  • 104.126.37.139
  • 104.126.37.171
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
login.live.com
  • 20.190.160.64
  • 20.190.160.14
  • 20.190.160.3
  • 20.190.160.65
  • 20.190.160.2
  • 20.190.160.67
  • 20.190.160.132
  • 20.190.160.131
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
cryptor.exe