File name: 5de1061457e759e022fbc9bb02e8726a49d3ed9663fc8a77d83462c69c96aea8.exe

Full analysis: https://app.any.run/tasks/1248a5c0-9011-4bd3-8086-2218cf707082
Verdict: Malicious activity
Threats:

Akira Ransomware emerged in March 2023 and compromised over 250 organizations by January 2024 with approximately $42 million in ransom payments. It employs double extortion tactics exfiltrating data before encryption and threatening to publish it on a dedicated website.

Analysis date: April 29, 2025, 04:48:17
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
ransomware
akira
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5: 433DEEDF1091C8EA24E0EBAABFB240FF
SHA1: 1E0401756BE980519DC9BFCD2EBF1BD12680D5FD
SHA256: 5DE1061457E759E022FBC9BB02E8726A49D3ED9663FC8A77D83462C69C96AEA8
SSDEEP: 24576:i4/HJQfGMrq1nkF2az/SWIGd0pS4ZvS7H6v:i4JQfTr2nkF2az/jIGd0pS4ZvS7H6v

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • RANSOMWARE has been detected

      • 5de1061457e759e022fbc9bb02e8726a49d3ed9663fc8a77d83462c69c96aea8.exe (PID: 7444)
    • AKIRA has been detected

      • 5de1061457e759e022fbc9bb02e8726a49d3ed9663fc8a77d83462c69c96aea8.exe (PID: 7444)
    • Modifies files in the Chrome extension folder

      • 5de1061457e759e022fbc9bb02e8726a49d3ed9663fc8a77d83462c69c96aea8.exe (PID: 7444)
    • AKIRA has been detected (YARA)

      • 5de1061457e759e022fbc9bb02e8726a49d3ed9663fc8a77d83462c69c96aea8.exe (PID: 7444)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • 5de1061457e759e022fbc9bb02e8726a49d3ed9663fc8a77d83462c69c96aea8.exe (PID: 7444)
    • Executed via WMI

      • powershell.exe (PID: 7564)
    • Write to the desktop.ini file (may be used to cloak folders)

      • 5de1061457e759e022fbc9bb02e8726a49d3ed9663fc8a77d83462c69c96aea8.exe (PID: 7444)
  • INFO

    • Checks supported languages

      • 5de1061457e759e022fbc9bb02e8726a49d3ed9663fc8a77d83462c69c96aea8.exe (PID: 7444)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7564)
    • Reads the computer name

      • 5de1061457e759e022fbc9bb02e8726a49d3ed9663fc8a77d83462c69c96aea8.exe (PID: 7444)
    • Creates files or folders in the user directory

      • 5de1061457e759e022fbc9bb02e8726a49d3ed9663fc8a77d83462c69c96aea8.exe (PID: 7444)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:03:19 17:53:17+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.37
CodeSize: 837632
InitializedDataSize: 251392
UninitializedDataSize: -
EntryPoint: 0x8dd38
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 126
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

(Interactive graph omitted.) Processes shown: 5de1061457e759e022fbc9bb02e8726a49d3ed9663fc8a77d83462c69c96aea8.exe (THREAT), powershell.exe (no specs), conhost.exe (no specs), slui.exe (no specs)

Process information

PID: 7444
CMD: "C:\Users\admin\Desktop\5de1061457e759e022fbc9bb02e8726a49d3ed9663fc8a77d83462c69c96aea8.exe"
Path: C:\Users\admin\Desktop\5de1061457e759e022fbc9bb02e8726a49d3ed9663fc8a77d83462c69c96aea8.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\5de1061457e759e022fbc9bb02e8726a49d3ed9663fc8a77d83462c69c96aea8.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
PID: 7564
CMD: powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7576
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 8060
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 8 085
Read events: 8 056
Write events: 23
Delete events: 6

Modification events

(PID) Process: (7444) 5de1061457e759e022fbc9bb02e8726a49d3ed9663fc8a77d83462c69c96aea8.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: write, Name: Owner
Value: 141D0000B5C2A8F2C1B8DB01

(PID) Process: (7444) 5de1061457e759e022fbc9bb02e8726a49d3ed9663fc8a77d83462c69c96aea8.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: write, Name: SessionHash
Value: D7DA6DC0A44BBCEA6A5F7D595CD2780400E361E1EE67DDB89438636171CE3CAA

(PID) Process: (7444) 5de1061457e759e022fbc9bb02e8726a49d3ed9663fc8a77d83462c69c96aea8.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: write, Name: Sequence
Value: 1

(PID) Process: (7444) 5de1061457e759e022fbc9bb02e8726a49d3ed9663fc8a77d83462c69c96aea8.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: write, Name: RegFiles0000
Value: C:\Users\admin\AppData\Local\ConnectedDevicesPlatform\L.admin\ActivitiesCache.db-shm

(PID) Process: (7444) 5de1061457e759e022fbc9bb02e8726a49d3ed9663fc8a77d83462c69c96aea8.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: write, Name: RegFilesHash
Value: BCC5CB96E8A4BDCF5536E974135EC99DBBAECEE77C755E8991FFD5109811BC04

(PID) Process: (7444) 5de1061457e759e022fbc9bb02e8726a49d3ed9663fc8a77d83462c69c96aea8.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0002
Operation: write, Name: Owner
Value: 141D0000B5C2A8F2C1B8DB01

(PID) Process: (7444) 5de1061457e759e022fbc9bb02e8726a49d3ed9663fc8a77d83462c69c96aea8.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0002
Operation: write, Name: SessionHash
Value: 0A19623D31C19023B6B3CA4FABB78FA6C7475C6EE4D0A38F62B8DD50EC6D9D37

(PID) Process: (7444) 5de1061457e759e022fbc9bb02e8726a49d3ed9663fc8a77d83462c69c96aea8.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0002
Operation: write, Name: Sequence
Value: 1

(PID) Process: (7444) 5de1061457e759e022fbc9bb02e8726a49d3ed9663fc8a77d83462c69c96aea8.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0002
Operation: write, Name: RegFiles0000
Value: C:\Users\admin\AppData\Local\ConnectedDevicesPlatform\L.admin\ActivitiesCache.db-wal

(PID) Process: (7444) 5de1061457e759e022fbc9bb02e8726a49d3ed9663fc8a77d83462c69c96aea8.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0002
Operation: write, Name: RegFilesHash
Value: 755DB5CA432ED6DA00C4BC84148ABCA9989CB070ED45A8B46E65BC08E70138E1
Executable files: 19
Suspicious files: 4 388
Text files: 1 135
Unknown types: 0

Dropped files

PID | Process | Filename | Type

7444 | 5de1061457e759e022fbc9bb02e8726a49d3ed9663fc8a77d83462c69c96aea8.exe | C:\Users\admin\AppData\akira_readme.txt | text
MD5: 6482B5984CC2F0012B452E6BA5D92635
SHA256: 4E0E4FB4266250EBF7F646C6EEFF934491E25D2722CAA1D6FE099D3E50913A57

7444 | 5de1061457e759e022fbc9bb02e8726a49d3ed9663fc8a77d83462c69c96aea8.exe | C:\Users\admin\AppData\Local\Adobe\Acrobat\akira_readme.txt | text
MD5: 6482B5984CC2F0012B452E6BA5D92635
SHA256: 4E0E4FB4266250EBF7F646C6EEFF934491E25D2722CAA1D6FE099D3E50913A57

7444 | 5de1061457e759e022fbc9bb02e8726a49d3ed9663fc8a77d83462c69c96aea8.exe | C:\Users\admin\AppData\Local\akira_readme.txt | text
MD5: 6482B5984CC2F0012B452E6BA5D92635
SHA256: 4E0E4FB4266250EBF7F646C6EEFF934491E25D2722CAA1D6FE099D3E50913A57

7444 | 5de1061457e759e022fbc9bb02e8726a49d3ed9663fc8a77d83462c69c96aea8.exe | C:\Users\admin\3D Objects\akira_readme.txt | text
MD5: 6482B5984CC2F0012B452E6BA5D92635
SHA256: 4E0E4FB4266250EBF7F646C6EEFF934491E25D2722CAA1D6FE099D3E50913A57

7444 | 5de1061457e759e022fbc9bb02e8726a49d3ed9663fc8a77d83462c69c96aea8.exe | C:\Users\admin\akira_readme.txt | text
MD5: 6482B5984CC2F0012B452E6BA5D92635
SHA256: 4E0E4FB4266250EBF7F646C6EEFF934491E25D2722CAA1D6FE099D3E50913A57

7444 | 5de1061457e759e022fbc9bb02e8726a49d3ed9663fc8a77d83462c69c96aea8.exe | C:\Users\admin\.ms-ad\akira_readme.txt | text
MD5: 6482B5984CC2F0012B452E6BA5D92635
SHA256: 4E0E4FB4266250EBF7F646C6EEFF934491E25D2722CAA1D6FE099D3E50913A57

7564 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_dt0im545.5co.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

7444 | 5de1061457e759e022fbc9bb02e8726a49d3ed9663fc8a77d83462c69c96aea8.exe | C:\bootTel.dat | binary
MD5: 1CAF3E2A3CC57A2D02376DC24CFB5F9E
SHA256: 1EB81C69418B9956AB10D626403A25B5E663CC5DC5345A3D2AB0A4344E8137A7

7444 | 5de1061457e759e022fbc9bb02e8726a49d3ed9663fc8a77d83462c69c96aea8.exe | C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\akira_readme.txt | text
MD5: 6482B5984CC2F0012B452E6BA5D92635
SHA256: 4E0E4FB4266250EBF7F646C6EEFF934491E25D2722CAA1D6FE099D3E50913A57

7564 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
MD5: 490B27F91424AF670316325DB4191CCB
SHA256: 36125EF392178BC95335010D8789ECE4C6FF15A3DF5ED88858A098929A5F93E6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 29
TCP/UDP connections: 50
DNS requests: 14
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
(The Type and Size columns were empty in the report and are omitted; "-" marks a field the report left blank.)

- | - | GET | 304 | 52.149.20.212:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | -
- | - | GET | 200 | 52.149.20.212:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | -
7908 | SIHClient.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
7908 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
7908 | SIHClient.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
7908 | SIHClient.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
7908 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
- | - | GET | 200 | 20.3.187.198:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | -
7908 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
7908 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
("-" marks a field the report left blank.)

- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 20.190.159.130:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
- | - | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | unknown
6544 | svchost.exe | 20.190.159.130:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
2112 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | unknown
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
7908 | SIHClient.exe | 52.149.20.212:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
whitelisted
login.live.com
  • 20.190.159.130
  • 40.126.31.67
  • 40.126.31.128
  • 20.190.159.68
  • 20.190.159.71
  • 40.126.31.69
  • 20.190.159.0
  • 20.190.159.131
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
google.com
  • 142.250.185.174
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.11
whitelisted

Threats

No threats detected
No debug info