File name:

e.exe

Full analysis: https://app.any.run/tasks/390e38c1-dbeb-478e-af6e-0abf633ca27f
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: June 21, 2025, 09:47:18
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
babuk
ransomware
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 6 sections
MD5:

3276CCCB308575D8E66E4C84863C6B63

SHA1:

3A2AB67A4B23C7FD179E23B8A177601FF5971930

SHA256:

7FAE8B6AED5FE17724D2901AF873E6FA91D659645E7F1F546038E828F5223796

SSDEEP:

768:dWzO0yoEJ2ueBTjdSA4ABn8etEzlRxXkhkqLtEOV9gHix:BBoEJ2ueBTxSA4AV8ew1Kk6txx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • RANSOMWARE has been detected

      • e.exe (PID: 6004)

    • Deletes shadow copies

      • cmd.exe (PID: 5168)
      • cmd.exe (PID: 2132)

    • BABUK mutex has been found

      • e.exe (PID: 6004)

    • Renames files like ransomware

      • e.exe (PID: 6004)

  • SUSPICIOUS

    • Creates file in the systems drive root

      • e.exe (PID: 6004)

    • Reads security settings of Internet Explorer

      • e.exe (PID: 6004)

    • Reads the date of Windows installation

      • e.exe (PID: 6004)

    • Starts CMD.EXE for commands execution

      • e.exe (PID: 6004)

  • INFO

    • Process checks computer location settings

      • e.exe (PID: 6004)

    • Checks supported languages

      • e.exe (PID: 6004)

    • Manual execution by a user

      • notepad.exe (PID: 6980)

    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 6980)

    • Reads the machine GUID from the registry

      • e.exe (PID: 6004)

    • Reads the computer name

      • e.exe (PID: 6004)

    • Creates files or folders in the user directory

      • e.exe (PID: 6004)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:06:21 09:35:48+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.44
CodeSize: 55296
InitializedDataSize: 7680
UninitializedDataSize: -
EntryPoint: 0x9700
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
146
Monitored processes
11
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #BABUK e.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs vssadmin.exe no specs cmd.exe no specs conhost.exe no specs vssadmin.exe no specs rundll32.exe no specs slui.exe no specs notepad.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
188C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
2132"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quietC:\Windows\System32\cmd.exee.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
2228vssadmin.exe delete shadows /all /quietC:\Windows\System32\vssadmin.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
3780\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exee.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5168"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quietC:\Windows\System32\cmd.exee.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
5564\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5780C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\System32\rundll32.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
6004"C:\Users\admin\Desktop\e.exe" C:\Users\admin\Desktop\e.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\e.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
6668\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6688vssadmin.exe delete shadows /all /quietC:\Windows\System32\vssadmin.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
1 305
Read events
1 305
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
51
Text files
101
Unknown types
0

Dropped files

PID
Process
Filename
Type
6004e.exeC:\Users\admin\Contacts\How To Restore Your Files.txttext
MD5:2AF817219BB1D24A11AB839B9453B5F3
SHA256:6A16454CAD4534D51025F65277ABAEC0FF4A30082840154A35889445BB3AD0A0
6004e.exeC:\Users\admin\.ms-ad\How To Restore Your Files.txttext
MD5:2AF817219BB1D24A11AB839B9453B5F3
SHA256:6A16454CAD4534D51025F65277ABAEC0FF4A30082840154A35889445BB3AD0A0
6004e.exeC:\Users\admin\Music\How To Restore Your Files.txttext
MD5:2AF817219BB1D24A11AB839B9453B5F3
SHA256:6A16454CAD4534D51025F65277ABAEC0FF4A30082840154A35889445BB3AD0A0
6004e.exeC:\Users\admin\Desktop\cumpicture.jpg.babykimage
MD5:4C6EF4E7465E4762F9AF88263E6F02CF
SHA256:6767F1E6ACD7FCDE0AD9D36926943E42D138E43DC0010EF5A9A3A45B158B63BA
6004e.exeC:\Users\admin\Documents\How To Restore Your Files.txttext
MD5:2AF817219BB1D24A11AB839B9453B5F3
SHA256:6A16454CAD4534D51025F65277ABAEC0FF4A30082840154A35889445BB3AD0A0
6004e.exeC:\Users\admin\Pictures\How To Restore Your Files.txttext
MD5:2AF817219BB1D24A11AB839B9453B5F3
SHA256:6A16454CAD4534D51025F65277ABAEC0FF4A30082840154A35889445BB3AD0A0
6004e.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCookies\How To Restore Your Files.txttext
MD5:2AF817219BB1D24A11AB839B9453B5F3
SHA256:6A16454CAD4534D51025F65277ABAEC0FF4A30082840154A35889445BB3AD0A0
6004e.exeC:\Users\admin\Documents\OneNote Notebooks\How To Restore Your Files.txttext
MD5:2AF817219BB1D24A11AB839B9453B5F3
SHA256:6A16454CAD4534D51025F65277ABAEC0FF4A30082840154A35889445BB3AD0A0
6004e.exeC:\Users\admin\Desktop\steppeople.rtf.babyktext
MD5:08F1B361847DB56C8101A71722D9C54C
SHA256:CB4723B066F9ED72C21183B847C996F660977D0AD60BB0487C7F8E01C6996BD4
6004e.exeC:\Users\admin\Documents\devoffice.rtf.babyktext
MD5:E64D858325F39E79DB53E475FF32CD11
SHA256:EE3A88750C9A2DB755A096760716AE64D11BE7A2808DFE250A50397BC891DAF0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
23
DNS requests
16
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5328
SearchApp.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1268
svchost.exe
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6900
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1200
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6900
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5944
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2468
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5328
SearchApp.exe
2.23.227.215:443
www.bing.com
Ooredoo Q.S.C.
QA
whitelisted
5328
SearchApp.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
1268
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1268
svchost.exe
2.19.11.120:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
1268
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
whitelisted
google.com
  • 216.58.206.46
whitelisted
www.bing.com
  • 2.23.227.215
  • 2.23.227.208
whitelisted
ocsp.digicert.com
  • 2.17.190.73
  • 2.23.77.188
whitelisted
crl.microsoft.com
  • 2.19.11.120
  • 2.19.11.105
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
login.live.com
  • 20.190.159.0
  • 40.126.31.128
  • 20.190.159.131
  • 40.126.31.69
  • 20.190.159.129
  • 20.190.159.68
  • 40.126.31.1
  • 40.126.31.73
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted

Threats

No threats detected
No debug info