| File name: | e.exe |
| Full analysis: | https://app.any.run/tasks/3efec42c-4e96-4db3-8efe-081abb734513 |
| Verdict: | Malicious activity |
| Threats: | Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. |
| Analysis date: | June 21, 2025, 10:12:15 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (console) x86-64, for MS Windows, 6 sections |
| MD5: | 3276CCCB308575D8E66E4C84863C6B63 |
| SHA1: | 3A2AB67A4B23C7FD179E23B8A177601FF5971930 |
| SHA256: | 7FAE8B6AED5FE17724D2901AF873E6FA91D659645E7F1F546038E828F5223796 |
| SSDEEP: | 768:dWzO0yoEJ2ueBTjdSA4ABn8etEzlRxXkhkqLtEOV9gHix:BBoEJ2ueBTxSA4AV8ew1Kk6txx |
MALICIOUS
BABUK mutex has been found
- e.exe (PID: 3780)
- d.exe (PID: 3640)
Renames files like ransomware
- e.exe (PID: 3780)
Deletes shadow copies
- cmd.exe (PID: 1520)
- cmd.exe (PID: 6160)
RANSOMWARE has been detected
- e.exe (PID: 3780)
SUSPICIOUS
Reads security settings of Internet Explorer
- e.exe (PID: 3780)
Reads the date of Windows installation
- e.exe (PID: 3780)
Starts CMD.EXE for commands execution
- e.exe (PID: 3780)
Creates file in the systems drive root
- e.exe (PID: 3780)
INFO
Process checks computer location settings
- e.exe (PID: 3780)
Reads the computer name
- e.exe (PID: 3780)
- d.exe (PID: 3640)
Checks supported languages
- e.exe (PID: 3780)
- d.exe (PID: 3640)
Reads the machine GUID from the registry
- e.exe (PID: 3780)
Creates files or folders in the user directory
- e.exe (PID: 3780)
Manual execution by a user
- d.exe (PID: 3640)
- WINWORD.EXE (PID: 5564)
- mspaint.exe (PID: 3668)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (87.3) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (6.3) |
| .exe | | | DOS Executable Generic (6.3) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2025:06:21 09:35:48+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.44 |
| CodeSize: | 55296 |
| InitializedDataSize: | 7680 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x9700 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows command line |
Total processes
153
Monitored processes
14
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 632 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | e.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1520 | "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet | C:\Windows\System32\cmd.exe | — | e.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 2 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2044 | "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "4BBF3B1D-720C-408F-A3ED-86CADB425DA8" "49161862-1D92-44B7-AB4F-65DE2790C61A" "5564" | C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe | — | WINWORD.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64. Exit code: 0 Version: 0.12.2.0 Modules
| |||||||||||||||
| 3640 | "C:\Users\admin\Desktop\d.exe" | C:\Users\admin\Desktop\d.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
| |||||||||||||||
| 3668 | "C:\WINDOWS\system32\mspaint.exe" "C:\Users\admin\Desktop\insuranceprocedures.jpg" | C:\Windows\System32\mspaint.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Paint Exit code: 0 Version: 10.0.19041.3758 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3780 | "C:\Users\admin\Desktop\e.exe" | C:\Users\admin\Desktop\e.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 3800 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4760 | vssadmin.exe delete shadows /all /quiet | C:\Windows\System32\vssadmin.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Command Line Interface for Microsoft® Volume Shadow Copy Service Exit code: 2 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4916 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | d.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5564 | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\Desktop\ashowever.rtf" /o "" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 16.0.16026.20146 Modules
| |||||||||||||||
Total events
8 833
Read events
8 536
Write events
272
Delete events
25
Modification events
| (PID) Process: | (5564) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5564 |
| Operation: | write | Name: | 0 |
Value: 0B0E10F00D80E634DA554289D9B485CC5FF83F230046C9AEC099D0D2F8ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511BC2BD2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300 | |||
| (PID) Process: | (5564) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | en-US |
Value: 2 | |||
| (PID) Process: | (5564) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | de-de |
Value: 2 | |||
| (PID) Process: | (5564) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | fr-fr |
Value: 2 | |||
| (PID) Process: | (5564) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | es-es |
Value: 2 | |||
| (PID) Process: | (5564) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | it-it |
Value: 2 | |||
| (PID) Process: | (5564) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | ja-jp |
Value: 2 | |||
| (PID) Process: | (5564) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | ko-kr |
Value: 2 | |||
| (PID) Process: | (5564) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | pt-br |
Value: 2 | |||
| (PID) Process: | (5564) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | ru-ru |
Value: 2 | |||
Executable files
1
Suspicious files
86
Text files
104
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3780 | e.exe | C:\Users\admin\.ms-ad\How To Restore Your Files.txt | text | |
MD5:2AF817219BB1D24A11AB839B9453B5F3 | SHA256:6A16454CAD4534D51025F65277ABAEC0FF4A30082840154A35889445BB3AD0A0 | |||
| 3780 | e.exe | C:\Users\admin\How To Restore Your Files.txt | text | |
MD5:2AF817219BB1D24A11AB839B9453B5F3 | SHA256:6A16454CAD4534D51025F65277ABAEC0FF4A30082840154A35889445BB3AD0A0 | |||
| 3780 | e.exe | C:\Users\admin\Contacts\How To Restore Your Files.txt | text | |
MD5:2AF817219BB1D24A11AB839B9453B5F3 | SHA256:6A16454CAD4534D51025F65277ABAEC0FF4A30082840154A35889445BB3AD0A0 | |||
| 3780 | e.exe | C:\Users\admin\Desktop\jerseymanufacturer.png.babyk | image | |
MD5:36E82D5D647E5E0D205989027A97D79C | SHA256:D96AA8EFF6DDBAC5EC1D7A4CCED1D455146ACDF6C2A9C50F326B6B7AEB49CD85 | |||
| 3780 | e.exe | C:\Users\admin\Documents\eurplayers.rtf.babyk | text | |
MD5:4E9FAFC8AB9CA3AF39C691B7C0826A69 | SHA256:E9B8AFF126D6F14CF0A6BB42E42DD2B3D51B00D2C47F7458D8D877D0C274B51A | |||
| 3780 | e.exe | C:\Users\admin\Documents\perpublished.rtf.babyk | text | |
MD5:D47B6D7847A7D2E03A7910E3BB8A9825 | SHA256:9B0E6D5C406D44B8076C4FF721226284DF0F664D0A2485AAE4367DFEC328F5C4 | |||
| 3780 | e.exe | C:\Users\admin\Desktop\usersanal.rtf.babyk | text | |
MD5:EC435D0CD3902A1A76BE78E2B4180DAB | SHA256:8DBD611A4FF9929081E3AE0878EEA9AB3702D889554FD3505B06B1DD915FEAE5 | |||
| 3780 | e.exe | C:\Users\admin\Desktop\againstmedia.jpg.babyk | image | |
MD5:219F71D62B73AB1211DFBF99B6B8DE63 | SHA256:4D6D8386779E1863CE0B6763CC5123910968D0C538982255F3D265C5E71259F3 | |||
| 3780 | e.exe | C:\Users\admin\Desktop\eventgets.jpg.babyk | image | |
MD5:76B045880FE3A0CEF05676ADB01DB4BB | SHA256:39EEE9DEA993BBB4E3A02B81F9187FF86FA5E9420F4FF6972C95C3D66E7E6F57 | |||
| 3780 | e.exe | C:\Users\admin\Pictures\How To Restore Your Files.txt | text | |
MD5:2AF817219BB1D24A11AB839B9453B5F3 | SHA256:6A16454CAD4534D51025F65277ABAEC0FF4A30082840154A35889445BB3AD0A0 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
30
DNS requests
21
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1268 | svchost.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
2668 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
3112 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
3112 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
5564 | WINWORD.EXE | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1268 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4156 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1268 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
1268 | svchost.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
5564 | WINWORD.EXE | 52.109.28.46:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted |
5564 | WINWORD.EXE | 52.123.129.14:443 | ecs.office.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
officeclient.microsoft.com |
| whitelisted |
ecs.office.com |
| whitelisted |
omex.cdn.office.net |
| whitelisted |
fs.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
Threats
Process | Message |
|---|---|
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|