File name:

e.exe

Full analysis: https://app.any.run/tasks/af4f9243-c571-4306-9c4b-76870b2d736b
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: June 21, 2025, 10:09:37
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
babuk
ransomware
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 6 sections
MD5:

3276CCCB308575D8E66E4C84863C6B63

SHA1:

3A2AB67A4B23C7FD179E23B8A177601FF5971930

SHA256:

7FAE8B6AED5FE17724D2901AF873E6FA91D659645E7F1F546038E828F5223796

SSDEEP:

768:dWzO0yoEJ2ueBTjdSA4ABn8etEzlRxXkhkqLtEOV9gHix:BBoEJ2ueBTxSA4AV8ew1Kk6txx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • BABUK mutex has been found

      • e.exe (PID: 3028)

    • Renames files like ransomware

      • e.exe (PID: 3028)

    • Deletes shadow copies

      • cmd.exe (PID: 4500)
      • cmd.exe (PID: 640)

    • RANSOMWARE has been detected

      • e.exe (PID: 3028)

  • SUSPICIOUS

    • Reads the date of Windows installation

      • e.exe (PID: 3028)

    • Reads security settings of Internet Explorer

      • e.exe (PID: 3028)

    • Creates file in the systems drive root

      • e.exe (PID: 3028)

    • Starts CMD.EXE for commands execution

      • e.exe (PID: 3028)

  • INFO

    • Reads the machine GUID from the registry

      • e.exe (PID: 3028)

    • Process checks computer location settings

      • e.exe (PID: 3028)

    • Reads the computer name

      • e.exe (PID: 3028)

    • Creates files or folders in the user directory

      • e.exe (PID: 3028)

    • Checks supported languages

      • e.exe (PID: 3028)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:06:21 09:35:48+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.44
CodeSize: 55296
InitializedDataSize: 7680
UninitializedDataSize: -
EntryPoint: 0x9700
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
149
Monitored processes
9
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #BABUK e.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs vssadmin.exe no specs cmd.exe no specs conhost.exe no specs vssadmin.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
640"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quietC:\Windows\System32\cmd.exee.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
2460vssadmin.exe delete shadows /all /quietC:\Windows\System32\vssadmin.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
2708\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exee.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3028"C:\Users\admin\Desktop\e.exe" C:\Users\admin\Desktop\e.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\e.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
3388C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
4500"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quietC:\Windows\System32\cmd.exee.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
4984vssadmin.exe delete shadows /all /quietC:\Windows\System32\vssadmin.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
5564\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6836\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
1 108
Read events
1 108
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
49
Text files
100
Unknown types
0

Dropped files

PID
Process
Filename
Type
3028e.exeC:\Users\admin\How To Restore Your Files.txttext
MD5:2AF817219BB1D24A11AB839B9453B5F3
SHA256:6A16454CAD4534D51025F65277ABAEC0FF4A30082840154A35889445BB3AD0A0
3028e.exeC:\Users\admin\Music\How To Restore Your Files.txttext
MD5:2AF817219BB1D24A11AB839B9453B5F3
SHA256:6A16454CAD4534D51025F65277ABAEC0FF4A30082840154A35889445BB3AD0A0
3028e.exeC:\Users\admin\Documents\How To Restore Your Files.txttext
MD5:2AF817219BB1D24A11AB839B9453B5F3
SHA256:6A16454CAD4534D51025F65277ABAEC0FF4A30082840154A35889445BB3AD0A0
3028e.exeC:\Users\admin\Videos\How To Restore Your Files.txttext
MD5:2AF817219BB1D24A11AB839B9453B5F3
SHA256:6A16454CAD4534D51025F65277ABAEC0FF4A30082840154A35889445BB3AD0A0
3028e.exeC:\Users\admin\Documents\OneNote Notebooks\My Notebook\How To Restore Your Files.txttext
MD5:2AF817219BB1D24A11AB839B9453B5F3
SHA256:6A16454CAD4534D51025F65277ABAEC0FF4A30082840154A35889445BB3AD0A0
3028e.exeC:\Users\admin\.ms-ad\How To Restore Your Files.txttext
MD5:2AF817219BB1D24A11AB839B9453B5F3
SHA256:6A16454CAD4534D51025F65277ABAEC0FF4A30082840154A35889445BB3AD0A0
3028e.exeC:\Users\admin\3D Objects\How To Restore Your Files.txttext
MD5:2AF817219BB1D24A11AB839B9453B5F3
SHA256:6A16454CAD4534D51025F65277ABAEC0FF4A30082840154A35889445BB3AD0A0
3028e.exeC:\Users\admin\Contacts\How To Restore Your Files.txttext
MD5:2AF817219BB1D24A11AB839B9453B5F3
SHA256:6A16454CAD4534D51025F65277ABAEC0FF4A30082840154A35889445BB3AD0A0
3028e.exeC:\Users\admin\Pictures\How To Restore Your Files.txttext
MD5:2AF817219BB1D24A11AB839B9453B5F3
SHA256:6A16454CAD4534D51025F65277ABAEC0FF4A30082840154A35889445BB3AD0A0
3028e.exeC:\Users\admin\Documents\Outlook Files\How To Restore Your Files.txttext
MD5:2AF817219BB1D24A11AB839B9453B5F3
SHA256:6A16454CAD4534D51025F65277ABAEC0FF4A30082840154A35889445BB3AD0A0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
28
DNS requests
17
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2292
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5328
SearchApp.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
184.25.50.10:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5780
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5780
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
888
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2292
svchost.exe
20.190.160.130:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2292
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
5328
SearchApp.exe
2.23.227.215:443
www.bing.com
Ooredoo Q.S.C.
QA
whitelisted
5328
SearchApp.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
5944
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
  • 51.104.136.2
whitelisted
google.com
  • 142.250.186.142
whitelisted
login.live.com
  • 20.190.160.130
  • 40.126.32.76
  • 20.190.160.17
  • 40.126.32.134
  • 40.126.32.136
  • 20.190.160.5
  • 20.190.160.67
  • 20.190.160.128
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
www.bing.com
  • 2.23.227.215
  • 2.23.227.208
whitelisted
nexusrules.officeapps.live.com
  • 52.111.236.21
whitelisted
crl.microsoft.com
  • 184.25.50.10
  • 184.25.50.8
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted

Threats

No threats detected
No debug info