File name:

file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img

Full analysis: https://app.any.run/tasks/d04ecd50-2e9a-4cf6-bfab-fb3f18edb5e4
Verdict: Malicious activity
Threats:

LockBit is a ransomware family that encrypts data on infected machines and demands a ransom payment for decryption. It is used in targeted attacks and poses a significant risk to organizations.

Analysis date: July 06, 2025, 04:10:41
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
ransomware
lockbit
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:

5BFD945D001B3D21E886331BB6097644

SHA1:

36AD5E0DD33A41DA33EA9F5EE0351860574B0B01

SHA256:

014154A9A112138A287B8EF94F952423D9F7F0734F654BFD07D943A57AAEB66A

SSDEEP:

24576:BG4ZKt7mq6i6KZoYxOIqOMNbPctc2EVQ7mRBobTQJtU:BG4ZKt7mq6i6KZoYxOIqOMNbPctc2EVe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe (PID: 3688)
    • Deletes shadow copies

      • cmd.exe (PID: 1216)
      • cmd.exe (PID: 4816)
      • cmd.exe (PID: 7452)
      • cmd.exe (PID: 7352)
      • cmd.exe (PID: 7920)
      • cmd.exe (PID: 7440)
      • cmd.exe (PID: 7308)
    • Using BCDEDIT.EXE to modify recovery options

      • cmd.exe (PID: 7268)
      • cmd.exe (PID: 7204)
      • cmd.exe (PID: 1216)
      • cmd.exe (PID: 8084)
      • cmd.exe (PID: 7260)
    • RANSOMWARE has been detected

      • file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe (PID: 3688)
    • [YARA] LockBit is detected

      • file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe (PID: 3688)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe (PID: 3688)
      • ShellExperienceHost.exe (PID: 2180)
    • Executes as Windows Service

      • VSSVC.exe (PID: 1612)
      • wbengine.exe (PID: 8136)
      • vds.exe (PID: 7360)
    • Write to the desktop.ini file (may be used to cloak folders)

      • file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe (PID: 3688)
    • Starts CMD.EXE for commands execution

      • file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe (PID: 3688)
    • Uses WMIC.EXE to obtain shadow copy information

      • cmd.exe (PID: 7548)
      • cmd.exe (PID: 7620)
    • Uses WEVTUTIL.EXE to cleanup log

      • cmd.exe (PID: 7652)
      • cmd.exe (PID: 7732)
      • cmd.exe (PID: 7828)
      • cmd.exe (PID: 7856)
      • cmd.exe (PID: 7652)
      • cmd.exe (PID: 7788)
    • Connects to unusual port

      • file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe (PID: 3688)
  • INFO

    • Create files in a temporary directory

      • file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe (PID: 4788)
      • file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe (PID: 3688)
    • Checks supported languages

      • file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe (PID: 4788)
      • file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe (PID: 3688)
      • ShellExperienceHost.exe (PID: 2180)
    • The sample compiled with english language support

      • file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe (PID: 4788)
    • Reads the computer name

      • file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe (PID: 4788)
      • file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe (PID: 3688)
      • ShellExperienceHost.exe (PID: 2180)
    • Reads the machine GUID from the registry

      • file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe (PID: 4788)
    • Reads security settings of Internet Explorer

      • dllhost.exe (PID: 4372)
      • WMIC.exe (PID: 7416)
      • WMIC.exe (PID: 7596)
      • WMIC.exe (PID: 7728)
    • Launching a file from a Registry key

      • file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe (PID: 3688)
    • Process checks computer location settings

      • file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe (PID: 3688)
    • Creates files in the program directory

      • file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe (PID: 3688)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1991:09:26 04:30:53+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 524800
InitializedDataSize: 278528
UninitializedDataSize: -
EntryPoint: 0x1000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 3.1.2.0
ProductVersionNumber: 3.1.2.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
FileDescription: SumatraPDF
FileVersion: 3.1.2
LegalCopyright: Copyright 2006-2016 all authors (GPLv3)
OriginalFileName: SumatraPDF.exe
ProductName: SumatraPDF
ProductVersion: 3.1.2
CompanyName: Krzysztof Kowalczyk
All screenshots are available in the full report
Total processes: 214
Monitored processes: 73
Malicious processes: 9
Suspicious processes: 0

Behavior graph

Process launch order (73 monitored processes; THREAT marks the detected ransomware process):
file.0xa60dfe563a30.0xa60dfac42a20.imagesectionobject.sumudrapdf.exe.img.exe (start), conhost.exe, CMSTPLUA, Color Management,
file.0xa60dfe563a30.0xa60dfac42a20.imagesectionobject.sumudrapdf.exe.img.exe (THREAT), conhost.exe, cmd.exe, conhost.exe, vssadmin.exe, vssvc.exe, shellexperiencehost.exe,
cmd.exe, conhost.exe, vssadmin.exe, cmd.exe, conhost.exe, bcdedit.exe, cmd.exe, conhost.exe, bcdedit.exe, cmd.exe, conhost.exe, wmic.exe, wbadmin.exe,
cmd.exe, conhost.exe, wbadmin.exe, cmd.exe, conhost.exe, wmic.exe, cmd.exe, conhost.exe, wevtutil.exe, cmd.exe, conhost.exe, wevtutil.exe, cmd.exe, conhost.exe, wevtutil.exe,
cmd.exe, conhost.exe, vssadmin.exe, bcdedit.exe, bcdedit.exe, wbadmin.exe, cmd.exe, conhost.exe, wbengine.exe, bcdedit.exe, cmd.exe, conhost.exe, vdsldr.exe, bcdedit.exe, vds.exe,
cmd.exe, conhost.exe, wbadmin.exe, cmd.exe, conhost.exe, wbadmin.exe, cmd.exe, conhost.exe, wmic.exe, cmd.exe, conhost.exe, wevtutil.exe, cmd.exe, conhost.exe, wevtutil.exe,
cmd.exe, conhost.exe, wevtutil.exe, slui.exe

Process information

Columns: PID | CMD | Path | Parent process (the Indicators column is empty in this export)
PID 632 | CMD: bcdedit /set {default} bootstatuspolicy ignoreallfailures | Path: C:\Windows\System32\bcdedit.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Configuration Data Editor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\bcdedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cryptsp.dll
PID 1216 | CMD: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet | Path: C:\Windows\System32\cmd.exe | Parent: file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID 1612 | CMD: C:\WINDOWS\system32\vssvc.exe | Path: C:\Windows\System32\VSSVC.exe | Parent: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1688 | CMD: C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | Path: C:\Windows\SysWOW64\dllhost.exe | Parent: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\combase.dll
PID 1760 | CMD: C:\WINDOWS\System32\slui.exe -Embedding | Path: C:\Windows\System32\slui.exe | Parent: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID 2180 | CMD: "C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca | Path: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Parent: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Shell Experience Host
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\wincorlib.dll
PID 2220 | CMD: vssadmin delete shadows /all /quiet | Path: C:\Windows\System32\vssadmin.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\combase.dll
PID 3148 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent: file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 3688 | CMD: "C:\Users\admin\AppData\Local\Temp\file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe" | Path: C:\Users\admin\AppData\Local\Temp\file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe | Parent: dllhost.exe
User:
admin
Company:
Krzysztof Kowalczyk
Integrity Level:
HIGH
Description:
SumatraPDF
Version:
3.1.2
Modules
Images
c:\users\admin\appdata\local\temp\file.0xa60dfe563a30.0xa60dfac42a20.imagesectionobject.sumudrapdf.exe.img.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID 4372 | CMD: C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937} | Path: C:\Windows\SysWOW64\dllhost.exe | Parent: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\combase.dll
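The "Deletes shadow copies", "Using BCDEDIT.EXE to modify recovery options" and "Uses WEVTUTIL.EXE to cleanup log" indicators above all fire on command lines like the one PID 1216 carries. The following detection logic is an added example and is not code from ANY.RUN or from the sample. Its event records are constructed from the Process information rows: PID 1216's command line is copied verbatim, the wevtutil arguments are an assumption (the report lists the wevtutil launches without their command lines), and the explorer.exe-spawned "dir" launch is invented as a negative case. One caveat the report itself supplies: vssadmin exited with code 2 and wbadmin logged "Invalid parameter passed to C runtime function" five times, so not every deletion necessarily succeeded; the rules therefore key on the attempted command line, not the outcome, and a single parent whose children cover several of these tags is treated as the ransomware pattern while one lone vssadmin call is not.

```python
"""Command-line detection for the inhibit-recovery / log-clearing chain in this
report. Added example, not ANY.RUN's or the sample's code; see the lead-in for
which records are copied from the report and which are assumed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # image file name as the report lists it
    cmdline: str
    parent_image: str   # the report gives parent image names, not parent PIDs


# (tag, ATT&CK technique, regex tried against each chained sub-command)
RULES = [
    ("shadow_copy_deletion", "T1490",
     re.compile(r"^vssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow_copy_deletion", "T1490",
     re.compile(r"^wmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("boot_status_policy_ignored", "T1490",
     re.compile(r"^bcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("recovery_disabled", "T1490",
     re.compile(r"^bcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("backup_catalog_deleted", "T1490",
     re.compile(r"^wbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("event_log_cleared", "T1070.001",
     re.compile(r"^wevtutil(\.exe)?\b.*\b(cl|clear-log)\b", re.I)),
]

_CMD_WRAPPER = re.compile(r'^\s*"?(?:[^"\s]*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+', re.I)
_CHAIN_OPS = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")


def split_segments(cmdline: str) -> list[str]:
    """Drop a leading 'cmd.exe /c' wrapper and split the rest on &, &&, | and ||,
    so one 'cmd /c a & b & c' launch yields one segment per tool invocation.
    A segment that starts with a full path is reduced to the tool's basename so
    the ^tool anchors in RULES still match (paths containing spaces are not handled)."""
    body = _CMD_WRAPPER.sub("", cmdline, count=1)
    segs = []
    for seg in _CHAIN_OPS.split(body):
        seg = seg.strip().strip('"')
        if not seg:
            continue
        head, _, rest = seg.partition(" ")
        head = head.strip('"').rsplit("\\", 1)[-1]
        segs.append(f"{head} {rest}".strip())
    return segs


def classify_cmdline(cmdline: str) -> dict[str, str]:
    """Map every matching tag to its technique id for one process launch."""
    hits: dict[str, str] = {}
    for seg in split_segments(cmdline):
        for tag, technique, rx in RULES:
            if rx.search(seg):
                hits[tag] = technique
    return hits


def find_inhibit_recovery(events, min_tags: int = 3) -> dict[str, set[str]]:
    """Collect the tags hit by each parent's children. A parent whose children
    cover >= min_tags distinct tags is the ransomware-style pattern; a lone
    'vssadmin delete shadows' from an admin console does not clear the bar."""
    per_parent: dict[str, set[str]] = {}
    for ev in events:
        tags = classify_cmdline(ev.cmdline)
        if tags:
            per_parent.setdefault(ev.parent_image, set()).update(tags)
    return {p: t for p, t in per_parent.items() if len(t) >= min_tags}


MALWARE = "file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe"

# Constructed from the Process information rows. PID 1216's command line is
# verbatim; the wevtutil arguments (PID 7652) are ASSUMED, since the report lists
# the wevtutil launches without their command lines; PID 9999 is an invented
# benign launch used as a negative case.
SAMPLE_EVENTS = [
    ProcEvent(1216, "cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /c vssadmin delete shadows /all /quiet '
              '& wmic shadowcopy delete '
              '& bcdedit /set {default} bootstatuspolicy ignoreallfailures '
              '& bcdedit /set {default} recoveryenabled no '
              '& wbadmin delete catalog -quiet', MALWARE),
    ProcEvent(2220, "vssadmin.exe", "vssadmin delete shadows /all /quiet ", "cmd.exe"),
    ProcEvent(632, "bcdedit.exe",
              "bcdedit /set {default} bootstatuspolicy ignoreallfailures", "cmd.exe"),
    ProcEvent(7652, "cmd.exe", '"C:\\Windows\\System32\\cmd.exe" /c wevtutil cl Security', MALWARE),
    ProcEvent(9999, "cmd.exe", '"C:\\Windows\\System32\\cmd.exe" /c dir C:\\Users', "explorer.exe"),
]

if __name__ == "__main__":
    for parent, tags in find_inhibit_recovery(SAMPLE_EVENTS).items():
        print(f"{parent}: {sorted(tags)}")
```

With the default threshold only the sample's image is reported, with all five tags; the cmd.exe parent, which directly launched vssadmin and bcdedit, collects two tags and drops below the bar, which is the intended behaviour since in a real process tree the grandparent is what you want to pivot on.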
Total events: 5 583
Read events: 5 463
Write events: 66
Delete events: 54

Modification events

PID 1688, dllhost.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\ICM\Calibration | Operation: write | Name: DisplayCalibrator
Value: C:\Users\admin\AppData\Local\Temp\file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe

PID 3688, file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Operation: write | Name: XO1XADpO01
Value: "C:\Users\admin\AppData\Local\Temp\file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe"

PID 3688, file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe | Key: HKEY_CURRENT_USER\SOFTWARE\LockBit | Operation: write | Name: full
Value: 78740C7640053524967FB52E1A23D6EAE5659A4472B6FB3B97CE7B969CE6AF1B031234B168F10E8FF418A32B3AE1CCC3CE05D71842508765719E7139E13AA95CF10209D95CB846774C985CAD6239953A9F097DDDA9984F3DC325292A2924CC38F41E70C1D3E7386BDE5BECDE86269720F39E2ADE0DC5298143B37DE8C36E60BCF895DBA29859F3D713607C9FE806523FE22A997BC817FFF477D89676C1E056EEC87C96F538E5FDFB36D09F3BC9AC16C05907B988A2EC937D4051AEABED82023CFC8E6008B8A017B040BE336CB0FF7C8583B4C149A5DD3E65D8769E3F7B320DAEE4664D1E11AE641A72E41B6F01E242D5F42DF6056DF508356BE81FFCC27CF5D0333441717C454B2E95F33B9FDF1ABE0319CE92A1D10BC316A14B6AE11049F053D685BE5416E25BA531C404275914E4C499EA4F1E2CE8AE7D5C45E5A1E8A8BC38478FC73981C58869F1A4432D260527A6DF6EC0BCB81001FBDEF8AA38A99C0E461071FF0F7A4C46735235D46D233135E2C0070AFA306A62DA4A11AC8A5C857973D6D6F3FD18F1F0849742AF01B70A83147E5C15D1B7227D19DEF2482870A9184E94C2BAFAD1ACBEDBF557C8EBA0DDAD9A4B5A100FA3730AF7F8D65DF39344E5276BC571A2EBCE70698F34F28ECF9E6BCEFA95BC0A2BCDCF80922BBEA2808B23569FB9C0C784797C85CAC0583BC4612259B16CE2BE5D05E340FF7C72962D4360BD4D47707A98DD20162A75057EDEC507017EC37A27924BF2614E88218B696DB9E76228E180DDC8D2161A9EE99111B226DBBCA965DAA3661FFA9ED55739C291C08800F2EF37B41C714171B0D8E364D9484AC71F39675F087B92F2A43294D8FE2E651864C499565C16534B25C0B1E2660D938BC4501C82C1F99A1C22510F4D8C33A510B6EBAB3F08E4A65B46E86641C3B424383DBF4BCB8E4D526CBE28FFC39C2A7AA157C62EE9B865F1275537AFBFBF7667C004910857EB7F1B0E7976D75E4889904DC808809FCACAF0F0C574A22279F0D8DE841409C790EE5712FC7D5B5F0472BCF9FC9E2507DA24A6A828C5074C9221A83DDB13C65B5A339A01319C66C7DDE97F3BBF78EB06E7962A40F5F94E31329423B5969F02D28227D936FDE74DF05AEBD36AF9FDCFE5A83AD48E2696ECCA21EDF75E1DCD6FF628E96A5389AD4E728CE544E7384E6273606A5FB5F94D52B7C9583E1A1DE2F5EBEA0C91FFFF487AE040158653521F248FE559970633CD9160E7F900D5F1A356BC39D0701EE91E26AD1879ED7C2B3CA8DF014599F5A96BDBA61C22AFCC7B008DB1FC4BC1F513E131D63B57C99382C84A5EB43FCCA31DB19726EF9C6A2C237959CE793EEFE388430F70ED2369EF059491F67A79D3C697F0BC70BAE26E7020233526FEC67D15C87EB0E9F26C9F0264A2A3340D094DFC7140AD94E26636CCBD4745C75EC36483B5CB86131B0C81457C8BA226BB26C5F3A3B2C1C7AF5FB56D9603D0BC211D6F1AE06DB03F352C943A44B0979CBF4606AC2AA9AB686284DB18EE050AA5909EA62D93207B11CF9B3DEB0AB4F82E76E48D527F4DD71C75A450415D3A8C89E99BA42DC9B1DC63F6501C1BCF6F4F665063914B2674BCD83088C9C381638EB645FD6638D36E7168DD70E080A530977479724611A9D06B9865610C944EB7DD41840529149D884F5E7BA36302093B7F69A563370F0EBEE195EB8B29F7D5F9442BB8684D079F8A95ED5C929B6C2D8D43D8603612FADA12A25502AC610990E6C58ECDC2F5356D5751B59099AA04C1CF8FD471A765E3463BC93B2834C37B3465B946D2176EAFDFD317B10F50B5

PID 3688, file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe | Key: HKEY_CURRENT_USER\SOFTWARE\LockBit | Operation: write | Name: Public
Value: (not included in this export)

PID 2180, ShellExperienceHost.exe | Key: \REGISTRY\A\{0bcf0e77-d933-a6e2-c9ba-899ca8ee8d4c}\LocalState | Operation: write | Name: PeekBadges
Value: 5B005D000000092AABF62BEEDB01

PID 3688, file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{eaf65672-68c3-4f99-8d5c-104b5f4d8fff} | Operation: write | Name: MaxCapacity
Value: 51

PID 3688, file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{eaf65672-68c3-4f99-8d5c-104b5f4d8fff} | Operation: write | Name: NukeOnDelete
Value: 0

PID 3688, file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2f5c5e71-85a9-11eb-90a8-9a9b76358421} | Operation: write | Name: MaxCapacity
Value: 49

PID 3688, file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2f5c5e71-85a9-11eb-90a8-9a9b76358421} | Operation: write | Name: NukeOnDelete
Value: 0

PID 3688, file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2f5c5e73-85a9-11eb-90a8-9a9b76358421} | Operation: write | Name: MaxCapacity
Value: 83
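Three of the registry writes above are the ones an analyst cares about: the Run-key entry pointing into %TEMP% (the "Changes the autorun value in the registry" indicator), the DisplayCalibrator value that dllhost.exe (PID 1688, the CMSTPLUA COM surrogate from the behavior graph) set to the sample's path shortly before the sample appears at HIGH integrity with dllhost.exe as its parent, and the large hex blob stored under HKCU\SOFTWARE\LockBit. The BitBucket writes are a side effect of the encryptor touching each volume's Recycle Bin, which makes them a cheap count of the volumes it walked. The classifier below is an added example, not ANY.RUN's or the sample's code; its records are constructed from the events listed above, with the "full" value cut to its first 64 bytes and the "Public" value, absent from this export, not reproduced.

```python
"""Classify the registry writes in the Modification events above.
Added example, not ANY.RUN's or the sample's code. The records are constructed
from the report: the 'full' value is cut to its first 64 bytes and the 'Public'
value, which this export does not show, is not reproduced."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegEvent:
    pid: int
    process: str
    key: str
    operation: str
    name: str
    value: str


_RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
_CALIBRATION_KEY = re.compile(r"\\Windows NT\\CurrentVersion\\ICM\\Calibration$", re.I)
_BITBUCKET_VOLUME = re.compile(r"\\Explorer\\BitBucket\\Volume\\(\{[0-9a-f-]{36}\})$", re.I)
_HKCU_VENDOR = re.compile(r"^HKEY_CURRENT_USER\\SOFTWARE\\([^\\]+)", re.I)
_USER_WRITABLE_DIR = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
_HEX = re.compile(r"^[0-9A-Fa-f]+$")
# HKCU\SOFTWARE subtrees where opaque binary values are normal.
_KNOWN_VENDORS = {"microsoft", "classes", "policies", "wow6432node"}


def is_hex_blob(value: str, min_bytes: int = 64) -> bool:
    """Even-length hex string encoding at least min_bytes bytes."""
    return len(value) >= 2 * min_bytes and len(value) % 2 == 0 and bool(_HEX.match(value))


def classify_reg_event(ev: RegEvent) -> list[str]:
    """Tags for one registry write; an empty list means nothing of note."""
    tags: list[str] = []
    if ev.operation.lower() != "write":
        return tags
    if _RUN_KEY.search(ev.key):
        tags.append("autorun_persistence")                       # ATT&CK T1547.001
        if _USER_WRITABLE_DIR.search(ev.value):
            tags.append("autorun_from_user_writable_dir")
    if _CALIBRATION_KEY.search(ev.key) and ev.name.lower() == "displaycalibrator":
        # In the report this value is set to the sample's path by dllhost.exe
        # (PID 1688) and the sample then runs at HIGH integrity with dllhost.exe
        # as its parent; any non-Microsoft DisplayCalibrator path is worth a flag.
        tags.append("display_calibrator_hijack")
    m = _HKCU_VENDOR.search(ev.key)
    if m and m.group(1).lower() not in _KNOWN_VENDORS and is_hex_blob(ev.value):
        tags.append("opaque_blob_under_custom_key")              # stored key material
    if _BITBUCKET_VOLUME.search(ev.key):
        tags.append("recycle_bin_volume_touch")                  # one write per volume walked
    return tags


def summarize(events: list[RegEvent]) -> dict[str, list[tuple[int, str]]]:
    """tag -> [(pid, value name), ...] over all events."""
    out: dict[str, list[tuple[int, str]]] = {}
    for ev in events:
        for tag in classify_reg_event(ev):
            out.setdefault(tag, []).append((ev.pid, ev.name))
    return out


def volumes_touched(events: list[RegEvent]) -> set[str]:
    """Distinct volume GUIDs whose Recycle Bin settings were written: a cheap
    proxy for how many volumes the encryptor walked."""
    vols: set[str] = set()
    for ev in events:
        m = _BITBUCKET_VOLUME.search(ev.key)
        if m and ev.operation.lower() == "write":
            vols.add(m.group(1).lower())
    return vols


MALWARE = "file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe"
MALWARE_PATH = "C:\\Users\\admin\\AppData\\Local\\Temp\\" + MALWARE
# First 64 bytes of the 'full' value from the report; the remainder is cut.
FULL_PREFIX = ("78740C7640053524967FB52E1A23D6EAE5659A4472B6FB3B97CE7B969CE6AF1B"
               "031234B168F10E8FF418A32B3AE1CCC3CE05D71842508765719E7139E13AA95C")
_BB = "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\BitBucket\\Volume\\"

# Constructed from the Modification events listed in the report.
SAMPLE_REG_EVENTS = [
    RegEvent(1688, "dllhost.exe",
             "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\ICM\\Calibration",
             "write", "DisplayCalibrator", MALWARE_PATH),
    RegEvent(3688, MALWARE, "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
             "write", "XO1XADpO01", f'"{MALWARE_PATH}"'),
    RegEvent(3688, MALWARE, "HKEY_CURRENT_USER\\SOFTWARE\\LockBit", "write", "full", FULL_PREFIX),
    RegEvent(2180, "ShellExperienceHost.exe",
             "\\REGISTRY\\A\\{0bcf0e77-d933-a6e2-c9ba-899ca8ee8d4c}\\LocalState",
             "write", "PeekBadges", "5B005D000000092AABF62BEEDB01"),
] + [RegEvent(3688, MALWARE, _BB + vol, "write", name, val) for vol, name, val in [
    ("{eaf65672-68c3-4f99-8d5c-104b5f4d8fff}", "MaxCapacity", "51"),
    ("{eaf65672-68c3-4f99-8d5c-104b5f4d8fff}", "NukeOnDelete", "0"),
    ("{2f5c5e71-85a9-11eb-90a8-9a9b76358421}", "MaxCapacity", "49"),
    ("{2f5c5e71-85a9-11eb-90a8-9a9b76358421}", "NukeOnDelete", "0"),
    ("{2f5c5e73-85a9-11eb-90a8-9a9b76358421}", "MaxCapacity", "83"),
]]

if __name__ == "__main__":
    for tag, hits in summarize(SAMPLE_REG_EVENTS).items():
        print(f"{tag}: {hits}")
    print("volumes touched:", sorted(volumes_touched(SAMPLE_REG_EVENTS)))
```

The ShellExperienceHost write is the negative case: a short hex value under a per-app \REGISTRY\A hive produces no tag, while the 64-byte prefix of the "full" value under a non-Microsoft HKCU\SOFTWARE key does.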
Executable files: 19
Suspicious files: 3 830
Text files: 1 402
Unknown types: 0

Dropped files

PID | Process | Filename | Type

3688 | file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe | \\?\Volume{eaf65672-68c3-4f99-8d5c-104b5f4d8fff}\$RECYCLE.BIN\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini | text
MD5: AD0B0B4416F06AF436328A3C12DC491B
SHA256: 23521DE51CA1DB2BC7B18E41DE7693542235284667BF85F6C31902547A947416
3688 | file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe | \\?\Volume{2f5c5e71-85a9-11eb-90a8-9a9b76358421}\$RECYCLE.BIN\desktop.ini | text
MD5: AD0B0B4416F06AF436328A3C12DC491B
SHA256: 23521DE51CA1DB2BC7B18E41DE7693542235284667BF85F6C31902547A947416
3688 | file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe | C:\$WinREAgent\Rollback.xml.lockbit | binary
MD5: 41375DB4A467E96AE5118296E974AC70
SHA256: 8FA6484F05776C429A53CACC040AA351B17E113ED4F06BFC14937375C3D638C8
3688 | file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe | C:\found.000\dir0001.chk\WmiApRpl.h.lockbit | binary
MD5: 38DE58045D1D1AF57E0A419D1F55C5CE
SHA256: 1FF14144148F771D15A2C6AD44B9873C62895811A0798E699920F39D8B87CC39
3688 | file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe | C:\found.000\Restore-My-Files.txt | text
MD5: AF58FD1B97500EF399BB4300EC4BC1F7
SHA256: FEE34614F0465A1E8F64541257F9015A8827ADCBCF3AA40D94B42B3C3D36EBEB
3688 | file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe | C:\$WinREAgent\Restore-My-Files.txt | text
MD5: AF58FD1B97500EF399BB4300EC4BC1F7
SHA256: FEE34614F0465A1E8F64541257F9015A8827ADCBCF3AA40D94B42B3C3D36EBEB
3688 | file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe | \\?\Volume{2f5c5e71-85a9-11eb-90a8-9a9b76358421}\Restore-My-Files.txt | text
MD5: AF58FD1B97500EF399BB4300EC4BC1F7
SHA256: FEE34614F0465A1E8F64541257F9015A8827ADCBCF3AA40D94B42B3C3D36EBEB
3688 | file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe | C:\found.000\dir0000.chk\UpdateSessionOrchestration.037.etl.lockbit | binary
MD5: 897C6D43C031CCC0F3A40C292C9EE4C7
SHA256: 26ABF13CA491433830865A358A40EA6108BCC7036820669AB5F1B181B2E529B2
3688 | file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe | C:\$WinREAgent\Backup\Restore-My-Files.txt | text
MD5: AF58FD1B97500EF399BB4300EC4BC1F7
SHA256: FEE34614F0465A1E8F64541257F9015A8827ADCBCF3AA40D94B42B3C3D36EBEB
3688 | file.0xa60dfe563a30.0xa60dfac42a20.ImageSectionObject.SumudraPDF.exe.img.exe | C:\$WinREAgent\Backup\location.txt.lockbit | binary
MD5: 8F0E431D6D66C84EC53A2E8B0B764FB0
SHA256: ECAAFF1478E79BB194C40FF0A25247558DC5BDCDD316B8B5587109AC0482B2CB
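The dropped-file list is enough to recover the two facts an incident responder needs first: the extension appended to encrypted files (.lockbit, visible on names that still carry their original extension underneath) and the ransom note (Restore-My-Files.txt, the same MD5/SHA256 written into four different directories). The triage routine below is an added example, not ANY.RUN's or the sample's code; its records are constructed from the table above with the hashes as printed. It also handles the one trap in this data: the two desktop.ini files in $RECYCLE.BIN on different volumes share a hash too, and would otherwise be reported as a second ransom note.

```python
"""Triage of the Dropped files table above: recover the appended extension,
find the ransom note by its hash replicated across directories, and list the
Recycle Bin desktop.ini writes. Added example, not ANY.RUN's or the sample's
code; the records are constructed from the table with the hashes as printed."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DroppedFile:
    pid: int
    path: str
    ftype: str    # "text" / "binary", as the report labels them
    md5: str
    sha256: str


def split_path(path: str) -> tuple[str, str]:
    """(directory, basename) for a Windows path, including \\?\Volume{...} forms.
    Done by hand: pathlib's treatment of the \\?\ prefix differs across versions."""
    head, _, tail = path.rpartition("\\")
    return head, tail


def appended_extension(files) -> Optional[tuple[str, int]]:
    """Most common final suffix among non-text names that still carry an
    original extension underneath (name.ext.<appended>), with its count."""
    c: Counter = Counter()
    for f in files:
        parts = split_path(f.path)[1].split(".")
        if len(parts) >= 3 and f.ftype != "text":
            c["." + parts[-1].lower()] += 1
    return c.most_common(1)[0] if c else None


def ransom_note_candidates(files, min_dirs: int = 2,
                           ignore_names=frozenset({"desktop.ini"})) -> dict[str, tuple[str, list[str]]]:
    """sha256 -> (basename, directories) for text files whose identical content
    was written into at least min_dirs directories. desktop.ini is ignored by
    default: the encryptor also writes identical ones into $RECYCLE.BIN on every
    volume it walks, which would otherwise look like a second note."""
    dirs_by_hash: dict[str, set[str]] = defaultdict(set)
    name_by_hash: dict[str, str] = {}
    for f in files:
        d, n = split_path(f.path)
        if f.ftype == "text" and n.lower() not in ignore_names:
            dirs_by_hash[f.sha256].add(d)
            name_by_hash.setdefault(f.sha256, n)
    return {h: (name_by_hash[h], sorted(ds))
            for h, ds in dirs_by_hash.items() if len(ds) >= min_dirs}


def recycle_bin_desktop_ini(files) -> list[str]:
    return [f.path for f in files
            if "\\$RECYCLE.BIN\\" in f.path.upper()
            and split_path(f.path)[1].lower() == "desktop.ini"]


def encrypted_files(files, ext: str) -> list[str]:
    return [f.path for f in files if split_path(f.path)[1].lower().endswith(ext)]


def triage(files) -> dict:
    ext = appended_extension(files)
    notes = ransom_note_candidates(files)
    return {
        "appended_extension": ext[0] if ext else None,
        "encrypted_files": encrypted_files(files, ext[0]) if ext else [],
        "ransom_notes": {h: name for h, (name, _) in notes.items()},
        "ransom_note_dirs": {h: ds for h, (_, ds) in notes.items()},
        "recycle_bin_desktop_ini": recycle_bin_desktop_ini(files),
    }


NOTE_MD5 = "AF58FD1B97500EF399BB4300EC4BC1F7"
NOTE_SHA = "FEE34614F0465A1E8F64541257F9015A8827ADCBCF3AA40D94B42B3C3D36EBEB"
INI_MD5 = "AD0B0B4416F06AF436328A3C12DC491B"
INI_SHA = "23521DE51CA1DB2BC7B18E41DE7693542235284667BF85F6C31902547A947416"
V1 = "\\\\?\\Volume{eaf65672-68c3-4f99-8d5c-104b5f4d8fff}"
V2 = "\\\\?\\Volume{2f5c5e71-85a9-11eb-90a8-9a9b76358421}"

# Constructed from the Dropped files table (all written by PID 3688).
SAMPLE_DROPPED = [
    DroppedFile(3688, V1 + "\\$RECYCLE.BIN\\S-1-5-21-1693682860-607145093-2874071422-1001\\desktop.ini", "text", INI_MD5, INI_SHA),
    DroppedFile(3688, V2 + "\\$RECYCLE.BIN\\desktop.ini", "text", INI_MD5, INI_SHA),
    DroppedFile(3688, "C:\\$WinREAgent\\Rollback.xml.lockbit", "binary", "41375DB4A467E96AE5118296E974AC70", "8FA6484F05776C429A53CACC040AA351B17E113ED4F06BFC14937375C3D638C8"),
    DroppedFile(3688, "C:\\found.000\\dir0001.chk\\WmiApRpl.h.lockbit", "binary", "38DE58045D1D1AF57E0A419D1F55C5CE", "1FF14144148F771D15A2C6AD44B9873C62895811A0798E699920F39D8B87CC39"),
    DroppedFile(3688, "C:\\found.000\\Restore-My-Files.txt", "text", NOTE_MD5, NOTE_SHA),
    DroppedFile(3688, "C:\\$WinREAgent\\Restore-My-Files.txt", "text", NOTE_MD5, NOTE_SHA),
    DroppedFile(3688, V2 + "\\Restore-My-Files.txt", "text", NOTE_MD5, NOTE_SHA),
    DroppedFile(3688, "C:\\found.000\\dir0000.chk\\UpdateSessionOrchestration.037.etl.lockbit", "binary", "897C6D43C031CCC0F3A40C292C9EE4C7", "26ABF13CA491433830865A358A40EA6108BCC7036820669AB5F1B181B2E529B2"),
    DroppedFile(3688, "C:\\$WinREAgent\\Backup\\Restore-My-Files.txt", "text", NOTE_MD5, NOTE_SHA),
    DroppedFile(3688, "C:\\$WinREAgent\\Backup\\location.txt.lockbit", "binary", "8F0E431D6D66C84EC53A2E8B0B764FB0", "ECAAFF1478E79BB194C40FF0A25247558DC5BDCDD316B8B5587109AC0482B2CB"),
]

if __name__ == "__main__":
    for k, v in triage(SAMPLE_DROPPED).items():
        print(k, v)
```

On this input the routine reports ".lockbit" (four encrypted files), one ransom note hash seen in four directories, and two Recycle Bin desktop.ini writes; passing an empty ignore_names set shows the desktop.ini false positive the default filter suppresses.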
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
35
DNS requests
18
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation (the Type and Size columns are empty in this export)

1268 | svchost.exe | GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1268 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6284 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
7368 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7368 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6404 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
1268 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
6284 | svchost.exe | 20.190.159.75:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6284 | svchost.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 2.20.245.137
  • 2.20.245.139
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 184.30.21.171
whitelisted
login.live.com
  • 20.190.159.75
  • 20.190.159.64
  • 40.126.31.71
  • 40.126.31.69
  • 40.126.31.3
  • 40.126.31.1
  • 20.190.159.68
  • 20.190.159.129
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.14
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted

Threats

No threats detected
Process | Message

wbadmin.exe | Invalid parameter passed to C runtime function.
wbadmin.exe | Invalid parameter passed to C runtime function.
wbadmin.exe | Invalid parameter passed to C runtime function.
wbadmin.exe | Invalid parameter passed to C runtime function.
wbadmin.exe | Invalid parameter passed to C runtime function.