File name: SumatraPDF-3.1.2-installXP.exe

Full analysis: https://app.any.run/tasks/bff5496a-a698-407c-9018-d9244d239c72
Verdict: Malicious activity
Analysis date: July 28, 2024, 13:24:19
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: B2E5034C3323826689A8F9CE689240A2
SHA1: B750EEC0F91A5CF2E43259C935C5473C82D27D72
SHA256: 81A27D50ABE66F52EC4F1A948827B0654EF86BE9F5F1DA1B16BBFC1454E040C9
SSDEEP: 98304:JXwpmJIfB7EUdkeUxNAH5kkOlxUbIn/A/b1MYgjkwfuBI+Rj3dVKHxz0Jz6BoKBP:clbkf7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • SumatraPDF-3.1.2-installXP.exe (PID: 6616)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • SumatraPDF-3.1.2-installXP.exe (PID: 6616)
    • Explorer used for Indirect Command Execution

      • explorer.exe (PID: 4544)
    • Searches for installed software

      • SumatraPDF.exe (PID: 1516)
    • Reads security settings of Internet Explorer

      • SumatraPDF.exe (PID: 1516)
    • Creates a software uninstall entry

      • SumatraPDF-3.1.2-installXP.exe (PID: 6616)
  • INFO

    • Checks supported languages

      • SumatraPDF-3.1.2-installXP.exe (PID: 6616)
      • SumatraPDF.exe (PID: 1516)
    • Reads the computer name

      • SumatraPDF-3.1.2-installXP.exe (PID: 6616)
      • SumatraPDF.exe (PID: 1516)
    • Checks proxy server information

      • slui.exe (PID: 5532)
      • slui.exe (PID: 4912)
    • Reads CPU info

      • SumatraPDF-3.1.2-installXP.exe (PID: 6616)
      • SumatraPDF.exe (PID: 1516)
    • Reads the software policy settings

      • slui.exe (PID: 5532)
      • slui.exe (PID: 4912)
    • Creates files in the program directory

      • SumatraPDF-3.1.2-installXP.exe (PID: 6616)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 5312)
    • Creates files or folders in the user directory

      • SumatraPDF.exe (PID: 1516)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:08:14 03:38:05+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 135168
InitializedDataSize: 4714496
UninitializedDataSize: -
EntryPoint: 0x10ac0
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 3.1.2.0
ProductVersionNumber: 3.1.2.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
FileDescription: SumatraPDF Installer
FileVersion: 3.1.2
LegalCopyright: Copyright 2006-2016 all authors (GPLv3)
OriginalFileName: SumatraPDF-installer.exe
ProductName: SumatraPDF Installer
ProductVersion: 3.1.2
CompanyName: Krzysztof Kowalczyk
No data.
All screenshots are available in the full report
Total processes: 141
Monitored processes: 7
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Process nodes shown in the graph (interactive view in the full report): start, sumatrapdf-3.1.2-installxp.exe, slui.exe, explorer.exe (no specs), explorer.exe (no specs), sumatrapdf.exe (no specs), slui.exe, sumatrapdf-3.1.2-installxp.exe (no specs)

Process information

PID: 1516
CMD: "C:\Program Files (x86)\SumatraPDF\SumatraPDF.exe"
Path: C:\Program Files (x86)\SumatraPDF\SumatraPDF.exe
Parent process: explorer.exe
User: admin
Company: Krzysztof Kowalczyk
Integrity Level: MEDIUM
Description: SumatraPDF
Version: 3.1.2
Modules (images):
c:\program files (x86)\sumatrapdf\sumatrapdf.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 4544
CMD: "C:\WINDOWS\explorer.exe" "C:\Program Files (x86)\SumatraPDF\SumatraPDF.exe"
Path: C:\Windows\explorer.exe
Parent process: SumatraPDF-3.1.2-installXP.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Explorer
Exit code: 1
Version: 10.0.19041.3758 (WinBuild.160101.0800)
Modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll

PID: 4912
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 5312
CMD: C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Path: C:\Windows\explorer.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 10.0.19041.3758 (WinBuild.160101.0800)
Modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll

PID: 5532
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 6056
CMD: "C:\Users\admin\Desktop\SumatraPDF-3.1.2-installXP.exe"
Path: C:\Users\admin\Desktop\SumatraPDF-3.1.2-installXP.exe
Parent process: explorer.exe
User: admin
Company: Krzysztof Kowalczyk
Integrity Level: MEDIUM
Description: SumatraPDF Installer
Exit code: 3221226540 (0xC000042C)
Version: 3.1.2
Modules (images):
c:\users\admin\desktop\sumatrapdf-3.1.2-installxp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 6616
CMD: "C:\Users\admin\Desktop\SumatraPDF-3.1.2-installXP.exe"
Path: C:\Users\admin\Desktop\SumatraPDF-3.1.2-installXP.exe
Parent process: explorer.exe
User: admin
Company: Krzysztof Kowalczyk
Integrity Level: HIGH
Description: SumatraPDF Installer
Exit code: 0
Version: 3.1.2
Modules (images):
c:\users\admin\desktop\sumatrapdf-3.1.2-installxp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll

Total events: 16 434
Read events: 16 366
Write events: 68
Delete events: 0

Modification events

All ten registry writes below were made by (PID) Process: (6616) SumatraPDF-3.1.2-installXP.exe to Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SumatraPDF with Operation: write.

Name | Value
DisplayIcon | C:\Program Files (x86)\SumatraPDF\SumatraPDF.exe
DisplayName | SumatraPDF
DisplayVersion | 3.1.2
EstimatedSize | 11167
InstallDate | 20240728
InstallLocation | C:\Program Files (x86)\SumatraPDF
NoModify | 1
NoRepair | 1
Publisher | Krzysztof Kowalczyk
UninstallString | "C:\Program Files (x86)\SumatraPDF\uninstall.exe"

Executable files: 5
Suspicious files: 2
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6616 | SumatraPDF-3.1.2-installXP.exe | C:\Program Files (x86)\SumatraPDF\libmupdf.dll | executable
    MD5: 028E33A2A09B0158BE50BBE090AAB3D1
    SHA256: 3A0665970B082EDFF0F7020E191531E2B68C1A2382EC103286BED78C733CB3D6
6616 | SumatraPDF-3.1.2-installXP.exe | C:\Program Files (x86)\SumatraPDF\PdfFilter.dll | executable
    MD5: A5385EE69B810D7380AD3559F30EB4DC
    SHA256: A31F96FB4A9A692393B623D81B23C0ADFDBFA9B254E58B9D27455A038148440C
6616 | SumatraPDF-3.1.2-installXP.exe | C:\Program Files (x86)\SumatraPDF\SumatraPDF.exe | executable
    MD5: AC5E2C8596636464801C4BBB207346F3
    SHA256: 646BC2BF947235D70A8CCE413E1A86091CAFA60305671F7E8432B72AB624A2A2
6616 | SumatraPDF-3.1.2-installXP.exe | C:\Program Files (x86)\SumatraPDF\PdfPreview.dll | executable
    MD5: 6DD4A9ECFDE0FC0494FAD0DBCFF5EE2A
    SHA256: BF692FE8F4E4C40AF5C685E6C6BB806111078BB63EB69425BDCBC2BA7A55FB29
1516 | SumatraPDF.exe | C:\Users\admin\AppData\Roaming\SumatraPDF\SumatraPDF-settings.txt | text
    MD5: B8D380319B1762D47A241FDF186600A2
    SHA256: 6C64C50E67DDF5AB22BFD60C056687CB94E5190D61D638BCF66F5024EBB5030E
6616 | SumatraPDF-3.1.2-installXP.exe | C:\Program Files (x86)\SumatraPDF\DroidSansFallback.ttf | binary
    MD5: D97171CB16F2F25583B51BAF5E8936AA
    SHA256: 8FE329BFCAB968760BE992F1550428821C5B3AC4B246BD60DD8C1F9B7E26E2A0
6616 | SumatraPDF-3.1.2-installXP.exe | C:\Program Files (x86)\SumatraPDF\uninstall.exe | executable
    MD5: 4CC75CFB88E321D3560BBF7F39DFC99C
    SHA256: 238CB2105910F48DED12A74F79C8224EBF70E48C9812216486F3C10D09129731
6616 | SumatraPDF-3.1.2-installXP.exe | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SumatraPDF.lnk | lnk
    MD5: 7764032650F85880748D611A2420A437
    SHA256: 8BEEF02EDC8125D8ABBC349AC0CD7F3E48082190F82D0A4A893A92E1FFCEB1A1

HTTP(S) requests: 5
TCP/UDP connections: 23
DNS requests: 10
Threats: 0

HTTP requests

(The PID, Process and CN columns are empty for every row in the report.)

Method | HTTP Code | IP | URL | Reputation | Type | Size
GET | 200 | 13.107.246.45:443 | https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?5d4a2dcba33e699653c21a0699ed0e8d | unknown | image | 43 b
POST | 204 | 104.126.37.160:443 | https://www.bing.com/threshold/xls.aspx | unknown | - | -
POST | 200 | 20.189.173.3:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b
POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b
POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6220 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3952 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
- | - | 131.253.33.254:443 | a-ring-fallback.msedge.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
- | - | 104.126.37.144:443 | www.bing.com | Akamai International B.V. | DE | unknown
5284 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6012 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
456 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1044 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
t-ring-fdv2.msedge.net | 13.107.237.254 | unknown
settings-win.data.microsoft.com | 40.127.240.158, 4.231.128.59 | whitelisted
a-ring-fallback.msedge.net | 131.253.33.254 | unknown
www.bing.com | 104.126.37.144, 104.126.37.137, 104.126.37.145, 104.126.37.155, 104.126.37.153, 104.126.37.146, 104.126.37.139, 104.126.37.161, 104.126.37.136 | whitelisted
google.com | 142.250.184.206 | whitelisted
fp-afd-nocache-ccp.azureedge.net | 13.107.246.45 | whitelisted
self.events.data.microsoft.com | 20.189.173.18 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted

Threats

No threats detected
No debug info