File name: file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat

Full analysis: https://app.any.run/tasks/28ed126e-696c-46e1-b762-8f85b88ad53b
Verdict: Malicious activity
Threats:

LockBit, a ransomware variant, encrypts data on infected machines and demands a ransom payment for decryption. Used in targeted attacks, it is a significant risk to organizations.

Analysis date: July 06, 2025, 05:46:53
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
ransomware
lockbit
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5: 0ABE38B4CD645C6BEE657D3BAF1CB151
SHA1: 9043818BEC8AA7E3F9519D3BB240CAABA3A70035
SHA256: A4C4BFFE19D5544E7C9A285F913E1E8231AA50562988CE97DF62170E12FC2A5B
SSDEEP: 24576:uG4ZKt7mq6i6KZoYxOIqOMNbPctc2EVQ7mRBobTQJtU:uG4ZKt7mq6i6KZoYxOIqOMNbPctc2EVe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe (PID: 1480)
    • Deletes shadow copies

      • cmd.exe (PID: 3608)
      • cmd.exe (PID: 1132)
      • cmd.exe (PID: 5548)
      • cmd.exe (PID: 7268)
      • cmd.exe (PID: 7396)
      • cmd.exe (PID: 8168)
      • cmd.exe (PID: 7896)
    • RANSOMWARE has been detected

      • file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe (PID: 1480)
    • Using BCDEDIT.EXE to modify recovery options

      • cmd.exe (PID: 4832)
      • cmd.exe (PID: 7196)
      • cmd.exe (PID: 7992)
      • cmd.exe (PID: 8076)
      • cmd.exe (PID: 3608)
    • [YARA] LockBit is detected

      • file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe (PID: 1480)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe (PID: 1480)
      • ShellExperienceHost.exe (PID: 3788)
    • Starts CMD.EXE for commands execution

      • file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe (PID: 1480)
    • Executes as Windows Service

      • VSSVC.exe (PID: 3672)
      • wbengine.exe (PID: 7804)
      • vds.exe (PID: 7760)
    • Write to the desktop.ini file (may be used to cloak folders)

      • file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe (PID: 1480)
    • Uses WEVTUTIL.EXE to cleanup log

      • cmd.exe (PID: 7644)
      • cmd.exe (PID: 7728)
      • cmd.exe (PID: 7808)
      • cmd.exe (PID: 2120)
      • cmd.exe (PID: 7448)
      • cmd.exe (PID: 7284)
    • Uses WMIC.EXE to obtain shadow copy information

      • cmd.exe (PID: 7528)
      • cmd.exe (PID: 7376)
    • Connects to unusual port

      • file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe (PID: 1480)
  • INFO

    • Reads the computer name

      • file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe (PID: 4692)
      • file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe (PID: 1480)
      • ShellExperienceHost.exe (PID: 3788)
    • Checks supported languages

      • file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe (PID: 4692)
      • file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe (PID: 1480)
      • ShellExperienceHost.exe (PID: 3788)
    • The sample compiled with english language support

      • file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe (PID: 4692)
    • Create files in a temporary directory

      • file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe (PID: 4692)
      • file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe (PID: 1480)
    • Reads the machine GUID from the registry

      • file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe (PID: 4692)
    • Reads security settings of Internet Explorer

      • dllhost.exe (PID: 2128)
      • WMIC.exe (PID: 7412)
      • WMIC.exe (PID: 7592)
      • WMIC.exe (PID: 5084)
    • Process checks computer location settings

      • file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe (PID: 1480)
    • Launching a file from a Registry key

      • file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe (PID: 1480)
    • Creates files in the program directory

      • file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe (PID: 1480)
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1991:09:26 04:30:53+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 524800
InitializedDataSize: 278528
UninitializedDataSize: -
EntryPoint: 0x1000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 3.1.2.0
ProductVersionNumber: 3.1.2.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
FileDescription: SumatraPDF
FileVersion: 3.1.2
LegalCopyright: Copyright 2006-2016 all authors (GPLv3)
OriginalFileName: SumatraPDF.exe
ProductName: SumatraPDF
ProductVersion: 3.1.2
CompanyName: Krzysztof Kowalczyk
No data.
Total processes: 214
Monitored processes: 73
Malicious processes: 9
Suspicious processes: 0

Behavior graph

Graph nodes, in the order shown: file.0xa60dfe563a30.0xa60dfe989b90.datasectionobject.sumudrapdf.exe.dat.exe, conhost.exe, CMSTPLUA, Color Management, then the THREAT-flagged file.0xa60dfe563a30.0xa60dfe989b90.datasectionobject.sumudrapdf.exe.dat.exe, followed by repeated chains of cmd.exe -> conhost.exe -> vssadmin.exe / bcdedit.exe / wbadmin.exe / wmic.exe / wevtutil.exe (with vssvc.exe and shellexperiencehost.exe appearing early in the sequence), and finally bcdedit.exe, bcdedit.exe, wbadmin.exe, wbengine.exe, vdsldr.exe, vds.exe and slui.exe.

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID 188 | CMD: C:\WINDOWS\System32\slui.exe -Embedding | Path: C:\Windows\System32\slui.exe | Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID 756 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1132 | CMD: /c vssadmin Delete Shadows /All /Quiet | Path: C:\Windows\System32\cmd.exe | Parent process: file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID 1336 | CMD: vssadmin Delete Shadows /All /Quiet | Path: C:\Windows\System32\vssadmin.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\combase.dll
PID 1356 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1480 | CMD: "C:\Users\admin\AppData\Local\Temp\file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe" | Path: C:\Users\admin\AppData\Local\Temp\file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe | Parent process: dllhost.exe
User:
admin
Company:
Krzysztof Kowalczyk
Integrity Level:
HIGH
Description:
SumatraPDF
Version:
3.1.2
Modules
Images
c:\users\admin\appdata\local\temp\file.0xa60dfe563a30.0xa60dfe989b90.datasectionobject.sumudrapdf.exe.dat.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID 1828 | CMD: vssadmin delete shadows /all /quiet | Path: C:\Windows\System32\vssadmin.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\combase.dll
PID 1936 | CMD: C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | Path: C:\Windows\SysWOW64\dllhost.exe | Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\combase.dll
PID 2120 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 2120 | CMD: /c wevtutil cl security | Path: C:\Windows\System32\cmd.exe | Parent process: file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
Total events: 5 540
Read events: 5 422
Write events: 64
Delete events: 54

Modification events

(PID) Process: (1936) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\ICM\Calibration
Operation: write | Name: DisplayCalibrator
Value: C:\Users\admin\AppData\Local\Temp\file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe

(PID) Process: (1480) file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write | Name: XO1XADpO01
Value: "C:\Users\admin\AppData\Local\Temp\file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe"

(PID) Process: (1480) file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe
Key: HKEY_CURRENT_USER\SOFTWARE\LockBit
Operation: write | Name: full
Value: (omitted)

(PID) Process: (1480) file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe
Key: HKEY_CURRENT_USER\SOFTWARE\LockBit
Operation: write | Name: Public
Value: (omitted)

(PID) Process: (1480) file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2f5c5e71-85a9-11eb-90a8-9a9b76358421}
Operation: write | Name: MaxCapacity
Value: 49

(PID) Process: (1480) file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2f5c5e73-85a9-11eb-90a8-9a9b76358421}
Operation: write | Name: MaxCapacity
Value: 83

(PID) Process: (1480) file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2f5c5e73-85a9-11eb-90a8-9a9b76358421}
Operation: write | Name: NukeOnDelete
Value: 0

(PID) Process: (1480) file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2f5c5e71-85a9-11eb-90a8-9a9b76358421}
Operation: write | Name: NukeOnDelete
Value: 0

(PID) Process: (1480) file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{eaf65672-68c3-4f99-8d5c-104b5f4d8fff}
Operation: write | Name: MaxCapacity
Value: 51

(PID) Process: (1480) file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{eaf65672-68c3-4f99-8d5c-104b5f4d8fff}
Operation: write | Name: NukeOnDelete
Value: 0
Executable files: 26
Suspicious files: 7 172
Text files: 1 517
Unknown types: 0

Dropped files

Columns: PID | Process | Filename | Type

PID 1480 | file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe | \\?\Volume{eaf65672-68c3-4f99-8d5c-104b5f4d8fff}\$RECYCLE.BIN\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini | text
MD5: AD0B0B4416F06AF436328A3C12DC491B
SHA256: 23521DE51CA1DB2BC7B18E41DE7693542235284667BF85F6C31902547A947416

PID 1480 | file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe | C:\found.000\dir0000.chk\UpdateSessionOrchestration.048.etl.lockbit | binary
MD5: 46D7B5995639E21BA8CE7BAAF22357B7
SHA256: CFC02C4F11C270D6B4AB253A92E935DCF77FCF6542B5765F3177FEAC5A95A951

PID 1480 | file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe | C:\$WinREAgent\Restore-My-Files.txt | text
MD5: 00E7A527DF7F3A4C5C692A08DC4BA75E
SHA256: 220C1A07258A985C7919ACA17169C2391268D0B73CA9431A0A16C23AFD5358CB

PID 1480 | file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe | C:\$WinREAgent\Backup\Restore-My-Files.txt | text
MD5: 00E7A527DF7F3A4C5C692A08DC4BA75E
SHA256: 220C1A07258A985C7919ACA17169C2391268D0B73CA9431A0A16C23AFD5358CB

PID 1480 | file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe | C:\found.000\dir0000.chk\UpdateSessionOrchestration.049.etl.lockbit | binary
MD5: 5EB811CF706B49442F5FB08CD519E89D
SHA256: E862B0FC758B3E4C30C3856681D4747B7E5157F127DE22481A449D7815544371

PID 1480 | file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe | \\?\Volume{2f5c5e71-85a9-11eb-90a8-9a9b76358421}\Restore-My-Files.txt | text
MD5: 00E7A527DF7F3A4C5C692A08DC4BA75E
SHA256: 220C1A07258A985C7919ACA17169C2391268D0B73CA9431A0A16C23AFD5358CB

PID 1480 | file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe | C:\found.000\dir0000.chk\Restore-My-Files.txt | text
MD5: 00E7A527DF7F3A4C5C692A08DC4BA75E
SHA256: 220C1A07258A985C7919ACA17169C2391268D0B73CA9431A0A16C23AFD5358CB

PID 1480 | file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe | C:\found.000\dir0000.chk\UpdateSessionOrchestration.037.etl.lockbit | binary
MD5: 9A1564FBBA34A4E91785F424986F1C7F
SHA256: 143424FB25FFC62D27968F5ADB814C3203173A0A7B87A8FD0EC49A886A4F2E7F

PID 1480 | file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe | C:\found.000\dir0000.chk\UpdateSessionOrchestration.016.etl.lockbit | binary
MD5: 442ADB9B0F7069CCD4CF7D425E800AA1
SHA256: E5CCE549831CF31D34B024045473FCCAE0403DF0912CD292A95BE5DAB22BCC5E

PID 1480 | file.0xa60dfe563a30.0xa60dfe989b90.DataSectionObject.SumudraPDF.exe.dat.exe | C:\found.000\dir0000.chk\UpdateSessionOrchestration.052.etl.lockbit | binary
MD5: 76F8DD38E127BA5EFF4CB848C5F48DC6
SHA256: CA513600E513A9E1613F9116D8A8EB2DCAABAE993336E1DAD277142712A4DF5F
HTTP(S) requests: 6
TCP/UDP connections: 38
DNS requests: 17
Threats: 0

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation (empty cells are not shown in the rows below)

1268 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4132 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
1268 | svchost.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
7364 | SIHClient.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7364 | SIHClient.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
2940 | svchost.exe | GET | 200 | 2.23.197.184:80 | http://x1.c.lencr.org/ | unknown | whitelisted

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4040 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4132 | svchost.exe | 20.190.159.2:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4132 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.142
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 2.23.181.156
whitelisted
login.live.com
  • 20.190.159.2
  • 40.126.31.67
  • 20.190.159.73
  • 40.126.31.73
  • 20.190.159.131
  • 20.190.159.130
  • 40.126.31.71
  • 20.190.159.68
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
nexusrules.officeapps.live.com
  • 52.111.236.23
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted

Threats

No threats detected

Columns: Process | Message

wbadmin.exe | Invalid parameter passed to C runtime function. (reported 5 times)