| File name: | SumatraPDF-3.4.6-64-install.exe |
| Full analysis: | https://app.any.run/tasks/81058802-b6d5-415e-974c-06ec9858b4fa |
| Verdict: | Malicious activity |
| Analysis date: | July 28, 2024, 12:58:57 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32+ executable (GUI) x86-64, for MS Windows |
| MD5: | 5825A6110ACCCED8F5580207C94E2805 |
| SHA1: | EC3E46A43E95E4D1F3380F3022EBCBBEF49D27AF |
| SHA256: | AA79391C7DB478FBB969875DA39CE09E3E8124B869ACC3178F5B6A3B4E10D5CE |
| SSDEEP: | 196608:gGWpkdKiynKtTuSyM1MeRk9BqHtLKpfX/TL1LKo+7SH94WSv8:6SDXtTrTRk9ButLKpP//1LKo+7SKvv8 |
MALICIOUS
Drops the executable file immediately after the start
- SumatraPDF-3.4.6-64-install.exe (PID: 996)
SUSPICIOUS
Explorer used for Indirect Command Execution
- explorer.exe (PID: 1644)
Creates a software uninstall entry
- SumatraPDF-3.4.6-64-install.exe (PID: 996)
Executable content was dropped or overwritten
- SumatraPDF-3.4.6-64-install.exe (PID: 996)
Searches for installed software
- SumatraPDF.exe (PID: 2888)
Reads security settings of Internet Explorer
- SumatraPDF.exe (PID: 2888)
INFO
Reads CPU info
- SumatraPDF-3.4.6-64-install.exe (PID: 996)
- SumatraPDF.exe (PID: 2888)
Creates files or folders in the user directory
- SumatraPDF-3.4.6-64-install.exe (PID: 996)
- SumatraPDF.exe (PID: 2888)
Checks supported languages
- SumatraPDF-3.4.6-64-install.exe (PID: 996)
- SumatraPDF.exe (PID: 2888)
Reads the computer name
- SumatraPDF-3.4.6-64-install.exe (PID: 996)
- SumatraPDF.exe (PID: 2888)
Checks proxy server information
- slui.exe (PID: 6676)
Reads security settings of Internet Explorer
- explorer.exe (PID: 2240)
Reads the software policy settings
- slui.exe (PID: 6676)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (87.3) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (6.3) |
| .exe | | | DOS Executable Generic (6.3) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2022:06:08 21:27:39+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.32 |
| CodeSize: | 1186304 |
| InitializedDataSize: | 6302720 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xe98cc |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 3.4.6.0 |
| ProductVersionNumber: | 3.4.6.0 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| FileDescription: | SumatraPDF |
| FileVersion: | 3.4.6 |
| LegalCopyright: | Copyright 2006-2022 all authors (GPLv3) |
| ProductName: | SumatraPDF |
| ProductVersion: | 3.4.6 |
| CompanyName: | Krzysztof Kowalczyk |
Total processes
139
Monitored processes
6
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 996 | "C:\Users\admin\Desktop\SumatraPDF-3.4.6-64-install.exe" | C:\Users\admin\Desktop\SumatraPDF-3.4.6-64-install.exe | explorer.exe | ||||||||||||
User: admin Company: Krzysztof Kowalczyk Integrity Level: MEDIUM Description: SumatraPDF Exit code: 0 Version: 3.4.6 Modules
| |||||||||||||||
| 1644 | "C:\WINDOWS\explorer.exe" "C:\Users\admin\AppData\Local\SumatraPDF\SumatraPDF.exe" | C:\Windows\explorer.exe | — | SumatraPDF-3.4.6-64-install.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 10.0.19041.3758 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2240 | C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | C:\Windows\explorer.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 10.0.19041.3758 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2888 | "C:\Users\admin\AppData\Local\SumatraPDF\SumatraPDF.exe" | C:\Users\admin\AppData\Local\SumatraPDF\SumatraPDF.exe | — | explorer.exe | |||||||||||
User: admin Company: Krzysztof Kowalczyk Integrity Level: MEDIUM Description: SumatraPDF Version: 3.4.6 Modules
| |||||||||||||||
| 4544 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6676 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
15 699
Read events
15 496
Write events
182
Delete events
21
Modification events
| (PID) Process: | (996) SumatraPDF-3.4.6-64-install.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer |
| Operation: | write | Name: | GlobalAssocChangedCounter |
Value: 91 | |||
| (PID) Process: | (996) SumatraPDF-3.4.6-64-install.exe | Key: | HKEY_CLASSES_ROOT\.pdf\OpenWithProgids |
| Operation: | delete value | Name: | SumatraPDF |
Value: | |||
| (PID) Process: | (996) SumatraPDF-3.4.6-64-install.exe | Key: | HKEY_CLASSES_ROOT\.pdf\OpenWithProgids |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (996) SumatraPDF-3.4.6-64-install.exe | Key: | HKEY_CLASSES_ROOT\.pdf |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (996) SumatraPDF-3.4.6-64-install.exe | Key: | HKEY_CLASSES_ROOT\.xps |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (996) SumatraPDF-3.4.6-64-install.exe | Key: | HKEY_CLASSES_ROOT\.epub\OpenWithProgids |
| Operation: | delete value | Name: | SumatraPDF |
Value: | |||
| (PID) Process: | (996) SumatraPDF-3.4.6-64-install.exe | Key: | HKEY_CLASSES_ROOT\.epub\OpenWithProgids |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (996) SumatraPDF-3.4.6-64-install.exe | Key: | HKEY_CLASSES_ROOT\.epub |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (996) SumatraPDF-3.4.6-64-install.exe | Key: | HKEY_CLASSES_ROOT\.tif\OpenWithProgids |
| Operation: | delete value | Name: | SumatraPDF |
Value: | |||
| (PID) Process: | (996) SumatraPDF-3.4.6-64-install.exe | Key: | HKEY_CLASSES_ROOT\.tiff\OpenWithProgids |
| Operation: | delete value | Name: | SumatraPDF |
Value: | |||
Executable files
4
Suspicious files
2
Text files
1
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 996 | SumatraPDF-3.4.6-64-install.exe | C:\Users\admin\AppData\Local\SumatraPDF\SumatraPDF.exe | executable | |
MD5:5825A6110ACCCED8F5580207C94E2805 | SHA256:AA79391C7DB478FBB969875DA39CE09E3E8124B869ACC3178F5B6A3B4E10D5CE | |||
| 996 | SumatraPDF-3.4.6-64-install.exe | C:\Users\admin\AppData\Local\SumatraPDF\PdfPreview.dll | executable | |
MD5:44C10BFB6CF61A413ECD0C0AA9A66CFA | SHA256:857F32B3797AAD4CC6E21A0CC4BB52446736D13E950D33A265613C12C4882034 | |||
| 996 | SumatraPDF-3.4.6-64-install.exe | C:\Users\admin\AppData\Local\SumatraPDF\PdfFilter.dll | executable | |
MD5:F5A556BADC3F09C359F9D8D3E214ADE1 | SHA256:3EC7153D062EFF2D3650A255F34CB4D86B4077634EBFE5FB4F3574B75B40CCD7 | |||
| 996 | SumatraPDF-3.4.6-64-install.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\SumatraPDF.lnk | binary | |
MD5:DC8DBF273C0F0042606EF92AB0B4C6D8 | SHA256:A9A9F77598DF3CB7D30ECDB16ED23B4BCD99256379971006E56778223ABC1409 | |||
| 996 | SumatraPDF-3.4.6-64-install.exe | C:\Users\admin\Desktop\SumatraPDF.lnk | binary | |
MD5:1351C3AEF08E32266C776CCB8EE5940F | SHA256:6670E3729FB84B6FD8BFD432D56E5A6094BD774CBF5532B676B45DB9DF557E1C | |||
| 996 | SumatraPDF-3.4.6-64-install.exe | C:\Users\admin\AppData\Local\SumatraPDF\libmupdf.dll | executable | |
MD5:3F86EC8C34BF38425AB76255C33485BA | SHA256:D8210AC1CB117A92A60794378B73931A233BA71958EA06F1E6382894CE9EF261 | |||
| 2888 | SumatraPDF.exe | C:\Users\admin\AppData\Local\SumatraPDF\SumatraPDF-settings.txt | text | |
MD5:7967A2E149F6FCC0C6061617B817844C | SHA256:62F9B047748F02EFC3B1F1BC4AF89D3015C628B440FC867A0A6D186E7F3B908B | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
22
DNS requests
8
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | POST | 204 | 104.126.37.185:443 | https://www.bing.com/threshold/xls.aspx | unknown | — | — | — |
— | — | GET | 200 | 13.107.246.45:443 | https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?5d4a2dcba33e699653c21a0699ed0e8d | unknown | image | 43 b | — |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | — |
— | — | POST | 200 | 20.42.65.88:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b | — |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
752 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
— | — | 131.253.33.254:443 | a-ring-fallback.msedge.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
— | — | 104.126.37.171:443 | www.bing.com | Akamai International B.V. | DE | unknown |
6764 | slui.exe | 52.161.91.37:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
6012 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
4376 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
1044 | slui.exe | 52.161.91.37:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
3952 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
t-ring-fdv2.msedge.net |
| unknown |
settings-win.data.microsoft.com |
| whitelisted |
a-ring-fallback.msedge.net |
| unknown |
www.bing.com |
| whitelisted |
google.com |
| whitelisted |
fp-afd-nocache-ccp.azureedge.net |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |