File name:

EXPEDIENTE FISCAL DETALLADO CRF-2738273829.exe

Full analysis: https://app.any.run/tasks/3fd969d9-db52-4186-89a4-031332cbc858
Verdict: Malicious activity
Analysis date: May 09, 2025, 18:27:22
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
evasion
netreactor
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

305BAC3298BEA2AF43F9D68CA4568BBA

SHA1:

B50391FB325AB153B284B786102689C0232DA3EC

SHA256:

3DF5CC4135BC3650D9B768B9720516BE082FD429BDA04B2C6B59A0F78715BCF2

SSDEEP:

98304:JIAJfK/sIzOm5cQhbhLVLLMTfJ2HynqrJHfcW223fbxUt1AG6liI8ipClKjKWGyz:R59Q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts Visual C# compiler

      • EXPEDIENTE FISCAL DETALLADO CRF-2738273829.exe (PID: 5756)

    • Changes the autorun value in the registry

      • reg.exe (PID: 5544)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • EXPEDIENTE FISCAL DETALLADO CRF-2738273829.exe (PID: 4244)

    • There is functionality for taking screenshot (YARA)

      • EXPEDIENTE FISCAL DETALLADO CRF-2738273829.exe (PID: 4244)
      • EXPEDIENTE FISCAL DETALLADO CRF-2738273829.exe (PID: 5756)

    • Starts CMD.EXE for commands execution

      • EXPEDIENTE FISCAL DETALLADO CRF-2738273829.exe (PID: 5756)

    • Checks for external IP

      • EXPEDIENTE FISCAL DETALLADO CRF-2738273829.exe (PID: 4244)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 4728)

    • Connects to unusual port

      • csc.exe (PID: 968)

  • INFO

    • The sample compiled with english language support

      • EXPEDIENTE FISCAL DETALLADO CRF-2738273829.exe (PID: 4244)

    • Reads the computer name

      • EXPEDIENTE FISCAL DETALLADO CRF-2738273829.exe (PID: 4244)
      • csc.exe (PID: 968)

    • Checks proxy server information

      • EXPEDIENTE FISCAL DETALLADO CRF-2738273829.exe (PID: 4244)
      • slui.exe (PID: 6032)

    • Checks supported languages

      • EXPEDIENTE FISCAL DETALLADO CRF-2738273829.exe (PID: 4244)
      • csc.exe (PID: 968)
      • EXPEDIENTE FISCAL DETALLADO CRF-2738273829.exe (PID: 5756)

    • Reads the software policy settings

      • slui.exe (PID: 6032)
      • slui.exe (PID: 6972)

    • Reads the machine GUID from the registry

      • csc.exe (PID: 968)

    • .NET Reactor protector has been detected

      • csc.exe (PID: 968)

    • Create files in a temporary directory

      • EXPEDIENTE FISCAL DETALLADO CRF-2738273829.exe (PID: 4244)

    • Manual execution by a user

      • EXPEDIENTE FISCAL DETALLADO CRF-2738273829.exe (PID: 5756)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:11:22 08:36:52+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 2914816
InitializedDataSize: 3442176
UninitializedDataSize: -
EntryPoint: 0x8fa84
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.5.7.0
ProductVersionNumber: 1.5.7.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Haihaisoft Limited
FileDescription: Haihaisoft PDF Reader
FileVersion: 1.5.7.0
InternalName: hpreader.exe
LegalCopyright: Copyright (C) 2006-2017 Haihaisoft Limited
OriginalFileName: hpreader.exe
ProductName: Haihaisoft PDF Reader
ProductVersion: 1.5.7.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
141
Monitored processes
11
Malicious processes
0
Suspicious processes
2

Behavior graph

Click at the process to see the details
start expediente fiscal detallado crf-2738273829.exe sppextcomobj.exe no specs slui.exe rundll32.exe no specs slui.exe expediente fiscal detallado crf-2738273829.exe no specs csc.exe svchost.exe cmd.exe no specs conhost.exe no specs reg.exe

Process information

PID
CMD
Path
Indicators
Parent process
968"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
EXPEDIENTE FISCAL DETALLADO CRF-2738273829.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
4244"C:\Users\admin\AppData\Local\Temp\EXPEDIENTE FISCAL DETALLADO CRF-2738273829.exe" C:\Users\admin\AppData\Local\Temp\EXPEDIENTE FISCAL DETALLADO CRF-2738273829.exe
explorer.exe
User:
admin
Company:
Haihaisoft Limited
Integrity Level:
MEDIUM
Description:
Haihaisoft PDF Reader
Exit code:
0
Version:
1.5.7.0
Modules
Images
c:\users\admin\appdata\local\temp\expediente fiscal detallado crf-2738273829.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
4728cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MSVC Sensor" /t REG_SZ /d "rundll32.exe C:\Users\admin\Documents\TeniumUpdater12390.dll",EntryPoint /f & exitC:\Windows\SysWOW64\cmd.exeEXPEDIENTE FISCAL DETALLADO CRF-2738273829.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
4784C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
5544reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MSVC Sensor" /t REG_SZ /d "rundll32.exe C:\Users\admin\Documents\TeniumUpdater12390.dll",EntryPoint /f C:\Windows\SysWOW64\reg.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
5756"C:\Users\admin\Desktop\EXPEDIENTE FISCAL DETALLADO CRF-2738273829.exe" C:\Users\admin\Desktop\EXPEDIENTE FISCAL DETALLADO CRF-2738273829.exeexplorer.exe
User:
admin
Company:
Haihaisoft Limited
Integrity Level:
MEDIUM
Description:
Haihaisoft PDF Reader
Exit code:
2510698164
Version:
1.5.7.0
Modules
Images
c:\users\admin\desktop\expediente fiscal detallado crf-2738273829.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
6032C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
6652C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\System32\rundll32.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
6940\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
1 999
Read events
1 997
Write events
2
Delete events
0

Modification events

(PID) Process:(4244) EXPEDIENTE FISCAL DETALLADO CRF-2738273829.exeKey:HKEY_CURRENT_USER\SOFTWARE\Haihaisoft PDF Reader
Operation:writeName:UpdateDate
Value:
133912888495090000
(PID) Process:(5544) reg.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:MSVC Sensor
Value:
rundll32.exe C:\Users\admin\Documents\TeniumUpdater12390.dll,EntryPoint
Executable files
0
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
5756EXPEDIENTE FISCAL DETALLADO CRF-2738273829.exeC:\Users\admin\Documents\TeniumUpdater12390.dll
MD5:
SHA256:
4244EXPEDIENTE FISCAL DETALLADO CRF-2738273829.exeC:\Users\admin\AppData\Local\Temp\hpreaderfprefs.dattext
MD5:54540B85AA2E432851718116915C5B06
SHA256:24C2D1A16174C14276615E4B7C1DF35A5A8B7A94D6F2861810AF1F54D4D00DFD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
26
DNS requests
19
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4244
EXPEDIENTE FISCAL DETALLADO CRF-2738273829.exe
GET
200
163.171.242.20:80
http://www.drm-x.com/pdfversion.htm
unknown
unknown
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4688
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4688
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5496
MoUsoCoreWorker.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4244
EXPEDIENTE FISCAL DETALLADO CRF-2738273829.exe
163.171.242.20:80
www.drm-x.com
QUANTILNETWORKS
US
unknown
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
40.126.31.129:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.142
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 2.23.246.101
whitelisted
www.drm-x.com
  • 163.171.242.20
  • 163.171.242.18
  • 163.171.128.150
  • 163.171.156.15
  • 163.171.242.19
  • 163.171.128.241
unknown
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 40.126.31.129
  • 20.190.159.129
  • 20.190.159.131
  • 40.126.31.3
  • 20.190.159.71
  • 40.126.31.131
  • 40.126.31.1
  • 40.126.31.2
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted

Threats

PID
Process
Class
Message
4244
EXPEDIENTE FISCAL DETALLADO CRF-2738273829.exe
Device Retrieving External IP Address Detected
SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
2196
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to a *.mysynology .net Domain
968
csc.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 30
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
EXPEDIENTE FISCAL DETALLADO CRF-2738273829.exe