File name: 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe
Full analysis: https://app.any.run/tasks/714ca5df-5874-449f-8871-1be608cf109f
Verdict: Malicious activity
Analysis date: July 20, 2024, 10:45:55
OS: Windows 10 Professional (build: 19045, 64 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 73BCF4528162C221496131CF769F8609
SHA1: 181FE6005295BC58105E86BA571D5EC3D6B4D4C6
SHA256: 80377F3354DE3DA5B2BB94EB9EB4844C37BA25BBFDEACA6F4E398574528259A3
SSDEEP: 3072:MTrqjDCSr3c+uoIh6ltns1rbMLlGbbeD+4:MTrwrcb4GbaS4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Scans artifacts that could help determine the target

      • 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe (PID: 6148)
    • Drops the executable file immediately after the start

      • 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe (PID: 6148)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe (PID: 6148)
    • Reads Microsoft Outlook installation path

      • 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe (PID: 6148)
    • Reads Internet Explorer settings

      • 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe (PID: 6148)
    • Connects to unusual port

      • 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe (PID: 6148)
    • Process requests binary or script from the Internet

      • 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe (PID: 6148)
  • INFO

    • Checks supported languages

      • 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe (PID: 6148)
    • Checks proxy server information

      • 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe (PID: 6148)
      • slui.exe (PID: 7024)
    • Reads the computer name

      • 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe (PID: 6148)
    • Creates files or folders in the user directory

      • 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe (PID: 6148)
    • Process checks Internet Explorer phishing filters

      • 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe (PID: 6148)
    • Reads the software policy settings

      • slui.exe (PID: 7024)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:01:30 09:14:02+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 66560
InitializedDataSize: 50176
UninitializedDataSize: -
EntryPoint: 0x1072c
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 22.12.30.1
ProductVersionNumber: 22.12.30.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: upexLite Microsoft 基础类应用程序
FileVersion: 22, 12, 30, 1
InternalName: upexLite
LegalCopyright: 版权所有 (C) 2012
LegalTrademarks: -
OriginalFileName: upexLite.EXE
PrivateBuild: -
ProductName: upexLite 应用程序
ProductVersion: 22, 12, 30, 1
SpecialBuild: -
No data.
All screenshots are available in the full report
Total processes: 136
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start: 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe, slui.exe

Process information

PID: 6148
CMD: "C:\Users\admin\Desktop\80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe"
Path: C:\Users\admin\Desktop\80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: upexLite Microsoft 基础类应用程序
Version: 22, 12, 30, 1
Modules (images):
c:\users\admin\desktop\80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 7024
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 5 076
Read events: 5 063
Write events: 13
Delete events: 0

Modification events

(PID) Process: (6148) 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (6148) 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (6148) 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (6148) 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (6148) 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (6148) 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (6148) 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (6148) 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch
Operation: write
Name: Version
Value: WS not running

(PID) Process: (6148) 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation: write
Name: DisableFirstRunCustomize
Value: 1
Executable files: 1
Suspicious files: 206
Text files: 6
Unknown types: 2

Dropped files

PID | Process | Filename | Type
6148 | 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe | C:\Compass\WavMain\__upv3_temp\00000063.udp | binary
  MD5: 9AA0F236A2FBDBB067107CC5D72CDADC
  SHA256: D8D37B2F8C04C031D17AE3DDF42EB64A5003A9E93180F762BA024602226AA2E9
6148 | 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\ujs[1].htm | text
  MD5: B5ECB0256EC38EF13E9FA05F2CEFF7DE
  SHA256: 8A13EC9B7EF6D8F4605E4EB138397D937D561AD987A5CD97CBF747F7921E6C36
6148 | 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe | C:\Compass\WavMain\__upv3_temp\00000069.udp | binary
  MD5: 70C3F2DCCDDDAEB3DADDE80D1ABC539E
  SHA256: B8085AFF909AEF74FB79C4A9CAA4B10C5B5BCFAE8B0FD1339D66BA960A132C1A
6148 | 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\nohijack[1].js | binary
  MD5: F54000C998D5CC41D2FDAFF900FF2C3A
  SHA256: 18F27A7EF7744ED9EF66AC79A401D5D3BD347B02A13685B8344CB2B68D5B0A24
6148 | 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe | C:\Compass\WavMain\__upv3_temp\00000064.udp | bib
  MD5: F717342030EDDB78119220DCB1FFF0E1
  SHA256: 89F5E4B0D33488246616722B69875ACD350C8571207EF6402F2DDABB7F61135F
6148 | 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe | C:\Compass\WavMain\__upv3_temp\00000147.udp | binary
  MD5: 9A3BB1BA7A2E08D95EE2D6748A6D1878
  SHA256: A1D6FD1CD28B027CB3C125AFDE41A34D276400632337111C072561DEE16B1A14
6148 | 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe | C:\Compass\WavMain\__upv3_temp\00000145.udp | binary
  MD5: 74D24169DDF11E868E3395E6CB0542F0
  SHA256: 20640ECB7B2FDD700DD84BC7027633CEB2E05B34A69C1B1ED5BE16C18C12434A
6148 | 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe | C:\Compass\WavMain\__upv3_temp\00000059.udp | binary
  MD5: 6757FDCFD061B6929F6803EE7BD3E64B
  SHA256: 43E6D21BB81C04DDC6999C6906FA49EEE8FF35E21A3735E3600F1C8D0D0F83E7
6148 | 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe | C:\Compass\WavMain\__upv3_temp\00000070.udp | binary
  MD5: 047A8533066C9CEB8F0FC358C3F9696B
  SHA256: 6E6CA7E3A101A88B0A20C4C27668E9E46DD52ECEE491297FA69B292C9850BD99
6148 | 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe | C:\Compass\WavMain\__upv3_temp\00000153.udp | binary
  MD5: 835B779C129C8BE408AD14744699DE50
  SHA256: 00835B2DEC003F6B345E717D4877CF871F5BE6158286D9D6EE7CB5F58D1B0C05
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 23
TCP/UDP connections: 52
DNS requests: 20
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 304 | 20.12.23.50:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
- | - | GET | 200 | 20.12.23.50:443 | https://slscr.update.microsoft.com/sls/ping | unknown | - | - | -
- | - | GET | 200 | 13.85.23.206:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | - | - | -
- | - | GET | 304 | 20.12.23.50:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
6148 | 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe | GET | 200 | 49.233.125.252:80 | http://cweb.compass.cn/dispatcher/?action=install&gid=13&pid=5740&exename=80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe&step=0&channelid=1&ts=4370000 | unknown | - | - | unknown
6148 | 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe | GET | - | 180.76.118.5:80 | http://trace.compass.cn/ujs.php?v=36 | unknown | - | - | unknown
6148 | 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe | GET | - | 180.76.118.5:80 | http://trace.compass.cn/nohijack.js?v=36 | unknown | - | - | unknown
6148 | 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe | GET | 200 | 49.233.125.252:80 | http://cweb.compass.cn/dispatcher/?action=install&gid=13&pid=5740&exename=80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe&step=1&channelid=1&ts=4371593 | unknown | - | - | unknown
- | - | GET | 304 | 20.12.23.50:443 | https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
- | - | POST | 401 | 4.208.221.206:443 | https://licensing.mp.microsoft.com/v7.0/licenses/content | unknown | binary | 340 b | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4716 | svchost.exe | 20.190.160.22:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5620 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
7856 | svchost.exe | 4.209.33.156:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
- | - | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 40.115.3.253:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6148 | 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe | 49.233.125.252:80 | cweb.compass.cn | Shenzhen Tencent Computer Systems Company Limited | CN | unknown
7484 | backgroundTaskHost.exe | 20.223.35.26:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
6148 | 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe | 180.76.118.5:80 | trace.compass.cn | Beijing Baidu Netcom Science and Technology Co., Ltd. | CN | unknown
6148 | 80377f3354de3da5b2bb94eb9eb4844c37ba25bbfdeaca6f4e398574528259a3.exe | 61.135.173.233:5215 | u3.compass.cn | China Unicom Beijing Province Network | CN | unknown

DNS requests

Domain
IP
Reputation
login.live.com
  • 20.190.160.22
  • 40.126.32.134
  • 40.126.32.68
  • 40.126.32.72
  • 20.190.160.20
  • 40.126.32.140
  • 20.190.160.14
  • 40.126.32.74
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.238
whitelisted
cweb.compass.cn
  • 49.233.125.252
  • 180.76.150.202
  • 180.76.136.109
unknown
arc.msn.com
  • 20.223.35.26
whitelisted
misc-cdn.compass.cn
  • 183.240.240.35
  • 183.240.238.35
  • 120.233.47.193
unknown
image2-cdn.compass.cn
  • 118.212.230.35
  • 113.142.207.35
  • 121.14.135.35
  • 182.140.225.35
  • 183.61.177.35
  • 222.216.122.35
  • 118.212.224.35
  • 106.225.194.35
  • 61.170.103.35
  • 61.170.99.35
unknown
trace.compass.cn
  • 180.76.118.5
unknown
u3.compass.cn
  • 61.135.173.233
unknown
www.bing.com
  • 184.86.251.16
  • 184.86.251.19
  • 184.86.251.5
  • 184.86.251.13
  • 184.86.251.10
  • 184.86.251.18
  • 184.86.251.9
  • 184.86.251.11
  • 184.86.251.14
whitelisted

Threats

PID | Process | Class | Message
- | - | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method
No debug info