File name:

hpreader.exe

Full analysis: https://app.any.run/tasks/27f6bf3e-b962-40ed-8315-e8b02b5f7cae
Verdict: Malicious activity
Analysis date: April 06, 2025, 02:13:30
OS: Windows 10 Professional (build: 19044, 64 bit)
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

EC5FABCE1AEA37883CE92D016C8A8E20

SHA1:

C0554C4D746A823E0DFEDC23B1D7F823AB7A3840

SHA256:

A70EA8F787E6560D48FE90182E9C0E5EBC587D96BEA3AB6491BA29EF4727A95F

SSDEEP:

98304:vIAJfK/sIzOm5cQhbhLVLLMTfJ2HynqrJHfcW223fbxUt1AG6liI8ipClKjKWGyd:z59e

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • hpreader.exe (PID: 7656)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • hpreader.exe (PID: 7656)

    • Checks for external IP

      • hpreader.exe (PID: 7656)

    • There is functionality for taking screenshot (YARA)

      • hpreader.exe (PID: 7656)

  • INFO

    • The sample compiled with english language support

      • hpreader.exe (PID: 7656)

    • Checks proxy server information

      • hpreader.exe (PID: 7656)

    • Checks supported languages

      • hpreader.exe (PID: 7656)

    • Reads the computer name

      • hpreader.exe (PID: 7656)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:11:22 08:36:52+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 2914816
InitializedDataSize: 3442176
UninitializedDataSize: -
EntryPoint: 0x8fa84
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.5.7.0
ProductVersionNumber: 1.5.7.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Haihaisoft Limited
FileDescription: Haihaisoft PDF Reader CYBV 454 Malware Analysis
FileVersion: 1.5.7.0
InternalName: hpreader.exe
LegalCopyright: Copyright (C) 2006-2025 Michael Galde
OriginalFileName: hpreader.exe
ProductName: Haihaisoft PDF Reader
ProductVersion: 1.5.7.0
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
129
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start hpreader.exe slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
5072C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7656"C:\Users\admin\AppData\Local\Temp\hpreader.exe" C:\Users\admin\AppData\Local\Temp\hpreader.exe
explorer.exe
User:
admin
Company:
Haihaisoft Limited
Integrity Level:
MEDIUM
Description:
Haihaisoft PDF Reader CYBV 454 Malware Analysis
Version:
1.5.7.0
Modules
Images
c:\users\admin\appdata\local\temp\hpreader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
557
Read events
556
Write events
1
Delete events
0

Modification events

(PID) Process:(7656) hpreader.exeKey:HKEY_CURRENT_USER\SOFTWARE\Haihaisoft PDF Reader
Operation:writeName:UpdateDate
Value:
133883792195640000
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
20
DNS requests
13
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
2.16.164.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
2.16.164.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7656
hpreader.exe
GET
200
163.171.132.220:80
http://www.drm-x.com/pdfversion.htm
unknown
malicious
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7332
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7332
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
2.16.164.120:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
2.16.164.120:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
2112
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7656
hpreader.exe
163.171.132.220:80
www.drm-x.com
QUANTILNETWORKS
DE
malicious
3216
svchost.exe
172.172.255.217:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6544
svchost.exe
20.190.160.64:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.206
whitelisted
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.49
whitelisted
www.drm-x.com
  • 163.171.132.220
  • 163.171.128.241
  • 163.171.156.15
  • 163.171.128.150
unknown
client.wns.windows.com
  • 172.172.255.217
whitelisted
login.live.com
  • 20.190.160.64
  • 20.190.160.3
  • 20.190.160.20
  • 20.190.160.128
  • 20.190.160.131
  • 40.126.32.133
  • 40.126.32.76
  • 20.190.160.67
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted

Threats

PID
Process
Class
Message
7656
hpreader.exe
Device Retrieving External IP Address Detected
SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
hpreader.exe