File name:	CompassBrowser.exe
Full analysis:	https://app.any.run/tasks/56c9991a-bc80-4668-b65c-2fca778650c6
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	April 29, 2025, 15:36:10
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	loader themida websocket
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	8E35857682038620140A6803156A2C44
SHA1:	05E2FB75104F821A4ECD3A9D7574514DDEB6D38A
SHA256:	D4CEC6D012F99C9DE1B93277E1DF954C1F19FEE2CF67953CA04A83FC16B09FB0
SSDEEP:	12288:eVU242prXQU2VB2mIKscfRNyY5yKbnf0/:eVfrX8nQayY5yM0/

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2022:11:03 11:35:44+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.29
CodeSize:	116736
InitializedDataSize:	378880
UninitializedDataSize:	-
EntryPoint:	0x4ff7
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	2.5.0.2
ProductVersionNumber:	2.5.0.2
FileFlagsMask:	0x0017
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
Comments:	ITS GCO Bootstrap
CompanyName:	Internet Testing Systems
FileDescription:	ITS GCO Bootstrap
FileVersion:	2.5.0.2
InternalName:	VerifyAndLaunch
LegalCopyright:	(C) Internet Testing Systems
OriginalFileName:	VerifyAndLaunch.exe
ProductName:	ITS GCO Bootstrap
ProductVersion:	2.5.0.2


(PID) Process:	(5864) CompassBrowser.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A78039010000FB9A790967ADD111ABCD00C04FC309369C000000
(PID) Process:	(5864) CompassBrowser.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D19010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A78039010000FB9A790967ADD111ABCD00C04FC309369C000000
(PID) Process:	(5864) CompassBrowser.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	SecureProtocols
Value: 2560
(PID) Process:	(5864) CompassBrowser.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(5864) CompassBrowser.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(5864) CompassBrowser.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(5864) CompassBrowser.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	SecureProtocols
Value: 2688
(PID) Process:	(3268) Compass Browser.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	SecureProtocols
Value: 2560
(PID) Process:	(3268) Compass Browser.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ Compass Browser_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(3268) Compass Browser.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ Compass Browser_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0

PID	Process	Filename		Type
5864	CompassBrowser.exe	C:\Users\admin\AppData\Local\Temp\ITS\WINCSECB\293\Production\ITS SB App SwitchNew.exe		executable
		MD5:8E277C55B2B8F512823E5C384D0E2177	SHA256:BB9A8CD5A67AF174554EFFD9CBEBB23DCA4D1ACCCF4B06F183430E0A7A11F46E
5864	CompassBrowser.exe	C:\Users\admin\AppData\Local\Temp\ITS\WINCSECB\293\Production\ITS SB App Switch.exe		executable
		MD5:8E277C55B2B8F512823E5C384D0E2177	SHA256:BB9A8CD5A67AF174554EFFD9CBEBB23DCA4D1ACCCF4B06F183430E0A7A11F46E
5864	CompassBrowser.exe	C:\Users\admin\AppData\Local\Temp\ITS\WINCSECB\293\Production\ Compass Browser.exe		executable
		MD5:2E6F3C93613099D2390F14811D965301	SHA256:6EC21F40BE0C27D486BD9DE7E158A397DE20513B7E9B2FE9B657D59B9B6486D2
3268	Compass Browser.exe	C:\Users\admin\AppData\Local\Temp\OSB\SignInfoConsole.exe		executable
		MD5:9C11A9BD1765AA8B89E9DE29D252A524	SHA256:E7832BCF1BDDD4A296C52AF635AD831DF01ED596ADAADDEFD4A9B1B1343F2387
920	ITS SB App Switch.exe	C:\Users\admin\AppData\Local\Temp\ITS\WINCSECB\293\Production\spinner.gif		image
		MD5:6C6CEC419AC6D816CBCEE433677BE050	SHA256:2BBEA1465D21E03A558067E70E5985F4FFCDD27D7C315AD0DBA80FF69A037F06
1348	SignInfoConsole.exe	C:\Users\admin\AppData\Local\Temp\Tmp55DD.tmp		binary
		MD5:D26EC6AAAD07CD32172B1BB704F88006	SHA256:1A7F806DB82DF87742E86311FC01FD7E91B30CEC86473B322655BF5318797CA5
3884	msedgewebview2.exe	C:\Users\admin\AppData\Local\Temp\.WebView2\EBWebView\Local State		binary
		MD5:6AEF8EEF038D8D707DCACC3BEF9A8FF8	SHA256:71C15635954561C74784E5C84456B6A52468101FF0300277E92987A335780E5C
3268	Compass Browser.exe	C:\Users\admin\AppData\Local\Temp\3b850057.dll		executable
		MD5:54567E082E0E1987F13A6FE7E3431761	SHA256:17DB2CE42B83BB8FE64B29F187D97C88598753C177A8868684F62F9EACF5E244
3884	msedgewebview2.exe	C:\Users\admin\AppData\Local\Temp\.WebView2\EBWebView\Crashpad\throttle_store.dat		text
		MD5:9E4E94633B73F4A7680240A0FFD6CD2C	SHA256:41C91A9C93D76295746A149DCE7EBB3B9EE2CB551D84365FFF108E59A61CC304
5864	CompassBrowser.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\Compass_Browser[1].exe		executable
		MD5:2E6F3C93613099D2390F14811D965301	SHA256:6EC21F40BE0C27D486BD9DE7E158A397DE20513B7E9B2FE9B657D59B9B6486D2

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6404	RUXIMICS.exe	GET	200	23.216.77.25:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	13.107.253.45:443	https://ondemand-candidate.certiport.com/css/EFH/Header.css	unknown	—	—	—
6404	RUXIMICS.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	161.47.163.213:443	https://www.starttest.com/sbrowser/ws/getconfiguration.aspx?AgentIdentifier=WINCSECB&programID=293&Environment=PRODUCTION&StartUrl=aHR0cHM6Ly9vbmRlbWFuZC1jYW5kaWRhdGUuY2VydGlwb3J0LmNvbTo0NDMvP2FjY2Vzc2NvZGU9NDVCLTJGLTY5MQ==&Shortcut=0&Cmd=download&sc=0bb8f38ee00fb9f5d4a207f17c3563f3c75e0856	unknown	executable	11.6 Mb	whitelisted
—	—	GET	200	13.107.253.45:443	https://ondemand-candidate.certiport.com/css/EFH/Footer.css	unknown	text	420 b	whitelisted
—	—	GET	200	13.107.253.45:443	https://ondemand-candidate.certiport.com/css/EFH/Download.css	unknown	text	2.80 Kb	whitelisted
—	—	GET	200	13.107.253.45:443	https://ondemand-candidate.certiport.com/css/cpui_compass.css	unknown	text	23.2 Kb	whitelisted
—	—	GET	200	13.107.253.45:443	https://ondemand-candidate.certiport.com/css/EFH/WaitSpinner.css	unknown	text	1.28 Kb	whitelisted
—	—	GET	200	13.107.253.45:443	https://ondemand-candidate.certiport.com/css/EFH/SymEntry.css	unknown	text	1.43 Kb	whitelisted
—	—	GET	200	161.47.163.213:443	https://www.starttest.com/Sbrowser/WS/getconfiguration.aspx?AgentIdentifier=WINCSECB&ProgramID=293&Environment=PRODUCTION&Language=ENU&Enc=1&cmd=messages&sc=9a7f8a8cbc2c6382be7094a52a87fc482cf614d1	unknown	text	19.8 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
6404	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6404	RUXIMICS.exe	23.216.77.25:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
6404	RUXIMICS.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5864	CompassBrowser.exe	161.47.163.213:443	www.starttest.com	RACKSPACE	US	whitelisted
3268	Compass Browser.exe	161.47.163.213:443	www.starttest.com	RACKSPACE	US	whitelisted
672	msedgewebview2.exe	13.107.42.16:443	config.edge.skype.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 40.127.240.158	whitelisted
google.com	142.250.186.110	whitelisted
crl.microsoft.com	23.216.77.25 23.216.77.18 23.216.77.10 23.216.77.14 23.216.77.23 23.216.77.21	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
www.starttest.com	161.47.163.213	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
ondemand-candidate.certiport.com	13.107.253.45	whitelisted
js.monitor.azure.com	13.107.246.45	whitelisted
pduc-cpod-chat-signalr.service.signalr.net	172.212.135.7	whitelisted

PID	Process	Class	Message
5864	CompassBrowser.exe	Misc activity	INFO [ANY.RUN] Pearson VUE Client SSL Cert
—	—	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
—	—	Misc activity	ET INFO EXE - Served Attached HTTP
3268	Compass Browser.exe	Misc activity	INFO [ANY.RUN] Pearson VUE Client SSL Cert
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Websocket Upgrade Request
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Websocket Upgrade Request
672	msedgewebview2.exe	Not Suspicious Traffic	INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
672	msedgewebview2.exe	Not Suspicious Traffic	INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)

General Info

CompassBrowser.exe

8E35857682038620140A6803156A2C44

05E2FB75104F821A4ECD3A9D7574514DDEB6D38A

D4CEC6D012F99C9DE1B93277E1DF954C1F19FEE2CF67953CA04A83FC16B09FB0

12288:eVU242prXQU2VB2mIKscfRNyY5yKbnf0/:eVfrX8nQayY5yM0/

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Scans artifacts that could help determine the target

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

There is functionality for taking screenshot (YARA)

Reads the BIOS version

Application launched itself

Process requests binary or script from the Internet

Searches for installed software

INFO

Checks supported languages

The sample compiled with english language support

Create files in a temporary directory

Reads the computer name

Process checks computer location settings

Checks proxy server information

Reads the machine GUID from the registry

Reads the software policy settings

Creates files or folders in the user directory

Disables trace logs

Themida protector has been detected

Reads Environment values

Reads product name

Reads CPU info

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings