File name: XW16Pro PC side.zip

Full analysis: https://app.any.run/tasks/2477fd5d-032d-4403-bb18-10da3cce612a
Verdict: Suspicious activity
Analysis date: December 10, 2020, 06:34:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: A0B8DB385BCD0648315D8049896191C5
SHA1: D57AA90C86DA6E263B8FE473F0B03CC11E91C8A5
SHA256: 101BEFC4BB7D4C91EEA65350061320F0E3EEB98F4055595A4BDB66FF380F1899
SSDEEP: 49152:4kYR3mbi5MWrt7WFYQ8iUY3Mo6ee0zSLci+0hI0lfTB73Jmc6fBxsP+nAxHuosGM:IRoi5MWrt7W7D870zuciDhBaH5i3rw1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • XW16Pro脱机烧录器comp.exe (PID: 3096)
      • XW16Pro PC side.exe (PID: 2004)
    • Drops executable file immediately after starts

      • XW16Pro PC side.exe (PID: 2004)
  • SUSPICIOUS

    • Drops a file that was compiled in debug mode

      • WinRAR.exe (PID: 2584)
      • XW16Pro PC side.exe (PID: 2004)
    • Reads Environment values

      • XW16Pro脱机烧录器comp.exe (PID: 3096)
    • Executable content was dropped or overwritten

      • XW16Pro PC side.exe (PID: 2004)
      • WinRAR.exe (PID: 2584)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2019:05:25 13:57:23
ZipCRC: 0x5a987479
ZipCompressedSize: 3120088
ZipUncompressedSize: 3302397
ZipFileName: XW16Pro PC side.exe
No data.
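The EXIF block above is read from the archive's local file header (version needed, flag bits, compression method, DOS modify date, CRC-32, compressed and uncompressed sizes, member name). The following is an added example, not part of the ANY.RUN report and not code from the XW16Pro vendor: it builds a constructed stand-in archive in memory (one deflated member named like the real one, with a fake payload rather than the real binary) and parses the local file header by hand. The point a practitioner cares about is that the CRC and size fields in the header are attacker-controlled, so the parser recomputes the CRC-32 from the inflated payload instead of trusting the header. The member content, its date and the helper names are all assumptions made for this example.

```python
import io
import struct
import zipfile
import zlib
from datetime import datetime

# Local file header layout (30 bytes): signature, version needed, flag bits,
# compression method, DOS mtime, DOS mdate, CRC-32, compressed size,
# uncompressed size, file name length, extra field length.
LOCAL_HEADER_SIG = 0x04034B50
LOCAL_HEADER_FMT = "<IHHHHHIIIHH"
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER_FMT)
COMPRESSION_NAMES = {0: "Stored", 8: "Deflated", 12: "BZIP2", 14: "LZMA"}


def dos_datetime(dos_date, dos_time):
    """Decode the packed MS-DOS date/time used in ZIP headers (2-second resolution)."""
    return datetime(
        ((dos_date >> 9) & 0x7F) + 1980, (dos_date >> 5) & 0x0F, dos_date & 0x1F,
        (dos_time >> 11) & 0x1F, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2,
    )


def parse_local_headers(data):
    """Walk local file headers from offset 0 and return one dict per member.

    The CRC and sizes claimed by the header are verified by inflating the member
    and recomputing CRC-32 over the real payload.
    """
    entries, off = [], 0
    while off + LOCAL_HEADER_LEN <= len(data):
        (sig, version, flags, method, mtime, mdate,
         crc, csize, usize, nlen, xlen) = struct.unpack_from(LOCAL_HEADER_FMT, data, off)
        if sig != LOCAL_HEADER_SIG:
            break  # reached the central directory (or trailing junk)
        name_raw = data[off + LOCAL_HEADER_LEN: off + LOCAL_HEADER_LEN + nlen]
        name = name_raw.decode("utf-8" if flags & 0x0800 else "cp437")
        body_start = off + LOCAL_HEADER_LEN + nlen + xlen
        if flags & 0x0008:
            # Sizes and CRC live in a trailing data descriptor; locating the member
            # end then needs the central directory, so record it and stop.
            entries.append({"name": name, "data_descriptor": True})
            break
        body = data[body_start: body_start + csize]
        if method == 8:
            raw = zlib.decompress(body, -15)  # raw DEFLATE stream, no zlib wrapper
        elif method == 0:
            raw = body
        else:
            raw = None  # unsupported method: cannot verify
        entries.append({
            "name": name,
            "required_version": version,
            "compression": COMPRESSION_NAMES.get(method, str(method)),
            "modify_date": dos_datetime(mdate, mtime),
            "crc": crc,
            "compressed_size": csize,
            "uncompressed_size": usize,
            # Header values are untrusted input: compare against the payload itself.
            "crc_ok": raw is not None and zlib.crc32(raw) == crc and len(raw) == usize,
            "data_descriptor": False,
        })
        off = body_start + csize
    return entries


def build_sample_zip():
    """Constructed stand-in archive (assumption: fake PE-like bytes, not the real file)."""
    payload = b"MZ" + b"\x90" * 2000 + b"XW16Pro sample payload, not a real binary"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("XW16Pro PC side.exe", date_time=(2019, 5, 25, 13, 57, 22))
        zf.writestr(info, payload, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue(), payload


def inspect_sample():
    """Parse the constructed archive; returns (entries, crc32 of the real payload)."""
    data, payload = build_sample_zip()
    return parse_local_headers(data), zlib.crc32(payload)


if __name__ == "__main__":
    for entry in inspect_sample()[0]:
        print(entry)
```

Flipping a byte of the header's CRC field in the constructed archive makes `crc_ok` false while the file still "looks" like a valid ZIP, which is the kind of header/payload mismatch worth checking before relying on metadata extracted from an archive.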
All screenshots are available in the full report
Total processes
36
Monitored processes
3
Malicious processes
0
Suspicious processes
2

Behavior graph

Process chain (from the behavior graph): WinRAR.exe -> drop and start -> XW16Pro PC side.exe -> drop and start -> XW16Pro脱机烧录器comp.exe

Process information

PID: 2004
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2584.40885\XW16Pro PC side.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2584.40885\XW16Pro PC side.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa2584.40885\xw16pro pc side.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\rsaenh.dll
PID: 2584
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\XW16Pro PC side.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 3096
CMD: "C:\Users\admin\AppData\Local\Temp\RarSFX0\XW16Pro脱机烧录器comp.exe"
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\XW16Pro脱机烧录器comp.exe
Parent process: XW16Pro PC side.exe
User: admin
Company: www.xwopen.com
Integrity Level: MEDIUM
Description: XW16Pro脱机烧录器 (XW16Pro offline programmer)
Exit code: 0
Version: 1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rarsfx0\xw16pro脱机烧录器comp.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events
851
Read events
822
Write events
29
Delete events
0

Modification events

(PID) Process: (2584) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (2584) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (2584) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2584) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\XW16Pro PC side.zip

(PID) Process: (2584) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (2584) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (2584) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (2584) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (2584) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (2584) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1
Executable files
3
Suspicious files
0
Text files
3
Unknown types
0

Dropped files

PID | Process | Filename | Type

2004 | XW16Pro PC side.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\XW16Pro脱机烧录器comp.exe | executable
MD5: B4AEA1A97BAFAA45F68372AA17DDB852
SHA256: 75830D42E765DD2014E8EF8CC1909F6D03E187BA02E87DCF9C48159355CE0932

2004 | XW16Pro PC side.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\lang\DefaultLanguage.xaml | text
MD5: E51FD21D0475C9091CACBD8D1A8B1B3B
SHA256: 3D75499EF0CEFE431F076D6A0EB32582578E6FC3899B39E9E6F6EC21C8EAED82

2584 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2584.40885\XW16Pro PC side.exe | executable
MD5: 9E95C530AFF489344231DA4B5C64AEBB
SHA256: D2E30A74E440744C0CA977FF60362BF61328B7A122D96CC07BC41816566C4952

2004 | XW16Pro PC side.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\lang\LanguageEN.xaml | text
MD5: 26FAF0AD3DCCF0E1A89C0E92A36BE16C
SHA256: F0CD41AD0B65F4387DF4C3CF188740E6427C8AD0081704CF44A5CA126CF379E0

2004 | XW16Pro PC side.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\XW16Pro脱机烧录器comp.exe.config | xml
MD5: CDF434A1DA53769AAEE5F5A1DA39679B
SHA256: 06AE8A6618E30B01391BEDF02C6D5AD99382007A632B0F722AB3CC63DDDDAAE4

2004 | XW16Pro PC side.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\Util.Controls.dll | executable
MD5: 41D8F6A95B4FEA00F620E5D18C89BBDA
SHA256: 0AB82B652446E4BE79CCA19B7070073F8FE1015FE9448505B13A433A8CDFDD3D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3096 | XW16Pro脱机烧录器comp.exe | 121.41.17.142:80 | www.xwopen.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown
3096 | XW16Pro脱机烧录器comp.exe | 121.41.17.142:6900 | www.xwopen.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown
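The process information and behavior graph above show the pattern that drove the "MALICIOUS" indicators: WinRAR extracts the archive member into a Rar$EX temp directory and runs it, that executable (an SFX) drops a second executable into RarSFX0 and starts it, and the dropped .NET program then connects out, once on port 80 and once on the non-standard port 6900. The following is an added example of how to express that chain as detection logic; it is not part of the ANY.RUN report and not the sandbox's own signature code. The events are constructed to mirror this report's process tree, dropped files and connections (plus one benign control process) in a Sysmon-like shape, and the rule names, the "expected ports" set and the field names are assumptions made for this example.

```python
import re

# WinRAR opens archive members from %TEMP%\Rar$EX<pid>.<n>\ and extracts
# self-extracting archives into %TEMP%\RarSFX<n>\ (both seen in this report).
RAR_TEMP = re.compile(
    r"\\AppData\\Local\\Temp\\(?:Rar\$EX[^\\]*|RarSFX\d+)\\", re.IGNORECASE)
EXPECTED_PORTS = {80, 443}  # assumption for the example: anything else is "non-standard"

# Constructed Sysmon-style events modelled on this report; not a real log export.
EVENTS = [
    {"type": "process", "pid": 2584, "ppid": 1604,
     "image": r"C:\Program Files\WinRAR\WinRAR.exe"},
    {"type": "file", "pid": 2584,
     "target": r"C:\Users\admin\AppData\Local\Temp\Rar$EXa2584.40885\XW16Pro PC side.exe"},
    {"type": "process", "pid": 2004, "ppid": 2584,
     "image": r"C:\Users\admin\AppData\Local\Temp\Rar$EXa2584.40885\XW16Pro PC side.exe"},
    {"type": "file", "pid": 2004,
     "target": r"C:\Users\admin\AppData\Local\Temp\RarSFX0\XW16Pro脱机烧录器comp.exe"},
    {"type": "process", "pid": 3096, "ppid": 2004,
     "image": r"C:\Users\admin\AppData\Local\Temp\RarSFX0\XW16Pro脱机烧录器comp.exe"},
    {"type": "network", "pid": 3096, "dst_ip": "121.41.17.142", "dst_port": 80},
    {"type": "network", "pid": 3096, "dst_ip": "121.41.17.142", "dst_port": 6900},
    # Benign control (constructed): a normal program started by explorer, talking on 443.
    {"type": "process", "pid": 4100, "ppid": 1604,
     "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "network", "pid": 4100, "dst_ip": "93.184.216.34", "dst_port": 443},
]


def from_rar_temp(path):
    """True if the image path sits in a WinRAR Rar$EX* or RarSFX* temp directory."""
    return bool(RAR_TEMP.search(path))


def analyze(events):
    """Single pass over time-ordered events; returns (pid, rule_name) findings.

    Rules (names are this example's own):
      dropped_then_executed          a PE written by one process is later started
      exec_from_rar_temp             process image lives in a Rar$EX*/RarSFX* directory
      nested_sfx_drop_and_exec       ...and so does its parent's image (SFX inside archive)
      nonstandard_port_from_rar_temp such a process connects to a port outside EXPECTED_PORTS
    """
    image_by_pid, dropped_by = {}, {}
    findings = []
    for ev in events:
        if ev["type"] == "file":
            if ev["target"].lower().endswith((".exe", ".dll")):
                dropped_by[ev["target"].lower()] = ev["pid"]
        elif ev["type"] == "process":
            image = ev["image"]
            image_by_pid[ev["pid"]] = image
            if image.lower() in dropped_by:
                findings.append((ev["pid"], "dropped_then_executed"))
            if from_rar_temp(image):
                findings.append((ev["pid"], "exec_from_rar_temp"))
                if from_rar_temp(image_by_pid.get(ev["ppid"], "")):
                    findings.append((ev["pid"], "nested_sfx_drop_and_exec"))
        elif ev["type"] == "network":
            image = image_by_pid.get(ev["pid"], "")
            if from_rar_temp(image) and ev["dst_port"] not in EXPECTED_PORTS:
                findings.append((ev["pid"], "nonstandard_port_from_rar_temp"))
    return findings


if __name__ == "__main__":
    for pid, rule in analyze(EVENTS):
        print(pid, rule)
```

Running it over the constructed events flags PID 2004 twice (dropped by WinRAR, executed from Rar$EX) and PID 3096 four times, while WinRAR itself and the control process produce nothing. The network rule is deliberately the weakest of the four: here the destination domain matches the Company field in the dropped binary's version information, and the report itself scores the sample "Suspicious" with no threats detected, so a non-standard port from a freshly dropped executable is a reason to look, not a verdict.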

DNS requests

Domain | IP | Reputation
www.xwopen.com | 121.41.17.142 | unknown

Threats

No threats detected
No debug info