File name: SanXiaWorkSafe_20250707101058.zip
Full analysis: https://app.any.run/tasks/90450057-c29b-40f8-996c-55277c95557a
Verdict: Malicious activity
Analysis date: July 07, 2025, 02:24:10
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 48D8840FD179E5551905227808D93825
SHA1: 0943E76FC91589783E06B7B3314B2C0EBC7761B9
SHA256: 14CA945588CD45058E1BE810265051663AFAFF66F407856AFB6546A58B0D276A
SSDEEP: 98304:vw//p0YFHHuUBvxUdORyMH5ct6n8yd78RJgmM5ZfcMCoLmTQ4uxkJdwVwL7PTrjl:CSFz
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Create files in the Startup directory

      • KeepMove.exe (PID: 1352)
  • SUSPICIOUS

    • Connects to unusual port

      • SheelEverything.exe (PID: 2612)
      • SheelEverything.exe (PID: 6868)
    • Searches for installed software

      • SheelEverything.exe (PID: 2612)
      • SheelEverything.exe (PID: 6868)
    • The process executes via Task Scheduler

      • updater.exe (PID: 1828)
    • Application launched itself

      • updater.exe (PID: 1828)
    • Executable content was dropped or overwritten

      • KeepMove.exe (PID: 1352)
    • Reads security settings of Internet Explorer

      • wordpad.exe (PID: 7020)
    • Sets XML DOM element text (SCRIPT)

      • wordpad.exe (PID: 7020)
  • INFO

    • Manual execution by a user

      • launcher.exe (PID: 1612)
      • notepad.exe (PID: 4920)
      • launcher.exe (PID: 2280)
      • SheelEverything.exe (PID: 7016)
      • SheelEverything.exe (PID: 2612)
      • KeepMove.exe (PID: 7080)
      • KeepMove.exe (PID: 1352)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6524)
    • Checks supported languages

      • launcher.exe (PID: 2280)
      • SheelEverything.exe (PID: 2612)
      • launcher.exe (PID: 6404)
      • updater.exe (PID: 2288)
      • updater.exe (PID: 1828)
      • KeepMove.exe (PID: 1352)
      • launcher.exe (PID: 5352)
      • SheelEverything.exe (PID: 6868)
      • wordpad.exe (PID: 7020)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 4920)
      • OpenWith.exe (PID: 3964)
    • Reads the computer name

      • SheelEverything.exe (PID: 2612)
      • updater.exe (PID: 1828)
      • KeepMove.exe (PID: 1352)
      • SheelEverything.exe (PID: 6868)
      • wordpad.exe (PID: 7020)
    • Process checks whether UAC notifications are on

      • updater.exe (PID: 1828)
    • Creates files or folders in the user directory

      • KeepMove.exe (PID: 1352)
    • Launching a file from the Startup directory

      • KeepMove.exe (PID: 1352)
    • Checks proxy server information

      • slui.exe (PID: 2520)
    • Reads the software policy settings

      • slui.exe (PID: 2520)
    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 3964)
    • Reads Environment values

      • wordpad.exe (PID: 7020)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2025:06:24 16:09:58
ZipCRC: 0x1a18a90f
ZipCompressedSize: 38416
ZipUncompressedSize: 114688
ZipFileName: SanXiaWorkSafe/KeepMove.exe
No data.
All screenshots are available in the full report
Total processes
160
Monitored processes
17
Malicious processes
0
Suspicious processes
3

Behavior graph

Processes in the graph, in start order ("no specs" marks a process with no specific indicators):
  • winrar.exe
  • rundll32.exe (no specs)
  • launcher.exe (no specs)
  • launcher.exe
  • notepad.exe (no specs)
  • sheeleverything.exe (no specs)
  • sheeleverything.exe
  • launcher.exe (no specs)
  • slui.exe
  • updater.exe (no specs)
  • updater.exe (no specs)
  • keepmove.exe (no specs)
  • keepmove.exe
  • sheeleverything.exe
  • launcher.exe (no specs)
  • openwith.exe (no specs)
  • wordpad.exe (no specs)

Process information

PID | CMD | Path | Parent process

1352 | "C:\Users\admin\Desktop\SanXiaWorkSafe\KeepMove.exe" | C:\Users\admin\Desktop\SanXiaWorkSafe\KeepMove.exe | explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\sanxiaworksafe\keepmove.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
1612 | "C:\Users\admin\Desktop\SanXiaWorkSafe\launcher.exe" | C:\Users\admin\Desktop\SanXiaWorkSafe\launcher.exe | explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\sanxiaworksafe\launcher.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
1828 | "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --system | C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe | svchost.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
2280 | "C:\Users\admin\Desktop\SanXiaWorkSafe\launcher.exe" | C:\Users\admin\Desktop\SanXiaWorkSafe\launcher.exe | explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
3221225477
Modules
Images
c:\users\admin\desktop\sanxiaworksafe\launcher.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
2288 | "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=134.0.6985.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x288,0x2a4,0x111c460,0x111c46c,0x111c478 | C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe | updater.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
2520 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
2612 | "C:\Users\admin\Desktop\SanXiaWorkSafe\SheelEverything.exe" | C:\Users\admin\Desktop\SanXiaWorkSafe\SheelEverything.exe | explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\sanxiaworksafe\sheeleverything.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
3000 | C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | C:\Windows\System32\rundll32.exe | svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
3964 | C:\WINDOWS\system32\OpenWith.exe -Embedding | C:\Windows\System32\OpenWith.exe | svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
4920 | "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\SanXiaWorkSafe\Launcher.ini | C:\Windows\System32\notepad.exe | explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
Total events
9 108
Read events
9 056
Write events
38
Delete events
14

Modification events

(PID) Process: (6524) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value:
(PID) Process: (6524) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value:
(PID) Process: (6524) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process: (6524) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process: (6524) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process: (6524) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\SanXiaWorkSafe_20250707101058.zip
(PID) Process: (6524) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
(PID) Process: (6524) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
(PID) Process: (6524) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
(PID) Process: (6524) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
Executable files
7
Suspicious files
2
Text files
2
Unknown types
0

Dropped files

PID | Process | Filename | Type

6524 | WinRAR.exe | C:\Users\admin\Desktop\SanXiaWorkSafe\launcher.exe | executable
  MD5: EEBACAAE58D530556295AFC4AC37E4A7
  SHA256: CB84162F7ED87296E260D8C950311F50B563E573378BD7939C46B8EBE9FF0C6F
6524 | WinRAR.exe | C:\Users\admin\Desktop\SanXiaWorkSafe\KeepMoveYL.dll | executable
  MD5: E6108E73E9559AB72B39F34155EF1B95
  SHA256: 82F39BCAA670F49B4DCCFBC9362F75BBC359400A141DA09B532A63F9038AF9CF
2288 | updater.exe | C:\Program Files (x86)\Google\GoogleUpdater\updater.log | text
  MD5: 52DEB4EBAF37A05154E4ECC6B3AD9406
  SHA256: E0A89E88D638D560357C217F9B7496BC2A859F4321540C163E607164CE645295
6524 | WinRAR.exe | C:\Users\admin\Desktop\SanXiaWorkSafe\SheelEverything.exe | executable
  MD5: 657EE8DBC7AD4B13B3CE82351C3E127C
  SHA256: 5A2C20D20D88C952B684B737FD06F8659E328555EAC585E967B4D6C04572C5F6
6524 | WinRAR.exe | C:\Users\admin\Desktop\SanXiaWorkSafe\uninst.exe | executable
  MD5: 1754E6E0CFA9E6AC6893F38ED4667DC9
  SHA256: 3B35824A0EE6D160416B4B9A77EE8903341B186904E850DD3FAC20756408D56B
6524 | WinRAR.exe | C:\Users\admin\Desktop\SanXiaWorkSafe\KeepMove.exe | executable
  MD5: 016885913C2DC2658141DDAB1FF300F6
  SHA256: 13A1A73BC61551D963A0B636CA781F6767CFD395303CBE5BA1F94ACFF25E687E
6524 | WinRAR.exe | C:\Users\admin\Desktop\SanXiaWorkSafe\Launcher.ini | text
  MD5: 58BDB9E40C0B0F499741861BD5168FE1
  SHA256: 5F437BAFA272AE9C30F4207D1B3B2EB2B79155B4A76CA586A0B141BCD0DDA19C
1352 | KeepMove.exe | C:\Users\admin\Desktop\SanXiaWorkSafe\SheelEverything.exe | executable
  MD5: 657EE8DBC7AD4B13B3CE82351C3E127C
  SHA256: 5A2C20D20D88C952B684B737FD06F8659E328555EAC585E967B4D6C04572C5F6
1352 | KeepMove.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\supersx.lnk | binary
  MD5: 479EFA98DEA8F54E0E0507FF27947FC7
  SHA256: 10AAA2EF19F5DD4725FAF23BE5CA6D7C14BBE909AEBF30F61873A8D607FDBB36
1352 | KeepMove.exe | C:\Users\admin\Desktop\SanXiaWorkSafe\SheelEverything.exe.bak | executable
  MD5: 657EE8DBC7AD4B13B3CE82351C3E127C
  SHA256: 5A2C20D20D88C952B684B737FD06F8659E328555EAC585E967B4D6C04572C5F6
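The Dropped files table carries the two facts an analyst would act on: KeepMove.exe (PID 1352) writes a .lnk into the user's Startup folder, and the SheelEverything.exe bytes (SHA256 5A2C20D2...) appear three times, dropped first by WinRAR.exe and then again by KeepMove.exe as both SheelEverything.exe and SheelEverything.exe.bak. The script below is an added example, not ANY.RUN's code: it transcribes the ten records above, groups them by hash, and applies two flagging rules (anything under the Startup folder; any executable written by a process that is not an archiver) to produce the values a hunt query would key on. The archiver allowlist and the rules themselves are this example's assumptions.

```python
"""Triage of the Dropped files table above (added example, not ANY.RUN's code).

The ten records are transcribed from the report; ARCHIVERS and the flagging
rules are this example's own assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
import ntpath

# Path fragment that identifies a per-user Startup folder (compared case-insensitively).
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"
# Processes expected to write extracted executables on this host (assumption).
ARCHIVERS = {"winrar.exe", "7zfm.exe", "explorer.exe"}

BASE = r"C:\Users\admin\Desktop\SanXiaWorkSafe"
STARTUP = r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"


@dataclass(frozen=True)
class Drop:
    pid: int
    process: str
    path: str
    ftype: str
    md5: str
    sha256: str


# Transcribed from the report's Dropped files table (PID, process, path, type, MD5, SHA256).
DROPS = [
    Drop(6524, "WinRAR.exe", BASE + r"\launcher.exe", "executable",
         "EEBACAAE58D530556295AFC4AC37E4A7", "CB84162F7ED87296E260D8C950311F50B563E573378BD7939C46B8EBE9FF0C6F"),
    Drop(6524, "WinRAR.exe", BASE + r"\KeepMoveYL.dll", "executable",
         "E6108E73E9559AB72B39F34155EF1B95", "82F39BCAA670F49B4DCCFBC9362F75BBC359400A141DA09B532A63F9038AF9CF"),
    Drop(2288, "updater.exe", r"C:\Program Files (x86)\Google\GoogleUpdater\updater.log", "text",
         "52DEB4EBAF37A05154E4ECC6B3AD9406", "E0A89E88D638D560357C217F9B7496BC2A859F4321540C163E607164CE645295"),
    Drop(6524, "WinRAR.exe", BASE + r"\SheelEverything.exe", "executable",
         "657EE8DBC7AD4B13B3CE82351C3E127C", "5A2C20D20D88C952B684B737FD06F8659E328555EAC585E967B4D6C04572C5F6"),
    Drop(6524, "WinRAR.exe", BASE + r"\uninst.exe", "executable",
         "1754E6E0CFA9E6AC6893F38ED4667DC9", "3B35824A0EE6D160416B4B9A77EE8903341B186904E850DD3FAC20756408D56B"),
    Drop(6524, "WinRAR.exe", BASE + r"\KeepMove.exe", "executable",
         "016885913C2DC2658141DDAB1FF300F6", "13A1A73BC61551D963A0B636CA781F6767CFD395303CBE5BA1F94ACFF25E687E"),
    Drop(6524, "WinRAR.exe", BASE + r"\Launcher.ini", "text",
         "58BDB9E40C0B0F499741861BD5168FE1", "5F437BAFA272AE9C30F4207D1B3B2EB2B79155B4A76CA586A0B141BCD0DDA19C"),
    Drop(1352, "KeepMove.exe", BASE + r"\SheelEverything.exe", "executable",
         "657EE8DBC7AD4B13B3CE82351C3E127C", "5A2C20D20D88C952B684B737FD06F8659E328555EAC585E967B4D6C04572C5F6"),
    Drop(1352, "KeepMove.exe", STARTUP + r"\supersx.lnk", "binary",
         "479EFA98DEA8F54E0E0507FF27947FC7", "10AAA2EF19F5DD4725FAF23BE5CA6D7C14BBE909AEBF30F61873A8D607FDBB36"),
    Drop(1352, "KeepMove.exe", BASE + r"\SheelEverything.exe.bak", "executable",
         "657EE8DBC7AD4B13B3CE82351C3E127C", "5A2C20D20D88C952B684B737FD06F8659E328555EAC585E967B4D6C04572C5F6"),
]


def group_by_sha256(drops):
    """Map each SHA256 to the sorted (process, path) pairs that produced it."""
    groups = defaultdict(list)
    for d in drops:
        groups[d.sha256].append((d.process, d.path))
    return {h: sorted(v) for h, v in groups.items()}


def reused_content(drops):
    """SHA256 values written to more than one distinct path: identical bytes re-dropped under a new name."""
    paths = defaultdict(set)
    for d in drops:
        paths[d.sha256].add(d.path.lower())
    return {h for h, p in paths.items() if len(p) > 1}


def startup_artifacts(drops):
    """Files written into a Startup folder, i.e. run-on-logon persistence."""
    return [d for d in drops if STARTUP_MARKER in d.path.lower()]


def executable_writes_by_non_archiver(drops):
    """Executables written by something other than the archiver that unpacked the sample."""
    return [d for d in drops if d.ftype == "executable" and d.process.lower() not in ARCHIVERS]


def hunt_iocs(drops):
    """Collapse the table into the values a fleet-wide hunt query would key on."""
    return {
        "sha256": sorted({d.sha256 for d in drops if d.ftype == "executable"}),
        "filenames": sorted({ntpath.basename(d.path).lower() for d in drops}),
        "startup_entries": sorted(d.path for d in startup_artifacts(drops)),
    }


if __name__ == "__main__":
    for h in reused_content(DROPS):
        print("same bytes at several paths:", h[:12], group_by_sha256(DROPS)[h])
    for d in startup_artifacts(DROPS):
        print("startup persistence by", d.process, "->", d.path)
    for d in executable_writes_by_non_archiver(DROPS):
        print("executable written by non-archiver", d.process, "->", d.path)
    print(hunt_iocs(DROPS))
```

Run it as-is to get the summary; on a live case, replace DROPS with records parsed from your own sandbox export and feed hunt_iocs() into whatever EDR query language you use. The reused-content check is what tells you KeepMove.exe did not drop new code here but re-wrote the original SheelEverything.exe and kept a .bak copy, so the hash to hunt on is still 5A2C20D2... rather than a new payload.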
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
40
DNS requests
25
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

5184 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | NL | binary | 408 b | whitelisted
2612 | SheelEverything.exe | POST | 200 | 121.36.23.37:8803 | http://client.baiwang.com:8803/v2/statistic/doClick/web | CN | | | whitelisted
2464 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | DE | binary | 471 b | whitelisted
5184 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | NL | binary | 420 b | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | NL | binary | 814 b | whitelisted
1268 | svchost.exe | GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
2940 | svchost.exe | GET | 200 | 2.23.197.184:80 | http://x1.c.lencr.org/ | GB | binary | 734 b | whitelisted
5328 | SearchApp.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | DE | binary | 314 b | whitelisted
5328 | SearchApp.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | DE | binary | 471 b | whitelisted
6868 | SheelEverything.exe | POST | 200 | 121.36.23.37:8803 | http://client.baiwang.com:8803/v2/statistic/doClick/web | CN | | | whitelisted
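Everything in the HTTP table except the two SheelEverything.exe rows is CRL/OCSP fetching by Windows components on port 80; the two POSTs from SheelEverything.exe (PIDs 2612 and 6868) to client.baiwang.com on 121.36.23.37:8803 are what the report flags as "Connects to unusual port", even though the domain itself is marked whitelisted. The detection below is an added example, not ANY.RUN's code: it runs a small rule set over proxy-style JSON log lines and reports each line that matches the report's indicators, uses a non-standard HTTP port, or is a POST from a process not on an allowlist. SAMPLE_LOG is constructed for this example (four lines transcribed from the table, plus one invented line on 203.0.113.10 to show the rule is not tied to this sample); the port set and the process allowlist are assumptions to tune per environment.

```python
"""Detection over proxy-style log lines for the HTTP traffic above (added example, not ANY.RUN's code).

SAMPLE_LOG is constructed for this example; STANDARD_HTTP_PORTS and
KNOWN_HTTP_CLIENTS are assumptions, not values from the report.
"""
import json
from urllib.parse import urlsplit

# Indicators taken from the report's HTTP requests table.
IOC_ENDPOINTS = {"121.36.23.37:8803"}
IOC_HOSTS = {"client.baiwang.com"}
# Ports where HTTP traffic is expected; anything else counts as an unusual port (assumption).
STANDARD_HTTP_PORTS = {80, 443, 8080}
# Windows components seen doing CRL/OCSP fetches in the report (assumption).
KNOWN_HTTP_CLIENTS = {"svchost.exe", "sihclient.exe", "searchapp.exe"}

# Constructed log: lines 1-4 transcribed from the report, line 5 invented (TEST-NET-3 address).
SAMPLE_LOG = """\
{"pid": 5184, "process": "SIHClient.exe", "method": "GET", "status": 200, "dst": "95.101.149.131:80", "url": "http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl"}
{"pid": 2612, "process": "SheelEverything.exe", "method": "POST", "status": 200, "dst": "121.36.23.37:8803", "url": "http://client.baiwang.com:8803/v2/statistic/doClick/web"}
{"pid": 2940, "process": "svchost.exe", "method": "GET", "status": 200, "dst": "2.23.197.184:80", "url": "http://x1.c.lencr.org/"}
{"pid": 6868, "process": "SheelEverything.exe", "method": "POST", "status": 200, "dst": "121.36.23.37:8803", "url": "http://client.baiwang.com:8803/v2/statistic/doClick/web"}
{"pid": 4444, "process": "curl.exe", "method": "POST", "status": 200, "dst": "203.0.113.10:4444", "url": "http://203.0.113.10:4444/upload"}
"""


def parse_log(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def dst_port(dst):
    """'ip:port' -> port as int (rsplit so an IPv6 literal with colons still works)."""
    return int(dst.rsplit(":", 1)[1])


def evaluate(event):
    """Return the list of rule names the event triggers, in a fixed order (empty = benign)."""
    reasons = []
    host = (urlsplit(event["url"]).hostname or "").lower()
    if event["dst"] in IOC_ENDPOINTS:
        reasons.append("ioc_endpoint")
    if host in IOC_HOSTS:
        reasons.append("ioc_host")
    if dst_port(event["dst"]) not in STANDARD_HTTP_PORTS:
        reasons.append("nonstandard_port")
    if event["method"].upper() == "POST" and event["process"].lower() not in KNOWN_HTTP_CLIENTS:
        reasons.append("post_from_unlisted_process")
    return reasons


def detect(text):
    """(pid, process, reasons) for every log line that triggers at least one rule."""
    hits = []
    for event in parse_log(text):
        reasons = evaluate(event)
        if reasons:
            hits.append((event["pid"], event["process"], reasons))
    return hits


if __name__ == "__main__":
    for pid, process, reasons in detect(SAMPLE_LOG):
        print(f"{pid:>5} {process:<22} {', '.join(reasons)}")
```

The IOC rules only ever catch this sample; the port and allowlist rules are what would have surfaced the same behaviour from a different binary on a different host, which is why the invented curl.exe line still fires on them. Keep the order of the reasons stable so downstream tooling can key on the first one.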

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:137 | | | | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
6672 | RUXIMICS.exe | 40.127.240.158:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
1268 | svchost.exe | 40.127.240.158:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | | | | whitelisted
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
2464 | svchost.exe | 20.190.159.75:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2464 | svchost.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.16.206
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 2.20.245.137
  • 2.20.245.139
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
login.live.com
  • 20.190.159.75
  • 20.190.159.4
  • 20.190.159.64
  • 20.190.159.73
  • 40.126.31.130
  • 40.126.31.71
  • 20.190.159.129
  • 40.126.31.3
whitelisted
ocsp.digicert.com
  • 2.23.77.188
  • 2.17.190.73
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.48
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted

Threats

No threats detected
No debug info