File name: WC5325-5335_5.230.5.0_PCL6_x64.exe

Full analysis: https://app.any.run/tasks/b1419dba-4525-4619-b7ac-95ebb77fd075
Verdict: Malicious activity
Analysis date: October 22, 2023, 07:06:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
MD5: E713D6CACE0C0D97DDD862F6D5583C2A
SHA1: 69AF58D117EBCA743F462D7813252E3E268021A7
SHA256: C82E7E87166054CE52C5CA76B1DE59A98240D9B0BA888B965D61E27539B421DB
SSDEEP: 393216:nbbsAIhsC6VW/Y5/mqJA1t6uf52aqpV8wEj5lkDSvrvcv:nbw+9VW/8I1Pf5g04SvIv
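The File info line identifies the sample as a RAR self-extracting archive: a stub PE whose overlay (the bytes after the last raw section) holds the archive that the stub unpacks to C:\Xerox. For triage you usually want the archive contents without executing the stub at all. The script below is an added example, not part of the ANY.RUN report and not code from Xerox's package: it reads the PE section table to find where the overlay begins, locates the RAR4/RAR5 marker block, checks that the marker actually sits in the overlay rather than inside the image, and carves the archive so it can be listed with a normal unrar or 7z. The minimal PE it builds for its own self-test is constructed here; pointed at the real sample it writes <sfx.exe>.rar.

```python
"""Carve the RAR archive out of a RAR self-extracting (SFX) executable without running it.

Added example for the report above; not part of ANY.RUN or of the Xerox package.
"""
import struct
import sys

# Marker blocks from the RAR format documentation (rarlab technote).
RAR4_MARKER = b"Rar!\x1a\x07\x00"
RAR5_MARKER = b"Rar!\x1a\x07\x01\x00"


def pe_overlay_offset(data: bytes):
    """Return the file offset where the PE overlay starts (end of the last raw section),
    or None if the data is not a parseable PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    try:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
        (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
        section_table = e_lfanew + 24 + opt_size
        end = section_table + 40 * num_sections  # at least the headers themselves
        for i in range(num_sections):
            # SizeOfRawData and PointerToRawData live at +16 in each 40-byte section header.
            raw_size, raw_ptr = struct.unpack_from("<II", data, section_table + 40 * i + 16)
            end = max(end, raw_ptr + raw_size)
    except struct.error:
        return None
    return end


def find_rar_marker(data: bytes):
    """Return (offset, version) of the earliest RAR marker block, or None."""
    hits = [(data.find(m), v) for m, v in ((RAR4_MARKER, 4), (RAR5_MARKER, 5))]
    hits = [h for h in hits if h[0] != -1]
    return min(hits) if hits else None


def carve_sfx(data: bytes):
    """Locate the embedded archive and return it with its position; None if no marker."""
    hit = find_rar_marker(data)
    if hit is None:
        return None
    archive_offset, version = hit
    overlay = pe_overlay_offset(data)
    return {
        "overlay_offset": overlay,
        "archive_offset": archive_offset,
        "rar_version": version,
        # A marker inside the PE image (not the overlay) is more likely a string than an archive.
        "in_overlay": overlay is not None and archive_offset >= overlay,
        "archive": data[archive_offset:],
    }


def build_fake_sfx_stub(archive: bytes) -> bytes:
    """Constructed test input (not a real sample): a minimal PE32 with one 0x100-byte
    section at file offset 0x200, followed by `archive` as the overlay at 0x300."""
    e_lfanew, opt_size, raw_ptr, raw_size = 0x40, 0xE0, 0x200, 0x100
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine=i386, 1 section, timestamp/symbols zero, optional header size, flags.
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", raw_size, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = dos + coff + b"\0" * opt_size + section
    image += b"\0" * (raw_ptr - len(image)) + b"\xc3" * raw_size  # section body: RETs
    return image + archive


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: carve_sfx.py <sfx.exe>   (writes <sfx.exe>.rar)")
    with open(sys.argv[1], "rb") as f:
        result = carve_sfx(f.read())
    if result is None:
        sys.exit("no RAR marker found")
    print(f"overlay at {result['overlay_offset']}, RAR{result['rar_version']} marker at "
          f"{result['archive_offset']}, in overlay: {result['in_overlay']}")
    with open(sys.argv[1] + ".rar", "wb") as f:
        f.write(result["archive"])
```

The carved file is a plain archive, so `unrar l` or `7z l` lists the 74 files the report counts (36 executables, 11 suspicious, 27 text) and lets you hash and inspect launch.bat, APWinstall.bat and the Setup*.exe binaries before anything runs. If the marker is found but `in_overlay` is False, treat the hit with suspicion: the string may simply occur inside the stub's code or resources.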

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • XSetupCpu.exe (PID: 3204)
      • XSetupCpu.exe (PID: 3856)
    • Drops the executable file immediately after the start

      • WC5325-5335_5.230.5.0_PCL6_x64.exe (PID: 1824)
  • SUSPICIOUS

    • Reads the Internet Settings

      • WC5325-5335_5.230.5.0_PCL6_x64.exe (PID: 1824)
    • Process drops legitimate windows executable

      • WC5325-5335_5.230.5.0_PCL6_x64.exe (PID: 1824)
    • Reads Microsoft Outlook installation path

      • WC5325-5335_5.230.5.0_PCL6_x64.exe (PID: 1824)
    • Reads Internet Explorer settings

      • WC5325-5335_5.230.5.0_PCL6_x64.exe (PID: 1824)
  • INFO

    • Reads the computer name

      • WC5325-5335_5.230.5.0_PCL6_x64.exe (PID: 1824)
    • Checks supported languages

      • WC5325-5335_5.230.5.0_PCL6_x64.exe (PID: 1824)
      • XSetupCpu.exe (PID: 3856)
    • Checks proxy server information

      • WC5325-5335_5.230.5.0_PCL6_x64.exe (PID: 1824)
    • Reads the machine GUID from the registry

      • WC5325-5335_5.230.5.0_PCL6_x64.exe (PID: 1824)
No Malware configuration.

TRiD (file type identification, % confidence)

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 5
EntryPoint: 0xa7d8
UninitializedDataSize: -
InitializedDataSize: 142848
CodeSize: 67584
LinkerVersion: 9 (MSVC 9.0, Visual Studio 2008; consistent with the 2009 TimeStamp below)
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, 32-bit
TimeStamp: 2009:08:16 11:05:35+00:00
MachineType: Intel 386 or later, and compatibles
All screenshots are available in the full report
Total processes: 41
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

WC5325-5335_5.230.5.0_PCL6_x64.exe drops and starts XSetupCpu.exe (PID 3204) and XSetupCpu.exe (PID 3856). The interactive graph is in the full report.

Process information

PID 1824
  Command line: "C:\Users\admin\AppData\Local\Temp\WC5325-5335_5.230.5.0_PCL6_x64.exe"
  Path: C:\Users\admin\AppData\Local\Temp\WC5325-5335_5.230.5.0_PCL6_x64.exe
  Parent process: explorer.exe
  User: admin
  Integrity level: MEDIUM
  Exit code: 0
  Loaded modules (images):
    c:\users\admin\appdata\local\temp\wc5325-5335_5.230.5.0_pcl6_x64.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\kernel32.dll
    c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\usp10.dll
    c:\windows\system32\shlwapi.dll

PID 3204
  Command line: "C:\Xerox\XSetupCpu.exe" "/CMD32:Setup32.exe; /CMD64:Setup64.exe; /CMD:cmd.exe; /PARAM1:/C; /PARAM2:launch.bat"
  Path: C:\Xerox\XSetupCpu.exe
  Parent process: WC5325-5335_5.230.5.0_PCL6_x64.exe
  User: admin
  Integrity level: MEDIUM
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
  Loaded modules (images):
    c:\xerox\xsetupcpu.exe
    c:\windows\system32\ntdll.dll

PID 3856
  Command line: "C:\Xerox\XSetupCpu.exe" "/CMD32:Setup32.exe; /CMD64:Setup64.exe; /CMD:cmd.exe; /PARAM1:/C; /PARAM2:launch.bat"
  Path: C:\Xerox\XSetupCpu.exe
  Parent process: WC5325-5335_5.230.5.0_PCL6_x64.exe
  User: admin
  Integrity level: HIGH
  Exit code: 0
  Loaded modules (images):
    c:\xerox\xsetupcpu.exe
    c:\windows\system32\kernel32.dll
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\usp10.dll
    c:\windows\system32\msctf.dll

Reading the tree: PID 3204 is the first, medium-integrity attempt to run the XSetupCpu.exe helper; it ended with STATUS_ELEVATION_REQUIRED after loading only ntdll.dll, and the identical command line was then run as PID 3856 at HIGH integrity. That sequence is consistent with the installer re-launching its helper through a UAC elevation prompt. The command line hands the helper the 32-bit and 64-bit setup binaries (Setup32.exe, Setup64.exe) and a follow-on "cmd.exe /C launch.bat"; Setup64.exe and launch.bat both appear in the dropped-files list below, but neither a Setup*.exe nor a cmd.exe instance appears among the three monitored processes. Note also that the guest was 32-bit Windows 7 (see OS above) while the package carries amd64 driver files (ntprint.inf_amd64, WC5325-5335_PCL6_x64_Driver.inf).
Total events: 762
Read events: 748
Write events: 14
Delete events: 0

Modification events

(PID 1824) WC5325-5335_5.230.5.0_PCL6_x64.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Operation: write   Name: ProxyEnable
  Value: 0

(PID 1824) WC5325-5335_5.230.5.0_PCL6_x64.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Operation: write   Name: SavedLegacySettings
  Value: 4600000056010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID 1824) WC5325-5335_5.230.5.0_PCL6_x64.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write   Name: ProxyBypass
  Value: 1

(PID 1824) WC5325-5335_5.230.5.0_PCL6_x64.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write   Name: IntranetName
  Value: 1

(PID 1824) WC5325-5335_5.230.5.0_PCL6_x64.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write   Name: UNCAsIntranet
  Value: 1

(PID 1824) WC5325-5335_5.230.5.0_PCL6_x64.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write   Name: AutoDetect
  Value: 0

(PID 1824) WC5325-5335_5.230.5.0_PCL6_x64.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Operation: write   Name: SavedLegacySettings
  Value: 4600000057010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID 1824) WC5325-5335_5.230.5.0_PCL6_x64.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
  Operation: write   Name: CachePrefix
  Value: Cookie:

(PID 1824) WC5325-5335_5.230.5.0_PCL6_x64.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
  Operation: write   Name: CachePrefix
  Value: Visited:
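All nine registry writes land under the current user's Internet Settings hive, which is consistent with WinInet initialising proxy, zone-map and cache settings when a process first uses it; the two SavedLegacySettings values are the binary proxy configuration (same layout as DefaultConnectionSettings). Whether a write like that is harmless or a proxy/PAC hijack depends on what is inside the blob, so here is an added parser, not from the report or from ANY.RUN, that decodes the documented head of the structure: version, change counter, INTERNET_PER_CONN_FLAGS, then proxy server, bypass list and auto-config URL as length-prefixed strings. The tail after the three strings is not publicly documented and is kept raw. The two blobs are copied from the events above; HIJACKED_EXAMPLE is constructed here to show what a positive looks like.

```python
"""Decode the SavedLegacySettings / DefaultConnectionSettings blob written under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections.

Added example for the report above; not from ANY.RUN or from the analysed package.
"""
import struct

# INTERNET_PER_CONN_FLAGS bits (wininet.h), stored in the third DWORD of the blob.
PROXY_TYPE_FLAGS = {
    0x1: "PROXY_TYPE_DIRECT",
    0x2: "PROXY_TYPE_PROXY",
    0x4: "PROXY_TYPE_AUTO_PROXY_URL",
    0x8: "PROXY_TYPE_AUTO_DETECT",
}

# The two values PID 1824 wrote, copied verbatim from the Modification events above.
BLOB_FIRST_WRITE = "4600000056010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
BLOB_SECOND_WRITE = "4600000057010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"


def _hex_to_bytes(hex_blob: str) -> bytes:
    h = "".join(hex_blob.split())
    # Ignore a dangling nibble in case the report's hex dump was cut mid-byte.
    return bytes.fromhex(h[: len(h) - len(h) % 2])


def _read_lpstr(blob: bytes, off: int):
    """DWORD length followed by that many ANSI bytes (no terminator)."""
    (n,) = struct.unpack_from("<I", blob, off)
    off += 4
    return blob[off:off + n].decode("latin-1"), off + n


def parse_connection_settings(hex_blob: str) -> dict:
    blob = _hex_to_bytes(hex_blob)
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    if version != 0x46:
        raise ValueError(f"unexpected structure version {version:#x}")
    off = 12
    proxy, off = _read_lpstr(blob, off)    # e.g. "proxy.corp:8080" or "http=...;https=..."
    bypass, off = _read_lpstr(blob, off)   # e.g. "*.corp;<local>"
    pac_url, off = _read_lpstr(blob, off)  # WPAD/PAC script URL
    return {
        "version": version,
        "counter": counter,  # incremented on every save; 0x156 -> 0x157 in the two writes above
        "flags": [name for bit, name in sorted(PROXY_TYPE_FLAGS.items()) if flags & bit],
        "unknown_flag_bits": flags & ~sum(PROXY_TYPE_FLAGS),
        "proxy_server": proxy,
        "proxy_bypass": bypass,
        "auto_config_url": pac_url,
        "trailing": blob[off:],  # layout past the three strings is undocumented; kept raw
    }


def proxy_is_configured(info: dict) -> bool:
    """True if the blob would route WinInet/IE traffic through a proxy or a PAC script,
    which is what to look for when a sample writes this value."""
    return bool(info["proxy_server"] or info["auto_config_url"]
                or "PROXY_TYPE_PROXY" in info["flags"]
                or "PROXY_TYPE_AUTO_PROXY_URL" in info["flags"])


def changed_fields(before: dict, after: dict) -> list:
    """Names of the decoded fields that differ between two writes."""
    return [k for k in before if before[k] != after[k]]


def build_connection_settings(flags: int, proxy="", bypass="", pac_url="", counter=1) -> str:
    """Constructed blob in the same layout, for exercising the detector (not a captured value)."""
    out = struct.pack("<III", 0x46, counter, flags)
    for s in (proxy, bypass, pac_url):
        b = s.encode("latin-1")
        out += struct.pack("<I", len(b)) + b
    return (out + bytes(32)).hex().upper()


# Hypothetical proxy hijack: PROXY_TYPE_DIRECT | PROXY_TYPE_PROXY aimed at a local listener.
HIJACKED_EXAMPLE = build_connection_settings(0x3, proxy="127.0.0.1:8080", bypass="<local>")

if __name__ == "__main__":
    for label, blob in (("first write", BLOB_FIRST_WRITE),
                        ("second write", BLOB_SECOND_WRITE),
                        ("constructed hijack", HIJACKED_EXAMPLE)):
        info = parse_connection_settings(blob)
        print(f"{label}: counter={info['counter']:#x} flags={info['flags']} "
              f"proxy={info['proxy_server']!r} pac={info['auto_config_url']!r} "
              f"-> proxy configured: {proxy_is_configured(info)}")
```

For the two captured blobs the decoder gives flags PROXY_TYPE_DIRECT | PROXY_TYPE_AUTO_DETECT, empty proxy, bypass and PAC strings, and only the change counter differing (0x156 to 0x157), which matches the ProxyEnable=0 write beside them. The same routine run over the constructed HIJACKED_EXAMPLE flags the proxy string, which is the case worth alerting on.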
Executable files: 36
Suspicious files: 11
Text files: 27
Unknown types: 0

Dropped files (10 shown; all written by PID 1824, WC5325-5335_5.230.5.0_PCL6_x64.exe)

C:\Xerox\ntprint.inf_amd64\amd64\pscript.hlp (binary)
  MD5: 02C3F8C32018F3AAF66E7421400F1781
  SHA256: 6FAEF4C998E810FFF139958F28722C79879EC2FD66C97C7E3E2C5040FD5550D9

C:\Xerox\launch.bat (text)
  MD5: 80F167E6942F1EA51B156040786F44D8
  SHA256: 4B1890BA7148ABDD5FF82494A491ACFDD253787469573FBDE108AA272DF56A7D

C:\Xerox\ntprint.inf_amd64\amd64\unidrv.hlp (binary)
  MD5: 6798F64959C913673BD66CD4E47F4A65
  SHA256: 0C02B226BE4E7397F8C98799E58B0A512515E462CCDAAC04EDC10E3E1091C011

C:\Xerox\APWinstall.bat (text)
  MD5: B00966272B2E2FDE2EA2148591023522
  SHA256: 7207F620D25BD14EDC7795663BAFD26AF5765FF217E9C18DA3735AE76DC30738

C:\Xerox\WC5325-5335_PCL6_x64_Driver.inf\x2GSANX.inf (binary)
  MD5: 71D890E6F63CE813673AB45B6A5C0175
  SHA256: 66D949566B18BB82F4926D62A67F4D51FE4DF1C9271125DCB6438634E78C5451

C:\Xerox\WC5325-5335_PCL6_x64_Driver.inf\unidrv.hlp (binary; same hashes as the copy under ntprint.inf_amd64\amd64)
  MD5: 6798F64959C913673BD66CD4E47F4A65
  SHA256: 0C02B226BE4E7397F8C98799E58B0A512515E462CCDAAC04EDC10E3E1091C011

C:\Xerox\ntprint.inf_amd64\ntprint.inf (binary)
  MD5: F48E91E4BF1F75722F4A5431FD4A3F44
  SHA256: 969A3DDD2C0CCBE1ED6873BE6A86D2DE2CEEDCD0DEDDB1059BB2155435416E96

C:\Xerox\Setup64.exe (executable)
  MD5: FD730AA34EC1D82790F0EC33D62317E9
  SHA256: B017890A6FEE8DE1F3BE73BEE510270CE1E4A2B356A13FDE15B924A93EC93AE0

C:\Xerox\WC5325-5335_PCL6_x64_Driver.inf\xGSANxHM.ini (text)
  MD5: 9FCF3F0D4E620FBAA6276B794EFEAE92
  SHA256: EE525FB622440EFD1CEAE3E6BBC50AEE0A84DEE777E48458D235A437C77F45C8

C:\Xerox\WC5325-5335_PCL6_x64_Driver.inf\x2jobtHM.exe (executable)
  MD5: B9C2DEAE73AAEADB06644D60C7C4221A
  SHA256: 2D8C1653E1B4B3B1B8FA90C57EDF5C84FB3A4FC1E30D2D199A2E92358888AF80
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID  Process  IP:port               Domain  ASN  CN  Reputation
4    System   192.168.100.255:138   -       -    -   whitelisted
4    System   192.168.100.255:137   -       -    -   whitelisted

Both entries are NetBIOS traffic (port 137 name service, port 138 datagram service) sent by the Windows System process to the guest's subnet broadcast address, which is why they are whitelisted; none of the three monitored processes opened a network connection, and the report records no HTTP or DNS activity.

DNS requests

No data

Threats

No threats detected
No debug info