Malware analysis PSTools.zip Malicious activity | ANY.RUN

Add for printing

File name:	PSTools.zip
Full analysis:	https://app.any.run/tasks/d85945e1-1d93-44e2-bb11-6af41718b612
Verdict:	Malicious activity
Analysis date:	May 30, 2025, 16:25:29
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-exec arch-doc psexec
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	41EBDADC06B18164DC571F9DB251C01B
SHA1:	DDFB009F8B92226AA45C467F8D0EEBB29A8E2FF5
SHA256:	A9CA77DFE03CE15004157727BB43BA66F00CEB215362C9B3D199F000EDAA8D61
SSDEEP:	98304:w8SK6YhPu87Ci2jqrAAQiu9fffhwqZ4qxIL48xtg6TK/nUjqbprp7sg:wU/h3h0qrAL9fCqZO1Kycbprp7P

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: off
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Generic archive extractor
  - WinRAR.exe (PID: 1176)
SUSPICIOUS
- The process creates files with name similar to system file names
  - WinRAR.exe (PID: 1176)
- Executable content was dropped or overwritten
  - PsExec.exe (PID: 7468)
  - RunAsTI64.exe (PID: 2148)
  - rundll32.exe (PID: 6532)
- PSEXEC has been detected
  - PsExec.exe (PID: 7468)
- Executes as Windows Service
  - PSEXESVC.exe (PID: 7776)
- Starts CMD.EXE for commands execution
  - PSEXESVC.exe (PID: 7776)
  - RunAsTI64.exe (PID: 2148)
  - RunFromToken64.exe (PID: 7520)
- Uses RUNDLL32.EXE to load library
  - cmd.exe (PID: 7940)
  - cmd.exe (PID: 5988)
- Application launched itself
  - RunAsTI64.exe (PID: 8124)
- Windows service management via SC.EXE
  - sc.exe (PID: 5376)
- Starts SC.EXE for service management
  - cmd.exe (PID: 4844)
INFO
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 1176)
  - WinRAR.exe (PID: 632)
- Manual execution by a user
  - powershell.exe (PID: 2868)
  - WinRAR.exe (PID: 3016)
  - firefox.exe (PID: 6676)
  - firefox.exe (PID: 7368)
  - RunAsTI64.exe (PID: 8124)
  - WinRAR.exe (PID: 632)
- The sample compiled with english language support
  - WinRAR.exe (PID: 1176)
  - PsExec.exe (PID: 7468)
  - WinRAR.exe (PID: 632)
  - RunAsTI64.exe (PID: 2148)
  - firefox.exe (PID: 5384)
- Reads the software policy settings
  - slui.exe (PID: 7820)
  - slui.exe (PID: 7588)
- Launch of the file from Downloads directory
  - firefox.exe (PID: 5812)
  - firefox.exe (PID: 5384)
- Checks supported languages
  - PsExec.exe (PID: 7468)
  - PSEXESVC.exe (PID: 7776)
- Reads the computer name
  - PsExec.exe (PID: 7468)
  - PSEXESVC.exe (PID: 7776)
- Checks current location (POWERSHELL)
  - powershell.exe (PID: 2868)
- Application launched itself
  - firefox.exe (PID: 6676)
  - firefox.exe (PID: 5812)
  - firefox.exe (PID: 7368)
  - firefox.exe (PID: 5384)
- Checks proxy server information
  - slui.exe (PID: 7820)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	2016:06:28 09:51:40
ZipCRC:	0xa95b4b2f
ZipCompressedSize:	74460
ZipUncompressedSize:	151728
ZipFileName:	PsLoggedon.exe

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

183

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

232

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

RunFromToken64.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

632

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\RunAsTI-master.zip"

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

1176

"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\PSTools.zip

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

1616

"notepad.exe"

C:\Windows\System32\notepad.exe

—

rundll32.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Notepad

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll

1760

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5084 -childID 3 -isForBrowser -prefsHandle 4832 -prefMapHandle 5052 -prefsLen 31243 -prefMapSize 244583 -jsInitHandle 1460 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {071d8ca0-2ef4-4116-b32e-48868ff6cb8d} 5812 "\\.\pipe\gecko-crash-server-pipe.5812" 20dd36def50 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

2148

"C:\Users\admin\Downloads\RunAsTI-master\RunAsTI64.exe" !

C:\Users\admin\Downloads\RunAsTI-master\RunAsTI64.exe

RunAsTI64.exe

User:

admin

Integrity Level:

HIGH

Description:

Start program with same privileges as TrustedInstaller

Exit code:

Version:

1.0.0.1

Modules

Images
c:\users\admin\downloads\runasti-master\runasti64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll

2320

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4376 -childID 8 -isForBrowser -prefsHandle 5436 -prefMapHandle 4480 -prefsLen 31506 -prefMapSize 244583 -jsInitHandle 1460 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f673f984-e21e-4a20-bffe-0195bc2a0e1b} 5812 "\\.\pipe\gecko-crash-server-pipe.5812" 20dcca3c310 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

2868

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Exit code:

3221225786

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3016

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\RunAsTrustedInstaller-main.zip"

C:\Program Files\WinRAR\WinRAR.exe

—

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

3124

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5660 -childID 6 -isForBrowser -prefsHandle 5700 -prefMapHandle 5696 -prefsLen 31382 -prefMapSize 244583 -jsInitHandle 1460 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {edbc37a2-d157-4ebe-8620-fee43c4cb7b7} 5384 "\\.\pipe\gecko-crash-server-pipe.5384" 226e30df310 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp140.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\crypt32.dll

Add for printing

Total events

41 363

Read events

41 247

Write events

Delete events

Modification events


(PID) Process:	(1176) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(1176) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(1176) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(1176) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\PSTools.zip
(PID) Process:	(1176) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(1176) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(1176) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(1176) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(1176) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	15
Value:
(PID) Process:	(1176) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	14
Value:

Add for printing

Executable files

Suspicious files

217

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
1176	WinRAR.exe	C:\Users\admin\Desktop\PSTools\psping64.exe		executable
		MD5:AD7E3DDF557E1DE0170E384031D3A221	SHA256:D1F718D219930E57794BDADF9DDA61406294B0759038CEF282F7544B44B92285
1176	WinRAR.exe	C:\Users\admin\Desktop\PSTools\psping.exe		executable
		MD5:93F162D9E1AE290F47695E71589FD4D4	SHA256:355B4A82313074999BD8FA1332B1ED00034E63BD2A0D0367E2622F35D75CF140
1176	WinRAR.exe	C:\Users\admin\Desktop\PSTools\psshutdown.exe		executable
		MD5:31E8E12D02A6CAC9088D89215CF4552C	SHA256:13FD3AD690C73CF0AD26C6716D4E9D1581B47C22FB7518B1D3BF9CFB8F9E9123
1176	WinRAR.exe	C:\Users\admin\Desktop\PSTools\psshutdown64.exe		executable
		MD5:B5B4ABC85D5D8C817CE552C3C6A0ABA5	SHA256:4226738489C2A67852D51DBF96574F33E44E509BC265B950D495DA79BB457400
1176	WinRAR.exe	C:\Users\admin\Desktop\PSTools\PsGetsid64.exe		executable
		MD5:C2B0F2DE5955AAA313999FF20B675BE4	SHA256:201D8E77CCC2575D910D47042A986480B1DA28CF0033E7EE726AD9D45CCF4DAA
1176	WinRAR.exe	C:\Users\admin\Desktop\PSTools\psfile.exe		executable
		MD5:A0C7585C86AB8BFE6D55A2547E7C9382	SHA256:4243DC8B991F5F8B3C0F233CA2110A1E03A1D716C3F51E88FAF1D59B8242D329
1176	WinRAR.exe	C:\Users\admin\Desktop\PSTools\PsGetsid.exe		executable
		MD5:3D4112B92A8285D8661BBC29125BDBF5	SHA256:A48AC157609888471BF8578FB8B2AEF6B0068F7E0742FCCF2E0E288B0B2CFDFB
1176	WinRAR.exe	C:\Users\admin\Desktop\PSTools\psfile64.exe		executable
		MD5:880ED8C97E6BDB64A342FAD25094049B	SHA256:BE922312978A53C92A49FEFD2C9F9CC098767B36F0E4D2E829D24725DF65BC21
1176	WinRAR.exe	C:\Users\admin\Desktop\PSTools\PsLoggedon64.exe		executable
		MD5:07ED30D2343BF8914DAAED872B681118	SHA256:FDADB6E15C52C41A31E3C22659DD490D5B616E017D1B1AA6070008CE09ED27EA
1176	WinRAR.exe	C:\Users\admin\Desktop\PSTools\pskill64.exe		executable
		MD5:BA9345119C1175C96D27370B0D203E70	SHA256:7BA47558C99E18C2C6449BE804B5E765C48D3A70CEAA04C1E0FAE67FF1D7178D

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

181

DNS requests

207

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5496	MoUsoCoreWorker.exe	GET	200	2.16.168.124:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6544	svchost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
4200	SIHClient.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
4200	SIHClient.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
5812	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/canonical.html	unknown	—	—	whitelisted
5812	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/success.txt?ipv4	unknown	—	—	whitelisted
5812	firefox.exe	POST	200	142.250.185.163:80	http://o.pki.goog/s/wr3/FIY	unknown	—	—	whitelisted
5812	firefox.exe	POST	200	2.16.206.143:80	http://r11.o.lencr.org/	unknown	—	—	whitelisted
5812	firefox.exe	POST	200	2.16.206.143:80	http://r11.o.lencr.org/	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
7308	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5496	MoUsoCoreWorker.exe	2.16.168.124:80	crl.microsoft.com	Akamai International B.V.	RU	whitelisted
5496	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
2516	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6544	svchost.exe	20.190.160.20:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6544	svchost.exe	2.23.77.188:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
3216	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.181.238	whitelisted
crl.microsoft.com	2.16.168.124 2.16.168.114	whitelisted
www.microsoft.com	95.101.149.131 2.23.181.156	whitelisted
settings-win.data.microsoft.com	51.124.78.146	whitelisted
login.live.com	20.190.160.20 40.126.32.138 20.190.160.132 20.190.160.3 40.126.32.140 20.190.160.128 20.190.160.2 20.190.160.130	whitelisted
ocsp.digicert.com	2.23.77.188 184.30.131.245	whitelisted
client.wns.windows.com	172.211.123.250 172.211.123.249	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted
detectportal.firefox.com	34.107.221.82	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

PSTools.zip

41EBDADC06B18164DC571F9DB251C01B

DDFB009F8B92226AA45C467F8D0EEBB29A8E2FF5

A9CA77DFE03CE15004157727BB43BA66F00CEB215362C9B3D199F000EDAA8D61

98304:w8SK6YhPu87Ci2jqrAAQiu9fffhwqZ4qxIL48xtg6TK/nUjqbprp7sg:wU/h3h0qrAL9fCqZO1Kycbprp7P

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic archive extractor

SUSPICIOUS

The process creates files with name similar to system file names

Executable content was dropped or overwritten

PSEXEC has been detected

Executes as Windows Service

Starts CMD.EXE for commands execution

Uses RUNDLL32.EXE to load library

Application launched itself

Windows service management via SC.EXE

Starts SC.EXE for service management

INFO

Executable content was dropped or overwritten

Manual execution by a user

The sample compiled with english language support

Reads the software policy settings

Launch of the file from Downloads directory

Checks supported languages

Reads the computer name

Checks current location (POWERSHELL)

Application launched itself

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings