download:

PE.Tools.v1.9.762.2018.7z

Full analysis: https://app.any.run/tasks/7ec77525-8088-4fba-a7b6-a09e8d17f06b
Verdict: Malicious activity
Analysis date: February 24, 2021, 18:31:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5:

153B77CF7850E3CFDF2BAFBF2C59646B

SHA1:

57CD37AA66AB6B72E1FF68E47111142EC50AFB41

SHA256:

B831343A1441039C68A60777CEF9ECB1F41381BFF369C2F993CD3DB6BF8C9FB8

SSDEEP:

12288:sJlC8bvliexxSe2jYEy7ZQo8mgiMK2bATiNCH/4yG1+0ccOh5:sS8EPjfytQ2giMK2bOuCH/4ydFv

ANY.RUN is an interactive service that gives the analyst full access to the guest system, so actions taken by the user during the session can affect the behaviour recorded here. The information in this report is provided as-is for the reader's awareness; ANY.RUN does not guarantee that the content is malicious or safe.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3932)
      • PETools.exe (PID: 2016)
      • PETools.exe (PID: 3712)
      • PETools.exe (PID: 1680)
    • Application was dropped or rewritten from another process

      • PETools.exe (PID: 2016)
      • PETools.exe (PID: 3712)
      • PETools.exe (PID: 1680)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3384)
  • INFO

    • Manual execution by user

      • PETools.exe (PID: 3712)
      • explorer.exe (PID: 1696)
      • PETools.exe (PID: 1680)
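The three MALICIOUS/SUSPICIOUS rules above are correlations between file-write events and the image or module paths of later processes: WinRAR (PID 3384) writes executables into its Rar$EXa temp folder, and the PETools.exe instances then run from, or load, those written files. The script below is an added example, not ANY.RUN's detection code, that re-derives the rules from constructed records mirroring the PIDs and paths in this report. The FileWrite/ProcessStart record format, the abbreviated module lists, and the assumption that WinRAR also wrote the Downloads copy of PETools.exe (which the Dropped files table does not list but the indicator on PIDs 3712 and 1680 implies) are all assumptions. Note that these rules fire on any archive whose contents are extracted and executed; this report records no HTTP, TCP/UDP or DNS activity and no IDS threats, so the verdict rests on these file-drop correlations alone.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FileWrite:
    pid: int            # writing process
    process: str
    path: str           # file written
    kind: str           # "executable" or "text", the types used in the Dropped files table


@dataclass(frozen=True)
class ProcessStart:
    pid: int
    image: str                 # main executable path
    parent: str
    modules: Tuple[str, ...]   # images loaded, as in the report's Modules list (abbreviated)


def norm(path: str) -> str:
    """Windows paths are case-insensitive; the report itself prints them in mixed case."""
    return path.lower()


def executable_writers(writes: List[FileWrite]) -> Dict[str, int]:
    """Normalized path -> PID of the process that wrote an executable there (last writer wins)."""
    return {norm(w.path): w.pid for w in writes if w.kind == "executable"}


def find_indicators(writes: List[FileWrite], starts: List[ProcessStart]) -> Dict[str, List[int]]:
    """Re-derive the three verdict rules from the report:
    - dropped_or_rewritten_app: a process whose main image was written by another monitored process
    - loads_dropped_executable: a process that mapped any image (exe or dll) written during the run
    - drops_executable: the writers themselves (the report's SUSPICIOUS rule)
    """
    dropped = executable_writers(writes)
    out: Dict[str, List[int]] = {
        "dropped_or_rewritten_app": [],
        "loads_dropped_executable": [],
        "drops_executable": sorted(set(dropped.values())),
    }
    for p in starts:
        writer = dropped.get(norm(p.image))
        if writer is not None and writer != p.pid:
            out["dropped_or_rewritten_app"].append(p.pid)
        if any(norm(m) in dropped for m in p.modules):
            out["loads_dropped_executable"].append(p.pid)
    return out


# Constructed records mirroring the report's PIDs and paths. Assumption: WinRAR also
# wrote the Downloads copy of PETools.exe (not shown in the Dropped files table).
TEMP = r"C:\Users\admin\AppData\Local\Temp\Rar$EXa3384.38598"
DL = r"C:\Users\admin\Downloads"
SYS = r"C:\Windows\system32"

FILE_WRITES = [
    FileWrite(3384, "WinRAR.exe", TEMP + r"\PETools.exe", "executable"),
    FileWrite(3384, "WinRAR.exe", TEMP + r"\RebPE.dll", "executable"),
    FileWrite(3384, "WinRAR.exe", TEMP + r"\ReadMe_EN.md", "text"),
    FileWrite(3384, "WinRAR.exe", DL + r"\PETools.exe", "executable"),
    FileWrite(2016, "PETools.exe", TEMP + r"\PETools.ini", "text"),
    FileWrite(3712, "PETools.exe", DL + r"\PETools.ini", "text"),
]

PROCESS_STARTS = [
    ProcessStart(3384, r"C:\Program Files\WinRAR\WinRAR.exe", "explorer.exe",
                 (r"c:\program files\winrar\winrar.exe", SYS + r"\ntdll.dll")),
    ProcessStart(2016, TEMP + r"\PETools.exe", "WinRAR.exe",
                 (TEMP.lower() + r"\petools.exe", SYS + r"\ntdll.dll")),
    ProcessStart(3712, DL + r"\PETools.exe", "explorer.exe",
                 (DL.lower() + r"\petools.exe", SYS + r"\ntdll.dll")),
    ProcessStart(1680, DL + r"\PETools.exe", "explorer.exe",
                 (DL.lower() + r"\petools.exe", SYS + r"\ntdll.dll")),
]

if __name__ == "__main__":
    for rule, pids in find_indicators(FILE_WRITES, PROCESS_STARTS).items():
        print(f"{rule}: {pids}")
```

Running it reproduces the report's attribution: PIDs 2016, 3712 and 1680 under both MALICIOUS rules and PID 3384 under the SUSPICIOUS one. The rule has no notion of who the writer is, so an archiver extracting a signed installer and a dropper unpacking a payload look identical to it; what separates the two is the rest of the report (provenance of the archive, network activity, persistence), not this indicator.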
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
All screenshots are available in the full report
Total processes: 50
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Rendered as an interactive graph in the full report. Recovered from its node and edge labels: WinRAR.exe drops and starts PETools.exe (PID 2016); explorer.exe starts the two Downloads copies of PETools.exe (PIDs 3712 and 1680); SearchProtocolHost.exe also appears as a node. Most nodes are marked "no specs" (no further detail in the graph).

Process information

PID:
1680
CMD:
"C:\Users\admin\Downloads\PETools.exe"
Path:
C:\Users\admin\Downloads\PETools.exe
Parent process:
explorer.exe
User:
admin
Company:
painter and Jupiter <RnD>
Integrity Level:
HIGH
Description:
PE Tools - oldschool reverse engineering tool!
Exit code:
0
Version:
PE Tools v1.9.762
Modules
Images
c:\users\admin\downloads\petools.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID:
1696
CMD:
"C:\Windows\explorer.exe"
Path:
C:\Windows\explorer.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID:
2016
CMD:
"C:\Users\admin\AppData\Local\Temp\Rar$EXa3384.38598\PETools.exe"
Path:
C:\Users\admin\AppData\Local\Temp\Rar$EXa3384.38598\PETools.exe
Parent process:
WinRAR.exe
User:
admin
Company:
painter and Jupiter <RnD>
Integrity Level:
MEDIUM
Description:
PE Tools - oldschool reverse engineering tool!
Exit code:
0
Version:
PE Tools v1.9.762
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa3384.38598\petools.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID:
3384
CMD:
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\PE.Tools.v1.9.762.2018.7z"
Path:
C:\Program Files\WinRAR\WinRAR.exe
Parent process:
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID:
3712
CMD:
"C:\Users\admin\Downloads\PETools.exe"
Path:
C:\Users\admin\Downloads\PETools.exe
Parent process:
explorer.exe
User:
admin
Company:
painter and Jupiter <RnD>
Integrity Level:
MEDIUM
Description:
PE Tools - oldschool reverse engineering tool!
Exit code:
0
Version:
PE Tools v1.9.762
Modules
Images
c:\users\admin\downloads\petools.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID:
3932
CMD:
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe3_ Global\UsGthrCtrlFltPipeMssGthrPipe3 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path:
C:\Windows\system32\SearchProtocolHost.exe
Parent process:
SearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\searchprotocolhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events: 1,774
Read events: 1,698
Write events: 75
Delete events: 1

Modification events

Process: (3384) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

Process: (3384) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

Process: (3384) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (3384) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
Operation: write
Name: @C:\Windows\system32\NetworkExplorer.dll,-1
Value: Network

Process: (3384) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\PE.Tools.v1.9.762.2018.7z

Process: (3384) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: (3384) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: (3384) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Process: (3384) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

Process: (3384) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
Operation: write
Name: @C:\Windows\system32\notepad.exe,-469
Value: Text Document
Executable files: 6
Suspicious files: 0
Text files: 13
Unknown types: 0

Dropped files

Process: (2016) PETools.exe
File: C:\Users\admin\AppData\Local\Temp\Rar$EXa3384.38598\PETools.ini
Type: text
MD5:
SHA256:

Process: (3384) WinRAR.exe
File: C:\Users\admin\AppData\Local\Temp\Rar$EXa3384.38598\WhatsNew_EN.md
Type: text
MD5: 608A7816F7E76A4B3499FE460480AEA6
SHA256: D8F08DF8D9837F7BC006D58344A4AD03FFDD4A50E63DE930C8E61337E39FEE83

Process: (3384) WinRAR.exe
File: C:\Users\admin\Downloads\Signs.txt
Type: text
MD5: 847FAAC4828BFA31E27F7D963012BD25
SHA256: 75BD2C90B98A2641557D61AE02313D4C4D47D35393C3C8CD31EA8F38ED7F85D0

Process: (3384) WinRAR.exe
File: C:\Users\admin\AppData\Local\Temp\Rar$EXa3384.38598\petools.sha1
Type: text
MD5: 22D647711A0D7E7C76F7EC7FFE150207
SHA256: 5B310D7004B289D16B53FC6E4848C84B53FE5656A16231A662A64BD57E95EEC0

Process: (3384) WinRAR.exe
File: C:\Users\admin\AppData\Local\Temp\Rar$EXa3384.38598\ReadMe_EN.md
Type: text
MD5: 3ED0CFD828A52B04852264C73414F65B
SHA256: 1CA2B07F9EA393C4566FAEDB1E8A1D3B2FE656FBBB821FD699F84833E725443C

Process: (3384) WinRAR.exe
File: C:\Users\admin\AppData\Local\Temp\Rar$EXa3384.38598\WhatsNew_RU.md
Type: text
MD5: B120E55FE671EE19BBA1BEEFCD822157
SHA256: D71F48F2057BD5E7D85DC211621F883218ECE93B3568C2074549B65ED36E2EFA

Process: (3384) WinRAR.exe
File: C:\Users\admin\Downloads\WhatsNew_EN.md
Type: text
MD5: 608A7816F7E76A4B3499FE460480AEA6
SHA256: D8F08DF8D9837F7BC006D58344A4AD03FFDD4A50E63DE930C8E61337E39FEE83

Process: (3384) WinRAR.exe
File: C:\Users\admin\AppData\Local\Temp\Rar$EXa3384.38598\RebPE.dll
Type: executable
MD5: EBBDB1BEF4A8FE9ADF118F5C37ACF936
SHA256: 4AB5A64EB0109794E25AED020135D8A090214C0A1C298D8B44A5F08715706FA1

Process: (3384) WinRAR.exe
File: C:\Users\admin\Downloads\ReadMe_EN.md
Type: text
MD5: 3ED0CFD828A52B04852264C73414F65B
SHA256: 1CA2B07F9EA393C4566FAEDB1E8A1D3B2FE656FBBB821FD699F84833E725443C

Process: (3712) PETools.exe
File: C:\Users\admin\Downloads\PETools.ini
Type: text
MD5:
SHA256:
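The archive ships its own manifest, petools.sha1, next to the binaries. Checking extracted files against such a manifest, and the archive itself against the MD5/SHA-1/SHA-256 values a sandbox report prints, is the routine check a practitioner runs before trusting a reverse-engineering tool pulled from a third-party mirror. The script below is an added example, not part of this report and not PE Tools' own tooling. It assumes petools.sha1 uses the sha1sum "digest filename" layout (the report shows the file but not its contents), and the extraction directory it verifies is constructed in a temporary folder with stand-in file contents.

```python
import hashlib
import os
import re
import tempfile
from typing import Dict, Iterable, List, Tuple

# sha1sum-style line: 40 hex digits, whitespace, optional '*' (binary mode), file name.
# Assumption: petools.sha1 uses this layout; the report shows the file but not its contents.
MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{40})\s+\*?(.+?)\s*$")


def _hash_blocks(blocks: Iterable[bytes]) -> Dict[str, str]:
    """MD5, SHA-1 and SHA-256 over the same byte stream in one pass, upper-case hex as the report prints."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    for block in blocks:
        for d in digests.values():
            d.update(block)
    return {name: d.hexdigest().upper() for name, d in digests.items()}


def multi_hash(path: str, chunk: int = 1 << 20) -> Dict[str, str]:
    """Hash a file without reading it into memory at once."""
    with open(path, "rb") as fh:
        return _hash_blocks(iter(lambda: fh.read(chunk), b""))


def multi_hash_bytes(data: bytes) -> Dict[str, str]:
    return _hash_blocks([data])


def parse_sha1_manifest(text: str) -> Dict[str, str]:
    """Relative file name (forward slashes) -> expected SHA-1. Malformed lines are an error, not skipped."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MANIFEST_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable manifest line: {raw!r}")
        entries[m.group(2).replace("\\", "/")] = m.group(1).upper()
    return entries


def verify_manifest(manifest_text: str, root: str,
                    manifest_name: str = "petools.sha1") -> Tuple[Dict[str, str], List[str]]:
    """Check every manifest entry under root and list files present but not covered by it.

    Returns ({name: "ok" | "mismatch" | "missing"}, [unlisted files]). Unlisted files matter:
    a manifest cannot vouch for a file it never mentions.
    """
    expected = parse_sha1_manifest(manifest_text)
    status: Dict[str, str] = {}
    for name, digest in expected.items():
        full = os.path.join(root, *name.split("/"))
        if not os.path.isfile(full):
            status[name] = "missing"
        else:
            status[name] = "ok" if multi_hash(full)["sha1"] == digest else "mismatch"
    present = sorted(
        os.path.relpath(os.path.join(d, f), root).replace(os.sep, "/")
        for d, _, files in os.walk(root) for f in files
    )
    unlisted = [f for f in present if f not in expected and f != manifest_name]
    return status, unlisted


def demo() -> Tuple[Dict[str, str], List[str]]:
    """Constructed extraction folder: one good entry, one tampered file, one missing file, one unlisted file."""
    with tempfile.TemporaryDirectory() as root:
        files = {  # stand-in contents, not the real binaries
            "PETools.exe": b"MZ" + b"\x00" * 62 + b"constructed stand-in for PETools.exe",
            "RebPE.dll": b"MZ" + b"\x00" * 62 + b"constructed stand-in, contents altered",
            "ReadMe_EN.md": b"# PE Tools\n",
        }
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        good = hashlib.sha1(files["PETools.exe"]).hexdigest()
        manifest = (
            f"{good} *PETools.exe\n"
            f"{'0' * 40}  RebPE.dll\n"      # wrong digest: simulates a tampered DLL
            f"{'1' * 40}  Missing.dll\n"    # listed but never extracted
        )
        with open(os.path.join(root, "petools.sha1"), "w") as fh:
            fh.write(manifest)
        return verify_manifest(manifest, root)


if __name__ == "__main__":
    status, unlisted = demo()
    print(status)
    print("unlisted:", unlisted)
```

A manifest that travels inside the archive only proves that the extracted files match that manifest; anyone who repacks the binaries can regenerate petools.sha1 alongside them. Compare the archive's own digest (the MD5/SHA-1/SHA-256 at the top of this report) against the value the publisher states, and treat "unlisted" files with the same suspicion as "mismatch".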
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info