File name: PSTools.zip

Full analysis: https://app.any.run/tasks/7aec1a4e-2701-4cb2-9939-e7240096e1b7
Verdict: Malicious activity
Analysis date: November 14, 2019, 10:17:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 970DD74FCE75C85772DC9451AF8B58AB
SHA1: AD067399BD4A553DA391D8059B95B1BD156FBB0B
SHA256: B9F404D4C7B6BF3A37746C66BCD014E75859D2FCF887B1DB527EC3ED2CCDEB30
SSDEEP: 98304:2NEY1OfoW3IhXEb1pObL1eD7nn0I8dEoADgh:2KYUgW3IhXEbGu7nN8dEe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • PsGetsid.exe (PID: 3780)
      • PsGetsid.exe (PID: 2108)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 992)
  • INFO

    • Manual execution by user

      • PsGetsid.exe (PID: 3780)
      • cmd.exe (PID: 2144)
      • PsGetsid.exe (PID: 2108)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2006:12:04 17:53:09
ZipCRC: 0xeecdb72d
ZipCompressedSize: 97181
ZipUncompressedSize: 207664
ZipFileName: psshutdown.exe
No data.
All screenshots are available in the full report
Total processes: 41
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes shown in the graph: winrar.exe, psgetsid.exe (no specs), cmd.exe (no specs), psgetsid.exe (no specs)

Process information

PID: 992
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\PSTools.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 2108
CMD: "C:\Users\admin\Desktop\PsGetsid.exe"
Path: C:\Users\admin\Desktop\PsGetsid.exe
Parent process: explorer.exe
User:
admin
Company:
Sysinternals - www.sysinternals.com
Integrity Level:
MEDIUM
Description:
Translates SIDs to names and vice versa
Exit code:
0
Version:
1.45
Modules
Images
c:\users\admin\desktop\psgetsid.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
PID: 2144
CMD: "C:\Windows\system32\cmd.exe"
Path: C:\Windows\system32\cmd.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3780
CMD: "C:\Users\admin\Desktop\PsGetsid.exe"
Path: C:\Users\admin\Desktop\PsGetsid.exe
Parent process: explorer.exe
User:
admin
Company:
Sysinternals - www.sysinternals.com
Integrity Level:
MEDIUM
Description:
Translates SIDs to names and vice versa
Exit code:
0
Version:
1.45
Modules
Images
c:\users\admin\desktop\psgetsid.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
Total events: 499
Read events: 466
Write events: 33
Delete events: 0

Modification events

(PID) Process: (992) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (992) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (992) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (992) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\PSTools.zip

(PID) Process: (992) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (992) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (992) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (992) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (992) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (992) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
Operation: write
Name: size
Value: 80
Executable files: 25
Suspicious files: 0
Text files: 2
Unknown types: 1

Dropped files

PID: 992
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\PsExec.exe
Type: executable
MD5: 27304B246C7D5B4E149124D5F93C5B01
SHA256: 3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF

PID: 992
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\pslist64.exe
Type: executable
MD5: A285919B3737ED691E1D029E36213050
SHA256: E6901E8423DA3E54BAB25F7C90F60D3979BFA5BB61BCC46059662736253B8C72

PID: 992
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\pskill64.exe
Type: executable
MD5: 26EA3E520CB396587D32A7A01AA564BD
SHA256: 75899C5ACE600406503A937EF550AB0BBD0F6E0188B9E93E206BEB1DFC79BB81

PID: 992
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\pslist.exe
Type: executable
MD5: 2C23D6223D4AFF81AC137B6989BCE05C
SHA256: 9927831E111AC61FD7645BF7EFA1787DB1A3E85B6F64A274CA04B213DC27FD08

PID: 992
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\psshutdown.exe
Type: executable
MD5: 6AA0305AF2C055AC6C94B5D24F6CEC35
SHA256: 66885C2B1773A6D02C3937E67B94B786FC64AF17A7E8BAD050BE5149092A0117

PID: 992
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\pskill.exe
Type: executable
MD5: 8C1772C2D124E80526642BE3FBD2E8F3
SHA256: 546EC58D0134EA64611E12D7E3A867793E8CB6145AC18745349408A60FC2FABE

PID: 992
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\PsService64.exe
Type: executable
MD5: 029D745D114C0A69CF0CB12450CB7B74
SHA256: 6DE3137B3088B2C2C311A540F9AAEB57E9FD38259CB18875F2380EE74EC1C7AF

PID: 992
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\pssuspend64.exe
Type: executable
MD5: FBE9E863C6E46F75BFABA674E3BA0CDA
SHA256: E93DDD9ED564B7F6532CD5B94CDCE73067D8EBAD8A5CE9373A6F839C7050780F

PID: 992
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\pssuspend.exe
Type: executable
MD5: DF3D77D41EF28027B3069D39F9EE9C79
SHA256: 02EC8C37DD946A2CD74673993C2108F12FFF3E82019A1590231C4205CCB2F0D4

PID: 992
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\PsExec64.exe
Type: executable
MD5: 9321C107D1F7E336CDA550A2BF049108
SHA256: AD6B98C01EE849874E4B4502C3D7853196F6044240D3271E4AB3FC6E3C08E9A4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info