File name: PSTools.zip

Full analysis: https://app.any.run/tasks/7aec1a4e-2701-4cb2-9939-e7240096e1b7
Verdict: Malicious activity
Analysis date: November 14, 2019, 10:17:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 970DD74FCE75C85772DC9451AF8B58AB
SHA1: AD067399BD4A553DA391D8059B95B1BD156FBB0B
SHA256: B9F404D4C7B6BF3A37746C66BCD014E75859D2FCF887B1DB527EC3ED2CCDEB30
SSDEEP: 98304:2NEY1OfoW3IhXEb1pObL1eD7nn0I8dEoADgh:2KYUgW3IhXEbGu7nN8dEe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • PsGetsid.exe (PID: 2108)
      • PsGetsid.exe (PID: 3780)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 992)
  • INFO

    • Manual execution by user

      • PsGetsid.exe (PID: 2108)
      • cmd.exe (PID: 2144)
      • PsGetsid.exe (PID: 3780)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF (ZIP)

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2006:12:04 17:53:09
ZipCRC: 0xeecdb72d
ZipCompressedSize: 97181
ZipUncompressedSize: 207664
ZipFileName: psshutdown.exe
Total processes: 41
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes shown in the graph: start, winrar.exe, psgetsid.exe (no specs), cmd.exe (no specs), psgetsid.exe (no specs)

Process information

PID: 992
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\PSTools.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules (images):
  • c:\program files\winrar\winrar.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\comdlg32.dll
PID: 2108
CMD: "C:\Users\admin\Desktop\PsGetsid.exe"
Path: C:\Users\admin\Desktop\PsGetsid.exe
Parent process: explorer.exe
User: admin
Company: Sysinternals - www.sysinternals.com
Integrity Level: MEDIUM
Description: Translates SIDs to names and vice versa
Exit code: 0
Version: 1.45
Modules (images):
  • c:\users\admin\desktop\psgetsid.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\version.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\netapi32.dll
  • c:\windows\system32\netutils.dll
  • c:\windows\system32\srvcli.dll
  • c:\windows\system32\rpcrt4.dll
PID: 2144
CMD: "C:\Windows\system32\cmd.exe"
Path: C:\Windows\system32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
  • c:\windows\system32\cmd.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\winbrand.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
PID: 3780
CMD: "C:\Users\admin\Desktop\PsGetsid.exe"
Path: C:\Users\admin\Desktop\PsGetsid.exe
Parent process: explorer.exe
User: admin
Company: Sysinternals - www.sysinternals.com
Integrity Level: MEDIUM
Description: Translates SIDs to names and vice versa
Exit code: 0
Version: 1.45
Modules (images):
  • c:\users\admin\desktop\psgetsid.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\version.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\netapi32.dll
  • c:\windows\system32\netutils.dll
  • c:\windows\system32\srvcli.dll
  • c:\windows\system32\rpcrt4.dll
Total events: 499
Read events: 466
Write events: 33
Delete events: 0

Modification events

Process | Operation | Key | Name | Value
(992) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP |
(992) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon |
(992) WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E | LanguageList | en-US
(992) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\PSTools.zip
(992) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
(992) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
(992) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
(992) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
(992) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | name | 120
(992) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | size | 80
Executable files: 25
Suspicious files: 0
Text files: 2
Unknown types: 1

Dropped files

All files below were dropped by WinRAR.exe (PID 992); type: executable.

  • C:\Users\admin\Desktop\pskill.exe
    MD5: 8C1772C2D124E80526642BE3FBD2E8F3
    SHA256: 546EC58D0134EA64611E12D7E3A867793E8CB6145AC18745349408A60FC2FABE
  • C:\Users\admin\Desktop\psfile.exe
    MD5: 201058594991D79D5D8891DBBEEEE3C6
    SHA256: 9D45453285FF3B4A41056317C96866D06481751307D703E3355B18D5EEB092AD
  • C:\Users\admin\Desktop\PsExec64.exe
    MD5: 9321C107D1F7E336CDA550A2BF049108
    SHA256: AD6B98C01EE849874E4B4502C3D7853196F6044240D3271E4AB3FC6E3C08E9A4
  • C:\Users\admin\Desktop\pssuspend64.exe
    MD5: FBE9E863C6E46F75BFABA674E3BA0CDA
    SHA256: E93DDD9ED564B7F6532CD5B94CDCE73067D8EBAD8A5CE9373A6F839C7050780F
  • C:\Users\admin\Desktop\pslist64.exe
    MD5: A285919B3737ED691E1D029E36213050
    SHA256: E6901E8423DA3E54BAB25F7C90F60D3979BFA5BB61BCC46059662736253B8C72
  • C:\Users\admin\Desktop\PsLoggedon.exe
    MD5: E3EA271E748CCDAD6A6D3E692D6F337E
    SHA256: D689CB1DBD2E4C06CD15E51A6871C406C595790DDCDCD7DC8D0401C7183720EF
  • C:\Users\admin\Desktop\psfile64.exe
    MD5: E52AC781C403DABE22DFA16AEF8491BE
    SHA256: 033B81744E0BD4219A4D698894B8403BB67B525C96049CBFEF34677D4D6FC85C
  • C:\Users\admin\Desktop\psping.exe
    MD5: 829BF469365FE504C673D8B7BE7D3436
    SHA256: C8453110682D999223A84146462B0B4FC6979F40A01B60A7B925783B71B2D6FF
  • C:\Users\admin\Desktop\pskill64.exe
    MD5: 26EA3E520CB396587D32A7A01AA564BD
    SHA256: 75899C5ACE600406503A937EF550AB0BBD0F6E0188B9E93E206BEB1DFC79BB81
  • C:\Users\admin\Desktop\PsService64.exe
    MD5: 029D745D114C0A69CF0CB12450CB7B74
    SHA256: 6DE3137B3088B2C2C311A540F9AAEB57E9FD38259CB18875F2380EE74EC1C7AF
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info