File name:

PSTools.zip

Full analysis: https://app.any.run/tasks/8e143b36-bbdd-454d-a469-5c51aa5a2d7b
Verdict: Malicious activity
Analysis date: November 13, 2019, 15:28:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

970DD74FCE75C85772DC9451AF8B58AB

SHA1:

AD067399BD4A553DA391D8059B95B1BD156FBB0B

SHA256:

B9F404D4C7B6BF3A37746C66BCD014E75859D2FCF887B1DB527EC3ED2CCDEB30

SSDEEP:

98304:2NEY1OfoW3IhXEb1pObL1eD7nn0I8dEoADgh:2KYUgW3IhXEbGu7nN8dEe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • PsExec.exe (PID: 1248)
      • PsExec.exe (PID: 2576)
      • PsExec.exe (PID: 1796)
      • PsGetsid.exe (PID: 2708)
      • PsGetsid.exe (PID: 3992)
      • PsGetsid.exe (PID: 3136)
      • PsGetsid.exe (PID: 2524)
      • PsGetsid.exe (PID: 2752)
      • PsGetsid.exe (PID: 2504)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1212)
  • INFO

    • Manual execution by user

      • PsGetsid.exe (PID: 2708)
      • PsGetsid.exe (PID: 2524)
      • PsGetsid.exe (PID: 3992)
      • PsGetsid.exe (PID: 3136)
      • PsGetsid.exe (PID: 2752)
      • PsGetsid.exe (PID: 2504)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2006:12:04 17:53:09
ZipCRC: 0xeecdb72d
ZipCompressedSize: 97181
ZipUncompressedSize: 207664
ZipFileName: psshutdown.exe
No data.
All screenshots are available in the full report
Total processes: 54
Monitored processes: 10
Malicious processes: 1
Suspicious processes: 0

Behavior graph

[Behavior graph, rendered as an image in the full report. Edges: "drop and start" (x3), "start". Nodes: winrar.exe; psexec.exe, no specs (x3); psgetsid.exe, no specs (x6).]

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1212
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\PSTools.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 1248
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa1212.44118\PsExec.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa1212.44118\PsExec.exe
Parent process: WinRAR.exe
User:
admin
Company:
Sysinternals - www.sysinternals.com
Integrity Level:
MEDIUM
Description:
Execute processes remotely
Exit code:
4294967295
Version:
2.2
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa1212.44118\psexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
PID: 1796
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa1212.46630\PsExec.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa1212.46630\PsExec.exe
Parent process: WinRAR.exe
User:
admin
Company:
Sysinternals - www.sysinternals.com
Integrity Level:
MEDIUM
Description:
Execute processes remotely
Exit code:
4294967295
Version:
2.2
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa1212.46630\psexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
PID: 2504
CMD: "C:\Users\admin\Desktop\PsGetsid.exe"
Path: C:\Users\admin\Desktop\PsGetsid.exe
Parent process: explorer.exe
User:
admin
Company:
Sysinternals - www.sysinternals.com
Integrity Level:
MEDIUM
Description:
Translates SIDs to names and vice versa
Exit code:
0
Version:
1.45
Modules
Images
c:\users\admin\desktop\psgetsid.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
PID: 2524
CMD: "C:\Users\admin\Desktop\PsGetsid.exe"
Path: C:\Users\admin\Desktop\PsGetsid.exe
Parent process: explorer.exe
User:
admin
Company:
Sysinternals - www.sysinternals.com
Integrity Level:
MEDIUM
Description:
Translates SIDs to names and vice versa
Exit code:
0
Version:
1.45
Modules
Images
c:\users\admin\desktop\psgetsid.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
PID: 2576
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa1212.45166\PsExec.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa1212.45166\PsExec.exe
Parent process: WinRAR.exe
User:
admin
Company:
Sysinternals - www.sysinternals.com
Integrity Level:
MEDIUM
Description:
Execute processes remotely
Exit code:
4294967295
Version:
2.2
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa1212.45166\psexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
PID: 2708
CMD: "C:\Users\admin\Desktop\PsGetsid.exe"
Path: C:\Users\admin\Desktop\PsGetsid.exe
Parent process: explorer.exe
User:
admin
Company:
Sysinternals - www.sysinternals.com
Integrity Level:
MEDIUM
Description:
Translates SIDs to names and vice versa
Exit code:
0
Version:
1.45
Modules
Images
c:\users\admin\desktop\psgetsid.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
PID: 2752
CMD: "C:\Users\admin\Desktop\PsGetsid.exe"
Path: C:\Users\admin\Desktop\PsGetsid.exe
Parent process: explorer.exe
User:
admin
Company:
Sysinternals - www.sysinternals.com
Integrity Level:
MEDIUM
Description:
Translates SIDs to names and vice versa
Exit code:
0
Version:
1.45
Modules
Images
c:\users\admin\desktop\psgetsid.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
PID: 3136
CMD: "C:\Users\admin\Desktop\PsGetsid.exe"
Path: C:\Users\admin\Desktop\PsGetsid.exe
Parent process: explorer.exe
User:
admin
Company:
Sysinternals - www.sysinternals.com
Integrity Level:
MEDIUM
Description:
Translates SIDs to names and vice versa
Exit code:
0
Version:
1.45
Modules
Images
c:\users\admin\desktop\psgetsid.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
PID: 3992
CMD: "C:\Users\admin\Desktop\PsGetsid.exe"
Path: C:\Users\admin\Desktop\PsGetsid.exe
Parent process: explorer.exe
User:
admin
Company:
Sysinternals - www.sysinternals.com
Integrity Level:
MEDIUM
Description:
Translates SIDs to names and vice versa
Exit code:
0
Version:
1.45
Modules
Images
c:\users\admin\desktop\psgetsid.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
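The process table above is what a responder would actually query, so here it is turned into triage logic. This is an added example in Python and is not part of the ANY.RUN report: it transcribes the ten process records (PID, command line, path, parent, exit code) as constructed input and flags the two things worth flagging in this run: executables started by WinRAR.exe straight out of its Rar$EXa temp extraction folder (in this report the number embedded in that folder name equals the WinRAR PID 1212, and the script checks that it matches the recorded parent), and PsExec invoked with no arguments, with the DWORD exit code 4294967295 decoded as a signed 32-bit value (-1). The Rar$EX path pattern, the "remote execution tool" list and the rule names are the example's own assumptions, not fields of the report.

```python
import re
from dataclasses import dataclass

# Process records transcribed from the report's "Process information" table:
# (PID, command line, image path, parent image, exit code). Constructed sample
# input for this example; only the fields the report shows are used.
PROCESSES = [
    (1212, r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\PSTools.zip"',
     r"C:\Program Files\WinRAR\WinRAR.exe", "explorer.exe", 0),
    (1248, r'"C:\Users\admin\AppData\Local\Temp\Rar$EXa1212.44118\PsExec.exe"',
     r"C:\Users\admin\AppData\Local\Temp\Rar$EXa1212.44118\PsExec.exe", "WinRAR.exe", 4294967295),
    (1796, r'"C:\Users\admin\AppData\Local\Temp\Rar$EXa1212.46630\PsExec.exe"',
     r"C:\Users\admin\AppData\Local\Temp\Rar$EXa1212.46630\PsExec.exe", "WinRAR.exe", 4294967295),
    (2576, r'"C:\Users\admin\AppData\Local\Temp\Rar$EXa1212.45166\PsExec.exe"',
     r"C:\Users\admin\AppData\Local\Temp\Rar$EXa1212.45166\PsExec.exe", "WinRAR.exe", 4294967295),
] + [
    (pid, r'"C:\Users\admin\Desktop\PsGetsid.exe"',
     r"C:\Users\admin\Desktop\PsGetsid.exe", "explorer.exe", 0)
    for pid in (2504, 2524, 2708, 2752, 3136, 3992)
]

# Folder WinRAR used when a member was opened from inside the archive viewer. The three
# PsExec paths in the report follow %TEMP%\Rar$EXa<number>.<number>\ and the first number
# equals the WinRAR PID (1212). Assumed pattern, derived from those paths.
RAR_TEMP_DIR = re.compile(r"\\Temp\\Rar\$EX[a-z](?P<owner>\d+)\.\d+\\", re.IGNORECASE)

# Sysinternals binaries whose mere execution deserves a finding (assumed list).
REMOTE_EXEC_TOOLS = {"psexec.exe", "psexec64.exe"}


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def signed32(code: int) -> int:
    """Read a DWORD exit code as signed 32-bit: the report's 4294967295 is -1."""
    return code - (1 << 32) if code & 0x80000000 else code


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def has_arguments(cmdline: str) -> bool:
    """True when anything follows the (possibly quoted) image on the command line."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    return bool(m and m.group(1).strip())


def triage(processes):
    """Apply both rules to every record and return the findings in process order."""
    by_pid = {p[0]: p for p in processes}
    findings = []
    for pid, cmd, path, parent, code in processes:
        name = image_name(path)
        m = RAR_TEMP_DIR.search(path)
        if m:
            owner = by_pid.get(int(m.group("owner")))
            consistent = owner is not None and image_name(owner[2]) == parent.lower()
            findings.append(Finding(pid, "exec_from_archive_temp",
                f"{name} launched by {parent} straight from the WinRAR temp folder; "
                f"folder owner PID {m.group('owner')} "
                + ("matches the parent" if consistent else "does not match the parent")))
        if name in REMOTE_EXEC_TOOLS:
            findings.append(Finding(pid, "remote_exec_tool",
                f"{name} started {'with' if has_arguments(cmd) else 'without'} arguments, "
                f"exit code {signed32(code)}"))
    return findings


if __name__ == "__main__":
    for f in triage(PROCESSES):
        print(f"{f.pid:>5}  {f.rule:<24} {f.detail}")
```

Run as-is it prints six findings, two per PsExec PID (1248, 1796, 2576), and nothing for WinRAR or the six PsGetsid runs that were started from the Desktop by explorer.exe. The owner-PID cross-check matters in real telemetry: a Rar$EX folder whose embedded PID does not belong to the recorded parent means the path was staged to look like an archive extraction rather than produced by one.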
Total events: 503
Read events: 473
Write events: 30
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
1212 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP |
1212 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon |
1212 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E | write | LanguageList | en-US
1212 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\PSTools.zip
1212 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
1212 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
1212 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
1212 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100
1212 | WinRAR.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0
1212 | WinRAR.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1
Executable files: 100
Suspicious files: 0
Text files: 8
Unknown types: 4

Dropped files

PID | Process | Filename | Type
1212 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1212.44118\psfile64.exe | executable
  MD5: E52AC781C403DABE22DFA16AEF8491BE
  SHA256: 033B81744E0BD4219A4D698894B8403BB67B525C96049CBFEF34677D4D6FC85C
1212 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1212.44118\PsExec.exe | executable
  MD5: 27304B246C7D5B4E149124D5F93C5B01
  SHA256: 3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF
1212 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1212.44118\PsExec64.exe | executable
  MD5: 9321C107D1F7E336CDA550A2BF049108
  SHA256: AD6B98C01EE849874E4B4502C3D7853196F6044240D3271E4AB3FC6E3C08E9A4
1212 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1212.44118\pskill64.exe | executable
  MD5: 26EA3E520CB396587D32A7A01AA564BD
  SHA256: 75899C5ACE600406503A937EF550AB0BBD0F6E0188B9E93E206BEB1DFC79BB81
1212 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1212.44118\pslist64.exe | executable
  MD5: A285919B3737ED691E1D029E36213050
  SHA256: E6901E8423DA3E54BAB25F7C90F60D3979BFA5BB61BCC46059662736253B8C72
1212 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1212.44118\PsService64.exe | executable
  MD5: 029D745D114C0A69CF0CB12450CB7B74
  SHA256: 6DE3137B3088B2C2C311A540F9AAEB57E9FD38259CB18875F2380EE74EC1C7AF
1212 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1212.44118\pskill.exe | executable
  MD5: 8C1772C2D124E80526642BE3FBD2E8F3
  SHA256: 546EC58D0134EA64611E12D7E3A867793E8CB6145AC18745349408A60FC2FABE
1212 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1212.44118\PsLoggedon64.exe | executable
  MD5: 07ED30D2343BF8914DAAED872B681118
  SHA256: FDADB6E15C52C41A31E3C22659DD490D5B616E017D1B1AA6070008CE09ED27EA
1212 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1212.44118\PsLoggedon.exe | executable
  MD5: E3EA271E748CCDAD6A6D3E692D6F337E
  SHA256: D689CB1DBD2E4C06CD15E51A6871C406C595790DDCDCD7DC8D0401C7183720EF
1212 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1212.44118\PsService.exe | executable
  MD5: 02FE68328F96FEE688DA5885EB4C3CF0
  SHA256: 9454BA56BCB470D330559573AFBC10F6989BA46F3E656C20979DE6F92E051752
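The dropped-file digests above are the reusable indicators on this page. As an added example in Python (not from the report, and not Sysinternals code), the script below parses the ten rows exactly as the page prints them, validates each digest, and builds a lookup keyed by both MD5 and SHA256 so a directory can be scanned for byte-for-byte copies of these builds. The row regex, the directory-scan helper and its constructed sample file are the example's own assumptions. Note what the check answers: "is this file one of the binaries this sandbox run wrote", not whether that build is the authentic Microsoft release; the report's Company field says Sysinternals, but the page does not compare these hashes against the vendor's.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# The report's "Dropped files" rows exactly as the page prints them (10 of the 100
# executables WinRAR wrote): a fused line holding PID, process, filename and type,
# followed by the MD5 and SHA256 lines. Transcribed from the report above.
DROPPED_FILES_TEXT = r"""
1212WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa1212.44118\psfile64.exeexecutable
MD5:E52AC781C403DABE22DFA16AEF8491BE
SHA256:033B81744E0BD4219A4D698894B8403BB67B525C96049CBFEF34677D4D6FC85C
1212WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa1212.44118\PsExec.exeexecutable
MD5:27304B246C7D5B4E149124D5F93C5B01
SHA256:3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF
1212WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa1212.44118\PsExec64.exeexecutable
MD5:9321C107D1F7E336CDA550A2BF049108
SHA256:AD6B98C01EE849874E4B4502C3D7853196F6044240D3271E4AB3FC6E3C08E9A4
1212WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa1212.44118\pskill64.exeexecutable
MD5:26EA3E520CB396587D32A7A01AA564BD
SHA256:75899C5ACE600406503A937EF550AB0BBD0F6E0188B9E93E206BEB1DFC79BB81
1212WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa1212.44118\pslist64.exeexecutable
MD5:A285919B3737ED691E1D029E36213050
SHA256:E6901E8423DA3E54BAB25F7C90F60D3979BFA5BB61BCC46059662736253B8C72
1212WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa1212.44118\PsService64.exeexecutable
MD5:029D745D114C0A69CF0CB12450CB7B74
SHA256:6DE3137B3088B2C2C311A540F9AAEB57E9FD38259CB18875F2380EE74EC1C7AF
1212WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa1212.44118\pskill.exeexecutable
MD5:8C1772C2D124E80526642BE3FBD2E8F3
SHA256:546EC58D0134EA64611E12D7E3A867793E8CB6145AC18745349408A60FC2FABE
1212WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa1212.44118\PsLoggedon64.exeexecutable
MD5:07ED30D2343BF8914DAAED872B681118
SHA256:FDADB6E15C52C41A31E3C22659DD490D5B616E017D1B1AA6070008CE09ED27EA
1212WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa1212.44118\PsLoggedon.exeexecutable
MD5:E3EA271E748CCDAD6A6D3E692D6F337E
SHA256:D689CB1DBD2E4C06CD15E51A6871C406C595790DDCDCD7DC8D0401C7183720EF
1212WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa1212.44118\PsService.exeexecutable
MD5:02FE68328F96FEE688DA5885EB4C3CF0
SHA256:9454BA56BCB470D330559573AFBC10F6989BA46F3E656C20979DE6F92E051752
"""

# One fused row: PID, then the process image (up to the first ".exe"), then the dropped
# path, then the type word the report appends. Assumed layout, derived from the rows above.
ROW = re.compile(r"^(?P<pid>\d+)(?P<proc>.+?\.exe)(?P<path>[A-Za-z]:\\.+?)(?P<type>executable|text|unknown)$")
HEX = {"md5": 32, "sha256": 64}


def parse_dropped_files(text):
    """Turn the fused report rows into records with validated, lower-cased digests."""
    records, current = [], None
    for line in text.strip().splitlines():
        m = ROW.match(line)
        if m:
            current = {"pid": int(m["pid"]), "process": m["proc"],
                       "path": m["path"], "type": m["type"]}
            records.append(current)
            continue
        for algo, width in HEX.items():
            prefix = algo.upper() + ":"
            if line.startswith(prefix) and current is not None:
                digest = line[len(prefix):].strip().lower()
                if len(digest) != width or not all(c in "0123456789abcdef" for c in digest):
                    raise ValueError(f"bad {algo} on {current['path']}: {digest}")
                current[algo] = digest
    return records


def build_index(records):
    """Key every record by both digests, so a partial IOC list (MD5-only) still matches."""
    index = {}
    for r in records:
        index[r["md5"]] = r
        index[r["sha256"]] = r
    return index


def match_bytes(data, index):
    """Return the matching dropped-file record for a file's bytes, or None."""
    return index.get(hashlib.sha256(data).hexdigest()) or index.get(hashlib.md5(data).hexdigest())


def scan_directory(directory, index):
    """Return (local path, dropped-file name) for every file whose digest is in the index."""
    hits = []
    for p in sorted(Path(directory).rglob("*")):
        if p.is_file():
            r = match_bytes(p.read_bytes(), index)
            if r is not None:
                hits.append((str(p), r["path"].rsplit("\\", 1)[-1]))
    return hits


def demo_scan():
    """Scan a temp dir holding one constructed file: it matches nothing in the index."""
    index = build_index(parse_dropped_files(DROPPED_FILES_TEXT))
    with tempfile.TemporaryDirectory() as d:
        Path(d, "sample.bin").write_bytes(b"constructed sample, not a Sysinternals binary")
        return scan_directory(d, index)
```

Point scan_directory at an extracted copy of a suspect PSTools.zip to see which members are identical to the ones this run dropped. The parser rejects a malformed digest rather than silently indexing it, which is the failure you want when copying hashes out of a rendered page.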
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info