SHA256: 033b81744e0bd4219a4d698894b8403bb67b525c96049cbfef34677d4d6fc85c
File name: psfile64.exe
Detection ratio: 0 / 71
Analysis date: 2019-01-29 02:21:41 UTC ( 1 month, 2 weeks ago )
Antivirus Result Update
Acronis 20190128
Ad-Aware 20190129
AegisLab 20190129
AhnLab-V3 20190129
Alibaba 20180921
ALYac 20190129
Antiy-AVL 20190129
Arcabit 20190128
Avast 20190128
Avast-Mobile 20190128
AVG 20190128
Avira (no cloud) 20190129
Babable 20180918
Baidu 20190128
BitDefender 20190128
Bkav 20190125
CAT-QuickHeal 20190128
ClamAV 20190128
CMC 20190128
Comodo 20190129
CrowdStrike Falcon (ML) 20181023
Cybereason 20190109
Cylance 20190129
Cyren 20190128
DrWeb 20190128
eGambit 20190129
Emsisoft 20190129
Endgame 20181108
ESET-NOD32 20190128
F-Prot 20190129
F-Secure 20190129
Fortinet 20190128
GData 20190129
Ikarus 20190128
Sophos ML 20181128
Jiangmin 20190129
K7AntiVirus 20190128
K7GW 20190128
Kaspersky 20190128
Kingsoft 20190129
Malwarebytes 20190129
MAX 20190129
McAfee 20190129
McAfee-GW-Edition 20190129
Microsoft 20190128
eScan 20190129
NANO-Antivirus 20190129
Palo Alto Networks (Known Signatures) 20190129
Panda 20190128
Qihoo-360 20190129
Rising 20190128
SentinelOne (Static ML) 20190124
Sophos AV 20190128
SUPERAntiSpyware 20190123
Symantec 20190129
TACHYON 20190129
Tencent 20190129
TheHacker 20190125
TotalDefense 20190128
Trapmine 20190123
TrendMicro 20190129
TrendMicro-HouseCall 20190129
Trustlook 20190129
VBA32 20190128
VIPRE 20190128
ViRobot 20190128
Webroot 20190129
Yandex 20190125
Zillya 20190128
ZoneAlarm by Check Point 20190128
Zoner 20190128
The file being studied is a Portable Executable. More specifically, it is a PE32+ (Win64) EXE for the Windows console subsystem, targeting the x64 architecture; VirusTotal's generic "Win32 EXE" label below refers to the PE format, not to the bitness.
Authenticode signature block and FileVersionInfo properties
Copyright Copyright (C) 2001-2016 Mark Russinovich
Product Sysinternals PsFile
Original name psfile.exe
Internal name PsFile
File version 1.03
Description Lists files and directories opened remotely
Signature verification Signed file, verified signature
Signing date 7:31 PM 6/28/2016
Signers
[+] Microsoft Corporation
Status This certificate or one of the certificates in the certificate chain is not time valid (the signer certificate expired 09/04/2016, after the countersigned signing date of 6/28/2016; the signature still verifies because the chain is judged at signing time, and the status only reports expiry relative to the analysis date)
Issuer Microsoft Code Signing PCA
Valid from 05:42 PM 06/04/2015
Valid to 05:42 PM 09/04/2016
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint 3BDA323E552DB1FDE5F4FBEE75D6D5B2B187EEDC
Serial number 33 00 00 01 0A 2C 79 AE D7 79 7B A6 AC 00 01 00 00 01 0A
[+] Microsoft Code Signing PCA
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 10:19 PM 08/31/2010
Valid to 10:29 PM 08/31/2020
Valid usage All
Algorithm sha1RSA
Thumbprint 3CAF9BA2DB5570CAF76942FF99101B993888E257
Serial number 61 33 26 1A 00 00 00 00 00 31
[+] Microsoft Root Certificate Authority
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 11:19 PM 05/09/2001
Valid to 11:28 PM 05/09/2021
Valid usage All
Algorithm sha1RSA
Thumbprint CDD4EEAE6000AC7F40C3802C171E30148030C072
Serial number 79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
Counter signers
[+] Microsoft Time-Stamp Service
Status This certificate or one of the certificates in the certificate chain is not time valid (the time-stamp certificate expired 06/30/2017; it was valid when the countersignature was applied on 6/28/2016)
Issuer Microsoft Time-Stamp PCA
Valid from 07:21 PM 03/30/2016
Valid to 07:21 PM 06/30/2017
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint A1F3FE643CAC735D7976F27DE33004BE9A309A87
Serial number 33 00 00 00 99 AA C5 81 9F 8C A2 7D 8A 00 00 00 00 00 99
[+] Microsoft Time-Stamp PCA
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 12:53 PM 04/03/2007
Valid to 01:03 PM 04/03/2021
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 375FCB825C3DC3752A02E34EB70993B4997191EF
Serial number 61 16 68 34 00 00 00 00 00 1C
[+] Microsoft Root Certificate Authority
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 11:19 PM 05/09/2001
Valid to 11:28 PM 05/09/2021
Valid usage All
Algorithm sha1RSA
Thumbprint CDD4EEAE6000AC7F40C3802C171E30148030C072
Serial number 79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
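The two "not time valid" statuses above sit next to "Signed file, verified signature", and they are not contradictory. With a countersignature present, Authenticode judges the signer chain and the time-stamp chain at the countersigned signing time; the status line only reports expiry relative to the date the report was generated. The Python below is an added example, not VirusTotal's verification logic, that reproduces both readings from the dates in this report. It assumes every timestamp in the report is in the same (unspecified) time zone and uses the report's analysis date as "now".

```python
"""Evaluate an Authenticode chain at signing time versus analysis time (added example)."""
from datetime import datetime

FMT = "%I:%M %p %m/%d/%Y"  # the report's own date format, e.g. "05:42 PM 06/04/2015"


def parse(ts):
    return datetime.strptime(ts, FMT)


# Validity windows copied from the report. The report gives no time zone, so all
# values are treated as naive datetimes in one common zone (assumption).
SIGNING_CHAIN = [
    ("Microsoft Corporation", "05:42 PM 06/04/2015", "05:42 PM 09/04/2016"),
    ("Microsoft Code Signing PCA", "10:19 PM 08/31/2010", "10:29 PM 08/31/2020"),
    ("Microsoft Root Certificate Authority", "11:19 PM 05/09/2001", "11:28 PM 05/09/2021"),
]
TIMESTAMP_CHAIN = [
    ("Microsoft Time-Stamp Service", "07:21 PM 03/30/2016", "07:21 PM 06/30/2017"),
    ("Microsoft Time-Stamp PCA", "12:53 PM 04/03/2007", "01:03 PM 04/03/2021"),
    ("Microsoft Root Certificate Authority", "11:19 PM 05/09/2001", "11:28 PM 05/09/2021"),
]
SIGNING_TIME = parse("07:31 PM 06/28/2016")          # "Signing date" in the report
ANALYSIS_TIME = datetime(2019, 1, 29, 2, 21, 41)     # "Analysis date" in the report


def time_valid(chain, when):
    """Names of chain members whose notBefore..notAfter window does NOT contain `when`."""
    return [name for name, nb, na in chain if not (parse(nb) <= when <= parse(na))]


def signature_verdict(signing_chain, ts_chain, signing_time, now):
    """A countersigned signature verifies if both chains were time-valid at the
    countersigned signing instant; expiry after that point is reported, not fatal.
    (Revocation and policy checks are outside this example.)"""
    at_signing = time_valid(signing_chain, signing_time) + time_valid(ts_chain, signing_time)
    return {
        "verified": not at_signing,
        "expired_by_now": time_valid(signing_chain, now) + time_valid(ts_chain, now),
    }


if __name__ == "__main__":
    print(signature_verdict(SIGNING_CHAIN, TIMESTAMP_CHAIN, SIGNING_TIME, ANALYSIS_TIME))
```

With the report's dates, `verified` is True and `expired_by_now` names exactly the two certificates the report flags: the "Microsoft Corporation" signer and the "Microsoft Time-Stamp Service" certificate. A file whose signer certificate had expired before the countersignature time would fail the first check regardless of what the status lines say today.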
PE header basic information
Target machine x64
Compilation timestamp 2016-06-28 18:31:38
Entry Point 0x00005A5C
Number of sections 5
PE sections
Overlays
MD5 773b09f946233565b643b23e996a0a19
File type data
Offset 152576
Size 16032
Entropy 7.43
PE imports
RegCloseKey
RegSetValueExW
RegOpenKeyExW
RegCreateKeyW
RegOpenKeyW
RegQueryValueExW
PrintDlgW
GetLastError
ReadConsoleInputA
HeapFree
GetStdHandle
EnterCriticalSection
LCMapStringW
SetConsoleMode
LoadLibraryW
GetConsoleCP
FreeLibrary
QueryPerformanceCounter
IsDebuggerPresent
EncodePointer
TlsAlloc
GetEnvironmentStringsW
FlushFileBuffers
IsProcessorFeaturePresent
HeapAlloc
GetCurrentProcess
LoadLibraryExA
GetConsoleMode
GetStringTypeW
LocalAlloc
GetCommandLineW
RtlVirtualUnwind
WriteConsoleW
UnhandledExceptionFilter
LoadLibraryExW
MultiByteToWideChar
HeapSize
SetFilePointerEx
FreeEnvironmentStringsW
GetCPInfo
GetProcAddress
FormatMessageA
GetComputerNameW
InitializeCriticalSectionAndSpinCount
RaiseException
RtlUnwindEx
WideCharToMultiByte
GetModuleFileNameW
TlsFree
DeleteCriticalSection
ReadFile
GetCurrentThreadId
SetUnhandledExceptionFilter
WriteFile
RtlCaptureContext
CloseHandle
GetSystemTimeAsFileTime
TerminateProcess
GetACP
HeapReAlloc
DecodePointer
GetModuleHandleW
GetOEMCP
LocalFree
SetStdHandle
GetModuleHandleExW
IsValidCodePage
OutputDebugStringW
RtlLookupFunctionEntry
CreateFileW
TlsGetValue
Sleep
GetFileType
ReadConsoleW
TlsSetValue
ExitProcess
GetVersion
GetProcessHeap
GetStartupInfoW
GetCurrentProcessId
SetLastError
LeaveCriticalSection
WNetCancelConnection2W
WNetAddConnection2W
NetFileEnum
NetFileClose
NetFileGetInfo
VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW
Number of PE resources by type
RT_MANIFEST 1
RT_VERSION 1
Number of PE resources by language
ENGLISH US 2
PE resources
ExifTool file metadata
SubsystemVersion 5.2
InitializedDataSize 82944
ImageVersion 0.0
ProductName Sysinternals PsFile
FileVersionNumber 1.3.0.0
UninitializedDataSize 0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
ImageFileCharacteristics No relocs, Executable, Large address aware
CharacterSet Unicode
LinkerVersion 12.0
FileTypeExtension exe
OriginalFileName psfile.exe
MIMEType application/octet-stream
Subsystem Windows command line
FileVersion 1.03
TimeStamp 2016:06:28 19:31:38+01:00
FileType Win64 EXE
PEType PE32+
InternalName PsFile
ProductVersion 1.03
FileDescription Lists files and directories opened remotely
OSVersion 5.2
FileOS Windows NT 32-bit
LegalCopyright Copyright (C) 2001-2016 Mark Russinovich
MachineType AMD AMD64
CompanyName Sysinternals
CodeSize 80384
FileSubtype 0
ProductVersionNumber 1.3.0.0
EntryPoint 0x5a5c
ObjectFileType Executable application

Execution parents
Overlay parents
Compressed bundles
File identification
MD5 e52ac781c403dabe22dfa16aef8491be
SHA1 9a0fdfb801ab76eedbbd0e18430af72556a28d0d
SHA256 033b81744e0bd4219a4d698894b8403bb67b525c96049cbfef34677d4d6fc85c
ssdeep 3072:Zs4psDEHzFIE3nWTeZc2FNIJiGd3nO5UFzrUewyPsx+SUuYVIMWxEJr:C4psoFIEmTYvzIJiGVjzrSnWMur
authentihash bb9af688c15120f97bdb3b0810b307607fed29fc5ce0395a636e4af88880f99d
imphash 012373288a4a55bf933694e80d94bdb7
File size 164.7 KB ( 168608 bytes )
File type Win32 EXE
Magic literal PE32+ executable for MS Windows (console) Mono/.Net assembly (the ".Net assembly" suffix is not supported by the import table above, which lists only native Win32 APIs and no mscoree.dll; treat it as a magic-database misidentification of a native x64 binary)

TrID Win64 Executable (generic) (82.0%)
OS/2 Executable (generic) (6.0%)
Generic Win/DOS Executable (5.9%)
DOS Executable Generic (5.9%)
Tags
64bits peexe assembly signed overlay
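The overlay figures in the PE header section (offset 152576, size 16032) and the authentihash above are related. For a signed PE the overlay is normally the WIN_CERTIFICATE blob that the security data directory points at, and the authentihash is the SHA-256 of the file with the CheckSum field, the security directory entry and that certificate table left out, which is why it survives re-signing while MD5, SHA-1 and SHA-256 all change. The Python below is an added example, not VirusTotal's or Sysinternals' code, that implements that carve-out with the standard library only. It is exercised on a constructed minimal PE32+ rather than on psfile64.exe; the `build_pe32plus` helper and the section and certificate payloads are assumptions made for the demo.

```python
"""Authentihash, overlay carve-out and overlay entropy for a PE file (stdlib only, added example)."""
import hashlib
import math
import struct


def _u16(b, o):
    return struct.unpack_from("<H", b, o)[0]


def _u32(b, o):
    return struct.unpack_from("<I", b, o)[0]


def pe_layout(data):
    """Locate the fields Authenticode excludes from the hash, plus the end of section data."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = _u32(data, 0x3C)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = _u16(data, pe + 6)
    opt = pe + 24                          # optional header follows the 20-byte COFF header
    is_plus = _u16(data, opt) == 0x20B     # PE32+ (64-bit) vs PE32
    sect_table = opt + _u16(data, pe + 20)  # SizeOfOptionalHeader
    end_of_sections = sect_table + 40 * nsec
    for i in range(nsec):
        s = sect_table + 40 * i            # PointerToRawData at +20, SizeOfRawData at +16
        end_of_sections = max(end_of_sections, _u32(data, s + 20) + _u32(data, s + 16))
    sec_dir = opt + (144 if is_plus else 128)  # data directory 4: IMAGE_DIRECTORY_ENTRY_SECURITY
    return {
        "checksum_off": opt + 64,          # CheckSum sits at +64 in both PE32 and PE32+
        "sec_dir_off": sec_dir,
        "cert_off": _u32(data, sec_dir),   # file offset (not an RVA) of the WIN_CERTIFICATE table
        "cert_size": _u32(data, sec_dir + 4),
        "end_of_sections": end_of_sections,
    }


def authentihash(data, algo="sha256"):
    """Hash the file the way Authenticode does: skip CheckSum, the security directory entry
    and the certificate table itself."""
    lay = pe_layout(data)
    skip = [(lay["checksum_off"], 4), (lay["sec_dir_off"], 8)]
    if lay["cert_size"]:
        skip.append((lay["cert_off"], lay["cert_size"]))
    h = hashlib.new(algo)
    pos = 0
    for off, n in sorted(skip):
        h.update(data[pos:off])
        pos = off + n
    h.update(data[pos:])
    return h.hexdigest()


def overlay(data):
    """Bytes past the last section's raw data; for a signed file this is normally the cert table."""
    start = pe_layout(data)["end_of_sections"]
    return start, data[start:]


def shannon_entropy(b):
    """Bits per byte, 0..8; signature blobs and packed data both sit near the top of the range."""
    if not b:
        return 0.0
    counts = [0] * 256
    for x in b:
        counts[x] += 1
    return -sum(c / len(b) * math.log2(c / len(b)) for c in counts if c)


def build_pe32plus(section_bytes, cert_bytes=b""):
    """Constructed minimal PE32+ (one .text section, optional cert table as overlay). Demo only."""
    raw_ptr = 512
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    if cert_bytes:
        struct.pack_into("<II", opt, 144, raw_ptr + len(section_bytes), len(cert_bytes))
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(section_bytes), 0x1000,
                                        len(section_bytes), raw_ptr, 0, 0, 0, 0, 0x60000020)
    hdr = bytes(dos) + coff + bytes(opt) + sect
    return hdr + b"\0" * (raw_ptr - len(hdr)) + section_bytes + cert_bytes


def demo():
    code = bytes(range(256)) * 4                                       # constructed section content
    cert_a = b"\x30\x82" + bytes((i * 37) & 0xFF for i in range(600))  # constructed fake signature blob
    cert_b = b"\x30\x82" + bytes((i * 91) & 0xFF for i in range(700))  # a second, different blob
    unsigned, signed_a, signed_b = (build_pe32plus(code, c) for c in (b"", cert_a, cert_b))
    tampered = build_pe32plus(code[:-1] + b"\xCC", cert_a)             # one code byte changed
    off, blob = overlay(signed_a)
    return {
        "authentihash_same_across_signatures":
            authentihash(unsigned) == authentihash(signed_a) == authentihash(signed_b),
        "sha256_differs_per_signature":
            len({hashlib.sha256(x).digest() for x in (unsigned, signed_a, signed_b)}) == 3,
        "authentihash_detects_code_change": authentihash(tampered) != authentihash(signed_a),
        "overlay_is_cert_table": off == 512 + len(code) and blob == cert_a,
        "overlay_entropy": round(shannon_entropy(blob), 2),
    }


if __name__ == "__main__":
    print(demo())
```

On the real sample, `authentihash(open("psfile64.exe", "rb").read())` should reproduce the authentihash above, and `overlay()` should start at the offset the security directory entry gives. The report's own numbers are consistent with that reading: 152576 + 16032 = 168608, the reported file size, so the overlay is exactly the tail of the file, and 7.43 bits per byte is the kind of entropy a DER-encoded PKCS#7 signature produces rather than a sign of packing.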

VirusTotal metadata
First submission 2016-06-30 18:04:44 UTC ( 2 years, 8 months ago )
Last submission 2019-01-29 02:21:41 UTC ( 1 month, 2 weeks ago )
File names psfile64.exe
psfile64.exe
psfile64.exe
psfile640.exe
033B81744E0BD4219A4D698894B8403BB67B525C96049CBFEF34677D4D6FC85C
psfile64.exe
psfile64.exe
psfile64.exe
emb3c24.tmp
psfile64-{f1e8fb84-bd45-42df-8c65-5351b63bb7ba}-v616026161.exe
psfile64.exe
psfile64.exe
psfile64.exe
psfile.exe
PsFile
tmpf293.tmp
psfile64.exe
D__C1_SysinternalsSuite_psfile64.exe
myfile.exe
ac45dbeaf427459eaea9ac1a7c84ce51-e8ff433bc3f2408c9f7b0c71195de138-73c048e98b3046d09725fc5941e642ce-f999f094c784d19dfac5691f81e9a28d.temp
psfile.exe
tmp36cc.tmp
~52361eab.tmp
psfile64.exe
psfile64.exe