Edit tour

Windows Analysis Report
PSKILL.EXE

Overview

General Information

Sample name:	PSKILL.EXE
Analysis ID:	1559468
MD5:	ec9bc439b375bd787ab0d6bba1ae76ab
SHA1:	98773b3e894e8c167fb2c7e7da24b21e2e7c4656
SHA256:	8d6306d1d0aaa65f41e2420d23c2035542511d7d3e9d675edf29e13aa14b9e31
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Found large amount of non-executed APIs

PE file contains executable resources (Code or Archives)

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

PSKILL.EXE (PID: 7444 cmdline: "C:\Users\user\Desktop\PSKILL.EXE" MD5: EC9BC439B375BD787AB0D6BBA1AE76AB)

conhost.exe (PID: 7452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: PSKILL.EXE

ReversingLabs: Detection: 24%

Source: PSKILL.EXE

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: PSKILL.EXE, ConDrv.0.dr

String found in binary or memory: http://www.sysinternals.com

Source: C:\Users\user\Desktop\PSKILL.EXE

Code function: 0_2_00401EB0 OpenServiceA,DeleteService,CloseServiceHandle,

0_2_00401EB0

Source: PSKILL.EXE

Static PE information: Resource name: BINRES type: PE32 executable (console) Intel 80386, for MS Windows

Source: PSKILL.EXE, 00000000.00000002.1664181238.000000000040B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamepkill.exe vs PSKILL.EXE
Source: PSKILL.EXE	Binary or memory string: OriginalFilenamepkill.exe vs PSKILL.EXE

Source: PSKILL.EXE

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal48.winEXE@2/1@0/0

Source: C:\Users\user\Desktop\PSKILL.EXE

Code function: 0_2_00401080 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,GetLastError,CloseHandle,AdjustTokenPrivileges,CloseHandle,GetLastError,

0_2_00401080

Source: C:\Users\user\Desktop\PSKILL.EXE

Code function: CreateServiceA,CloseServiceHandle,

0_2_00401D40

Source: C:\Users\user\Desktop\PSKILL.EXE

Code function: 0_2_00401350 FindResourceA,LoadResource,SizeofResource,LockResource,

0_2_00401350

Source: C:\Users\user\Desktop\PSKILL.EXE

Code function: 0_2_00401D80 GetTickCount,GetTickCount,CloseServiceHandle,OpenServiceA,GetLastError,StartServiceA,GetLastError,QueryServiceStatus,QueryServiceStatus,GetTickCount,SetLastError,GetLastError,CloseServiceHandle,SetLastError,

0_2_00401D80

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7452:120:WilError_03

Source: PSKILL.EXE

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PSKILL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PSKILL.EXE

ReversingLabs: Detection: 24%

Source: PSKILL.EXE

String found in binary or memory: %s -install to install the service

Source: unknown	Process created: C:\Users\user\Desktop\PSKILL.EXE "C:\Users\user\Desktop\PSKILL.EXE"
Source: C:\Users\user\Desktop\PSKILL.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\PSKILL.EXE	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\PSKILL.EXE	Section loaded: mpr.dll			Jump to behavior

Source: C:\Users\user\Desktop\PSKILL.EXE

Code function: 0_2_00405FB0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00405FB0

Source: C:\Users\user\Desktop\PSKILL.EXE

Code function: 0_2_00405AB0 push eax; ret

0_2_00405ADE

Source: C:\Users\user\Desktop\PSKILL.EXE

0_2_00401D80

Source: C:\Users\user\Desktop\PSKILL.EXE

API coverage: 7.7 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\PSKILL.EXE

API call chain: ExitProcess graph end node

graph_0-3442

Source: C:\Users\user\Desktop\PSKILL.EXE

Code function: 0_2_00405FB0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00405FB0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\PSKILL.EXE

Code function: 0_2_00402678 EntryPoint,GetVersion,GetCommandLineA,

0_2_00402678

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	12 Windows Service	1 Access Token Manipulation	1 Access Token Manipulation	OS Credential Dumping	2 System Information Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Service Execution	1 DLL Side-Loading	12 Windows Service	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	Logon Script (Windows)	1 Process Injection	1 DLL Side-Loading	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PSKILL.EXE	24%	ReversingLabs	Win32.PUA.PsKill

Source	Detection	Scanner	Label	Link
http://www.sysinternals.com	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.sysinternals.com	PSKILL.EXE, ConDrv.0.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1559468
Start date and time:	2024-11-20 15:22:29 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PSKILL.EXE
Detection:	MAL
Classification:	mal48.winEXE@2/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 6 Number of non-executed functions: 22
Cookbook Comments:	Found application associated with file extension: .EXE Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: PSKILL.EXE

Process:	C:\Users\user\Desktop\PSKILL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	362
Entropy (8bit):	4.83093470585073
Encrypted:	false
SSDEEP:	6:BJ2buOqi4rK8/ic4yIkPyWTbGQQDWwOwv8udwLE915UsmbZNyjbF5QkqCC:BYBO1jIAyibGpywJ9+ENMbzy/Ix
MD5:	3C224A146EEC9316A04166F37439E1EA
SHA1:	54043C330A1507CB159577002C0C461EADDE30C1
SHA-256:	91646E02DD3C29A72229ED5C0A1A420DCB3153219D38FE9DB22D50A1F2CC6BBA
SHA-512:	F0163E28C44DF156CFC8785FE8F5F65A120FE6BB4CF1A6D12AC5BDBB0D624617ACF522C3B0D2F58749A4C6CE3E242BB36AAB03C97A0CC9DAD559ADC4B3B88BA6
Malicious:	false
Reputation:	low
Preview:	..PsKill v1.01 - local and remote process killer..Copyright (C) 2000 Mark Russinovich..http://www.sysinternals.com....PsKill terminates processes on a local or remote NT system.....Usage: C:\Users\user\Desktop\PSKILL.EXE [\\RemoteComputer [-u Username]] <process Id or name>.. -u Specifies optional user name for login to.. remote computer.....

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	5.171757012170339
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PSKILL.EXE
File size:	77'824 bytes
MD5:	ec9bc439b375bd787ab0d6bba1ae76ab
SHA1:	98773b3e894e8c167fb2c7e7da24b21e2e7c4656
SHA256:	8d6306d1d0aaa65f41e2420d23c2035542511d7d3e9d675edf29e13aa14b9e31
SHA512:	c810c9a9b57833e7d0a3ac95e89550076f2664e7097ccb5db14777d9685c3113de456aefab1dcccd48738f9d2532d8c2c4b0b733df36e0ce414024262f82fea6
SSDEEP:	768:UV3QaTJXlYDYQqIowK3vePanV3RRYVKHaSfzgJ1pR7dOXWALR80GQaFzOUuZdAtL:EgaTz3vePSkKt4pR7dOXCFzOskoB
TLSH:	A6738D2378E14033D49386F210B64F3AEB3B666103629593DF68DD762E725E0EC3A257
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........H.t.H.t.H.t.3.x.J.t.....I.t...z.E.t.H.u...t...g.A.t...~.v.t...r.I.t.RichH.t.........PE..L...h..8.................`.........

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x402678
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x3895AC68 [Mon Jan 31 15:38:16 2000 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	aed0ac8b3cd0a7a80c4301c6ae7a3787

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00407130h
push 00404CE8h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 10h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [0040705Ch]
xor edx, edx
mov dl, ah
mov dword ptr [004092F8h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [004092F4h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [004092F0h], ecx
shr eax, 10h
mov dword ptr [004092ECh], eax
push 00000000h
call 00007F6DD9487C7Fh
pop ecx
test eax, eax
jne 00007F6DD9487BBAh
push 0000001Ch
call 00007F6DD9487C4Fh
pop ecx
and dword ptr [ebp-04h], 00000000h
call 00007F6DD948987Dh
call dword ptr [00407058h]
mov dword ptr [00409C60h], eax
call 00007F6DD9489F77h
mov dword ptr [0040932Ch], eax
call 00007F6DD9489D20h
call 00007F6DD9489C62h
call 00007F6DD9487A1Bh
mov eax, dword ptr [00409308h]
mov dword ptr [0040930Ch], eax
push eax
push dword ptr [00409300h]
push dword ptr [004092FCh]
call 00007F6DD9486F09h
add esp, 0Ch
mov dword ptr [ebp-1Ch], eax
push eax
call 00007F6DD9487A20h
mov eax, dword ptr [ebp-14h]
mov ecx, dword ptr [eax]
mov ecx, dword ptr [ecx]

Rich Headers

Programming Language:

[C++] VS98 (6.0) build 8168
[ C ] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7510	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb000	0x8408	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x12c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5ab5	0x6000	78361fb1f4a9290963078cfaf684e759	False	0.5999755859375	data	6.400659887945573	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0xbac	0x1000	0299e48e7c921e8fe2b65abdea7b73d0	False	0.350341796875	data	4.330211340371844	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x8000	0x2c84	0x2000	643b1c1beca3952e3cd025eb3c5a7834	False	0.2110595703125	data	2.53857620947545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xb000	0x8408	0x9000	8743987ba72b1520b808803ccff348d5	False	0.4131673177083333	data	4.976241626539072	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
BINRES	0xb408	0x8000	PE32 executable (console) Intel 80386, for MS Windows	English	United States	0.45111083984375
RT_VERSION	0xb0c0	0x348	data	English	United States	0.4380952380952381

Imports

DLL	Import
MPR.dll	WNetAddConnection2A, WNetCancelConnection2A
KERNEL32.dll	SizeofResource, LoadResource, FindResourceA, ReadFile, WriteFile, LockResource, LocalFree, FormatMessageA, GetComputerNameA, GetFullPathNameA, GetCommandLineA, GetVersion, SetLastError, GetTickCount, OpenProcess, TerminateProcess, GetCurrentProcess, GetLastError, CloseHandle, GetModuleHandleA, GetProcAddress, CreateFileA, DeleteFileA, HeapFree, GetModuleFileNameA, UnhandledExceptionFilter, HeapAlloc, ExitProcess, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, HeapReAlloc, MultiByteToWideChar, GetStringTypeA, GetStringTypeW, FlushFileBuffers, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, GetConsoleMode, GetCPInfo, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, RtlUnwind, SetStdHandle, SetFilePointer, SetEndOfFile, GetACP, GetOEMCP, LoadLibraryA, LCMapStringA, LCMapStringW, ReadConsoleInputA, SetConsoleMode
ADVAPI32.dll	OpenServiceA, DeleteService, StartServiceA, QueryServiceStatus, CreateServiceA, CloseServiceHandle, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, OpenSCManagerA, ControlService

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	09:23:19
Start date:	20/11/2024
Path:	C:\Users\user\Desktop\PSKILL.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PSKILL.EXE"
Imagebase:	0x400000
File size:	77'824 bytes
MD5 hash:	EC9BC439B375BD787AB0D6BBA1AE76AB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:23:19
Start date:	20/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.9%
Total number of Nodes:	691
Total number of Limit Nodes:	5

Executed Functions

Function 004043B4 Relevance: 7.6, APIs: 5, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoA.KERNEL32(?), ref: 0040440D
GetFileType.KERNEL32(00000800), ref: 004044B3
GetStdHandle.KERNEL32(-000000F6), ref: 0040450C
GetFileType.KERNELBASE(00000000), ref: 0040451A
SetHandleCount.KERNEL32 ref: 00404551

Memory Dump Source

Source File: 00000000.00000002.1664120413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1664092516.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664141988.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664161309.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664181238.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PSKILL.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: 9532bcf94b3a3487dcd9bade7914c2a715f1a918944354126a47ab1ebd079f94
Instruction ID: f8cb05146240ab982249feda2e19ae0a7c9c3d7b4ea2ff931ff9064ad45de291
Opcode Fuzzy Hash: 9532bcf94b3a3487dcd9bade7914c2a715f1a918944354126a47ab1ebd079f94
Instruction Fuzzy Hash: 485123B1A082508BD720CB28DD847667BA0BB91334F15467AE7A6FB3E1D738AC45C719

Function 00403B07 Relevance: 6.1, APIs: 4, Instructions: 139
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,00000000,00000000,00000001,00000000,?), ref: 00403BDF

Memory Dump Source

Source File: 00000000.00000002.1664120413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1664092516.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664141988.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664161309.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664181238.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PSKILL.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 20a7e02b5ebda6a6794e64c9d830e791b21c915b23f0b7f9e656bc89dc28ea86
Instruction ID: fe02a73a7ca682bde3b3dbe8accce367f8372b5b00b9e3fd7c2c61c28ad06572
Opcode Fuzzy Hash: 20a7e02b5ebda6a6794e64c9d830e791b21c915b23f0b7f9e656bc89dc28ea86
Instruction Fuzzy Hash: 73519072904248EFDB11CF68D984AA97FB8FB44345F2085BAE915FB291D738DA41CB18

Function 00402E79 Relevance: 5.1, APIs: 4, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapReAlloc.KERNEL32(00000000,00000060,?,00000000,00402C41,?,?,?,00000100), ref: 00402EA1
HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,00402C41,?,?,?,00000100), ref: 00402ED5
VirtualAlloc.KERNELBASE(00000000,00100000,00002000,00000004,?,00000000,00402C41,?,?,?,00000100), ref: 00402EEF
HeapFree.KERNEL32(00000000,?,?,00000000,00402C41,?,?,?,00000100), ref: 00402F06

Memory Dump Source

Source File: 00000000.00000002.1664120413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1664092516.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664141988.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664161309.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664181238.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PSKILL.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: 9bd1f765bd0a722b208e8cbb61cd147ef60de5ad8d9222b6a674abb743326c8a
Instruction ID: bd84e37f63ed880c743b77309c8c0e674533a123c5e6169b6a9ce7a9db56fd81
Opcode Fuzzy Hash: 9bd1f765bd0a722b208e8cbb61cd147ef60de5ad8d9222b6a674abb743326c8a
Instruction Fuzzy Hash: B6119130A082019FE7629F28EE44A627BF5FB85750720463AF151F21F2CB70AC85CB18

Function 004025C5 Relevance: 4.5, APIs: 3, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00401B5D,?,004025B0,00000000,00000000,00000000,00401B5D,000000FF), ref: 004025D5
TerminateProcess.KERNEL32(00000000,?,004025B0,00000000,00000000,00000000,00401B5D,000000FF), ref: 004025DC
ExitProcess.KERNEL32 ref: 00402656

Memory Dump Source

Source File: 00000000.00000002.1664120413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1664092516.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664141988.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664161309.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664181238.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PSKILL.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 1af48c478d806c1296053d176dcc8b38e6707bd9b1221239aab69aa30cdc538c
Instruction ID: c0dc18c57e56d6947184c93a01701f0c898da09db24df83412d93209275a6702
Opcode Fuzzy Hash: 1af48c478d806c1296053d176dcc8b38e6707bd9b1221239aab69aa30cdc538c
Instruction Fuzzy Hash: 250184319043019AEA25AB24FF88A567BA4EB98720F60443FE581731D1DFBA6C45CB2D

Function 004027A0 Relevance: 3.0, APIs: 2, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,004026D6,00000000), ref: 004027B1

Part of subcall function 004027DC: HeapAlloc.KERNEL32(00000000,00000140,004027C5), ref: 004027E9

HeapDestroy.KERNEL32 ref: 004027CF

Memory Dump Source

Source File: 00000000.00000002.1664120413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1664092516.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664141988.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664161309.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664181238.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PSKILL.jbxd

Similarity

API ID: Heap$AllocCreateDestroy
String ID:
API String ID: 2236781399-0
Opcode ID: 31ac214dfccc306396b9d60130017ad98e558440630a59d8e773d732d413b3b4
Instruction ID: c99ee5741e2403eead047afef43af505a6a40b515ae6c5ad15af79f6b13cb4f1
Opcode Fuzzy Hash: 31ac214dfccc306396b9d60130017ad98e558440630a59d8e773d732d413b3b4
Instruction Fuzzy Hash: 4EE01270A583406EEF511B31AF0D76636E49B44792F00443BB544E55E5EBB888C0DA09

Function 00402059 Relevance: 1.3, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32(00000000,?,?,0040203D,000000E0,0040202A,?,004043C5,00000100), ref: 00402087

Memory Dump Source

Source File: 00000000.00000002.1664120413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1664092516.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664141988.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664161309.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664181238.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PSKILL.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: a96218578892976b19cf5e7b0cd4d099e9bbd542817e036616123ff892b00967
Instruction ID: d7bfbc84909e456f25a504a36d336de05c35d6d5cb7be11f3da8a42c3989515e
Opcode Fuzzy Hash: a96218578892976b19cf5e7b0cd4d099e9bbd542817e036616123ff892b00967
Instruction Fuzzy Hash: AAE08C32C4663056EA212B24BF08BCB27549B01364F160232FE88762E1C7B42C8085CC

Non-executed Functions

Function 00401D80 Relevance: 16.6, APIs: 11, Instructions: 71
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00401D8B
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,00401F69,00000000,?,?,?,%%SystemRoot%%\System32\PSKLLSVC.EXE,Starting pskill service on %s...,004091CC), ref: 00401D99
OpenServiceA.ADVAPI32(?,?,000F01FF,?,?,?,?,00401F69,00000000,?,?,?,%%SystemRoot%%\System32\PSKLLSVC.EXE,Starting pskill service on %s...,004091CC), ref: 00401DAE
StartServiceA.ADVAPI32(00000000,00000000,00000000,?,74DEE010,?,?,?,?,00401F69,00000000,?,?,?,%%SystemRoot%%\System32\PSKLLSVC.EXE,Starting pskill service on %s...), ref: 00401DCA
GetLastError.KERNEL32(?,?,?,?,00401F69,00000000,?,?,?,%%SystemRoot%%\System32\PSKLLSVC.EXE,Starting pskill service on %s...,004091CC), ref: 00401DD4
QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,00401F69,00000000,?,?,?,%%SystemRoot%%\System32\PSKLLSVC.EXE,Starting pskill service on %s...,004091CC), ref: 00401DF7
GetTickCount.KERNEL32 ref: 00401E0B
SetLastError.KERNEL32(0000041D,?,?,?,?,00401F69,00000000,?,?,?,%%SystemRoot%%\System32\PSKLLSVC.EXE,Starting pskill service on %s...,004091CC), ref: 00401E1B
GetLastError.KERNEL32(?,?,?,?,00401F69,00000000,?,?,?,%%SystemRoot%%\System32\PSKLLSVC.EXE,Starting pskill service on %s...,004091CC), ref: 00401E23
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,00401F69,00000000,?,?,?,%%SystemRoot%%\System32\PSKLLSVC.EXE,Starting pskill service on %s...,004091CC), ref: 00401E32
SetLastError.KERNEL32(00000000,?,?,?,?,00401F69,00000000,?,?,?,%%SystemRoot%%\System32\PSKLLSVC.EXE,Starting pskill service on %s...,004091CC), ref: 00401E43

Memory Dump Source

Source File: 00000000.00000002.1664120413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1664092516.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664141988.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664161309.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664181238.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PSKILL.jbxd

Similarity

API ID: Service$ErrorLast$CloseCountHandleTick$OpenQueryStartStatus
String ID:
API String ID: 539858797-0
Opcode ID: fdc83052fbb82b0cd5723025a366aecc78ff42b88ed861990adca4e8fbc0ccbb
Instruction ID: 161ad52be123b544b84dd696de7e5a15792eb8b745542392bb1a94f194e7066b
Opcode Fuzzy Hash: fdc83052fbb82b0cd5723025a366aecc78ff42b88ed861990adca4e8fbc0ccbb
Instruction Fuzzy Hash: 8C118771B042045BD710AF74ED88B6B37A8EB84315F040A76F900F23B1D638ED448B6A

Function 00405FB0 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 50
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00404F1D,?,Microsoft Visual C++ Runtime Library,00012010,?,00407428,?,00407478,?,?,?,Runtime Error!Program: ), ref: 00405FC2
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00405FDA
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00405FEB
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00405FF8

Strings

GetActiveWindow, xrefs: 00405FE5
xt@, xrefs: 0040601E, 00406022
MessageBoxA, xrefs: 00405FD4
GetLastActivePopup, xrefs: 00405FED
user32.dll, xrefs: 00405FBD

Memory Dump Source

Source File: 00000000.00000002.1664120413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1664092516.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664141988.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664161309.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664181238.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PSKILL.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll$xt@
API String ID: 2238633743-2703191366
Opcode ID: 8c6ef0bbbd19ce8a6416f8212b514baaee251f74cceeab19c73cc1c2e9407019
Instruction ID: 7dc8f2f6f194a856d48f07b33265d68f146d9f98498bf94f69e7010f1b1d1390
Opcode Fuzzy Hash: 8c6ef0bbbd19ce8a6416f8212b514baaee251f74cceeab19c73cc1c2e9407019
Instruction Fuzzy Hash: DB0175316482126BCB11DFB99D8491F3EAC9AD8791315003BF901F22A2DA789C12AB69

Function 00401080 Relevance: 13.6, APIs: 9, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00401094
OpenProcessToken.ADVAPI32(00000000), ref: 0040109B
LookupPrivilegeValueA.ADVAPI32(00000000,?,00000028), ref: 004010B9

Memory Dump Source

Source File: 00000000.00000002.1664120413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1664092516.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664141988.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664161309.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664181238.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PSKILL.jbxd

Similarity

API ID: Process$CurrentLookupOpenPrivilegeTokenValue
String ID:
API String ID: 3639550587-0
Opcode ID: 9ef6969e7f26980ce1130020c831bdf636efae3f419ea15fbd092fe52e2bfe0e
Instruction ID: 3d8411b7e8788c00387c70f0cafc9e7d011cfc6fd331b0cfe6e35bee53c863b4
Opcode Fuzzy Hash: 9ef6969e7f26980ce1130020c831bdf636efae3f419ea15fbd092fe52e2bfe0e
Instruction Fuzzy Hash: 00316E75508341AFE700DF64D845F9BB7E8BBC8710F00492DF99893290E374E9498B66

Function 00401350 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00000000,?,BINRES), ref: 0040135F
LoadResource.KERNEL32(00000000,00000000,?,00000000,?,004014CB,KILLSVC,?,?,\\%s\ADMIN$\System32\PSKLLSVC.EXE,004091CC,Connecting to %s...,004091CC,00000000), ref: 00401374
SizeofResource.KERNEL32(00000000,00000000,?,00000000,?,004014CB,KILLSVC,?,?,\\%s\ADMIN$\System32\PSKLLSVC.EXE,004091CC,Connecting to %s...,004091CC,00000000), ref: 0040137F
LockResource.KERNEL32(00000000,?,00000000,?,004014CB,KILLSVC,?,?,\\%s\ADMIN$\System32\PSKLLSVC.EXE,004091CC,Connecting to %s...,004091CC,00000000), ref: 00401388

Strings

BINRES, xrefs: 00401357

Memory Dump Source

Source File: 00000000.00000002.1664120413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1664092516.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664141988.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664161309.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664181238.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PSKILL.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: BINRES
API String ID: 3473537107-3442368034
Opcode ID: 8c9afdf17df62359db5e1c31e2a7582b9af924682ec850c3e7a91873a7c10f3f
Instruction ID: a6051fe255409381f7399beb655ae7156be114feed89da4ab2f1d735083ae689
Opcode Fuzzy Hash: 8c9afdf17df62359db5e1c31e2a7582b9af924682ec850c3e7a91873a7c10f3f
Instruction Fuzzy Hash: ECF0F973A4222033CA2027A56E49FDB175C9BC17B2F01007AF604B72C1C6784C0592F9

Function 00402678 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 0040269E

Part of subcall function 004027A0: HeapCreate.KERNELBASE(00000000,00001000,00000000,004026D6,00000000), ref: 004027B1
Part of subcall function 004027A0: HeapDestroy.KERNEL32 ref: 004027CF

GetCommandLineA.KERNEL32 ref: 004026EC

Part of subcall function 0040277C: ExitProcess.KERNEL32 ref: 00402799

Strings

H%[, xrefs: 004026F2

Memory Dump Source

Source File: 00000000.00000002.1664120413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1664092516.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664141988.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664161309.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664181238.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PSKILL.jbxd

Similarity

API ID: Heap$CommandCreateDestroyExitLineProcessVersion
String ID: H%[
API String ID: 1387771204-2508348913
Opcode ID: f599766d1b1d44e145219233c036588b7da7360b59692aed88370e296a90610f
Instruction ID: 6212388087ae7c7ec767b2b683c18462f54e6a2adac1905c329dd517d4f63046
Opcode Fuzzy Hash: f599766d1b1d44e145219233c036588b7da7360b59692aed88370e296a90610f
Instruction Fuzzy Hash: 28115EB4944201AFDB08AF66DE56B6A77A4EB88314F10453EF501B62E2DA7858008F5D

Function 00401EB0 Relevance: 4.5, APIs: 3, Instructions: 22serviceCOMMON

Download Yara Rule

APIs

OpenServiceA.ADVAPI32(004091CC,?,000F01FF,00000000,00401F1C,00000000,?,?,00000000,74DEE010,?,00401576,004091CC,PSKLLSVC,?,?), ref: 00401EC0
DeleteService.ADVAPI32(00000000,?,?,00000000,74DEE010,?,00401576,004091CC,PSKLLSVC,?,?,%%SystemRoot%%\System32\PSKLLSVC.EXE,Starting pskill service on %s...,004091CC), ref: 00401ED0
CloseServiceHandle.ADVAPI32(00000000,?,00000000,74DEE010,?,00401576,004091CC,PSKLLSVC,?,?,%%SystemRoot%%\System32\PSKLLSVC.EXE,Starting pskill service on %s...,004091CC), ref: 00401ED9

Memory Dump Source

Source File: 00000000.00000002.1664120413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1664092516.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664141988.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664161309.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664181238.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PSKILL.jbxd

Similarity

API ID: Service$CloseDeleteHandleOpen
String ID:
API String ID: 3140641584-0
Opcode ID: d6c6173ca6352ddcf4669f07a24198a9892032197e9a880658c1c0678be54dc8
Instruction ID: f3b36d7b93a24ebb05923540355f0b221a83f92620fbb64c32fb970104f3ee35
Opcode Fuzzy Hash: d6c6173ca6352ddcf4669f07a24198a9892032197e9a880658c1c0678be54dc8
Instruction Fuzzy Hash: 2DD0123AB0926167C6215729FE08C9B3B99EFC57727010565FA45E3214CA34DC4196F6

Function 00401D40 Relevance: 3.0, APIs: 2, Instructions: 24serviceCOMMON

Download Yara Rule

APIs

CreateServiceA.ADVAPI32(?,00401576,00401576,000F01FF,00000010,00000003,00000001,?,00000000,00000000,00000000,00000000,00000000,00401F28,00000000,?), ref: 00401D65
CloseServiceHandle.ADVAPI32(00000000,?,00000000,74DEE010,?,00401576,004091CC,PSKLLSVC,?,?,%%SystemRoot%%\System32\PSKLLSVC.EXE,Starting pskill service on %s...,004091CC), ref: 00401D71

Memory Dump Source

Source File: 00000000.00000002.1664120413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1664092516.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664141988.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664161309.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664181238.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PSKILL.jbxd

Similarity

API ID: Service$CloseCreateHandle
String ID:
API String ID: 1873643653-0
Opcode ID: 67d792fcb824a19280e79a79052f2feb2a4871acb1e38dad7a6bc00777bff288
Instruction ID: 9d3963973926d1bb3e6e3dc1b600fae6bd975c82e7f05f5c4027031ae78a8343
Opcode Fuzzy Hash: 67d792fcb824a19280e79a79052f2feb2a4871acb1e38dad7a6bc00777bff288
Instruction Fuzzy Hash: CBE0E2B43843017BF6308B64CC56F67329CBB88F41F904958B794FA1D0C6F9F840962A

Function 00401490 Relevance: 47.5, APIs: 9, Strings: 18, Instructions: 255
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401350: FindResourceA.KERNEL32(00000000,?,BINRES), ref: 0040135F

GetLastError.KERNEL32(?,?,?,?,00000000), ref: 004014D8
GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 00401523
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040157D
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 004015E5
GetLastError.KERNEL32 ref: 00401609
DeleteFileA.KERNEL32(?), ref: 0040163F
WriteFile.KERNEL32(00000000,?,00000114,?,00000000), ref: 00401703
ReadFile.KERNEL32(00000000,?,00000114,?,00000000), ref: 00401736
DeleteFileA.KERNEL32(?), ref: 00401818

Strings

Error communicating with pskill service on %s. The process maynot have been killed:, xrefs: 0040174A
Process %s does not exist on %s., xrefs: 004017AD
PSKLLSVC, xrefs: 00401567, 00401614, 004017ED
Starting pskill service on %s..., xrefs: 00401549
Error killing process %d on %s:, xrefs: 00401781
Connecting with pskill service on %s..., xrefs: 004015AA
KILLSVC, xrefs: 004014C1, 004014FB
Killing process %d on %s..., xrefs: 0040167E, 004016CC
\\%s\ADMIN$\System32\PSKLLSVC.EXE, xrefs: 004014B1, 0040162C, 00401805
Error communicating with pskill service on %s:, xrefs: 00401717
Could not start pskill service on %s:, xrefs: 0040158B
%%SystemRoot%%\System32\PSKLLSVC.EXE, xrefs: 00401557
Process %d does not exist on %s., xrefs: 004017C6
\\%s\pipe\pskllsvc, xrefs: 004015C0
Couldn't access %s:, xrefs: 00401516
Error killing process(es) named %s on %s:, xrefs: 00401773
Error establishing communication with pskill service on %s:, xrefs: 004015FC
Connecting to %s..., xrefs: 0040149E

Memory Dump Source

Source File: 00000000.00000002.1664120413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1664092516.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664141988.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664161309.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664181238.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PSKILL.jbxd

Similarity

API ID: File$ErrorLast$Delete$CreateFindReadResourceWrite
String ID: Connecting with pskill service on %s...$Could not start pskill service on %s:$Couldn't access %s:$Error communicating with pskill service on %s. The process maynot have been killed:$Error communicating with pskill service on %s:$Error establishing communication with pskill service on %s:$Error killing process %d on %s:$Error killing process(es) named %s on %s:$Killing process %d on %s...$Starting pskill service on %s...$%%SystemRoot%%\System32\PSKLLSVC.EXE$Connecting to %s...$KILLSVC$PSKLLSVC$Process %d does not exist on %s.$Process %s does not exist on %s.$\\%s\ADMIN$\System32\PSKLLSVC.EXE$\\%s\pipe\pskllsvc
API String ID: 15917885-3804626171
Opcode ID: eda43568b5c2023f067db8a3e982230301033a574bd49cda946fa1241160c18e
Instruction ID: e4bc7313c8ba762c31d6476cf70bb1eebd1929fce830ddc40762d47df717f875
Opcode Fuzzy Hash: eda43568b5c2023f067db8a3e982230301033a574bd49cda946fa1241160c18e
Instruction Fuzzy Hash: 03711AB074030377E614B7B19E4BFAB32445B81B48F54093FF985761D3E9BDA90482AE

Function 00401A80 Relevance: 35.2, APIs: 4, Strings: 16, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32 ref: 00401AA8
GetCommandLineA.KERNEL32 ref: 00401ACE
GetFullPathNameA.KERNEL32(?,00000104,C:\Users\user\Desktop\,?), ref: 00401B28
GetComputerNameA.KERNEL32(004096E0,?), ref: 00401BBD

Strings

C:\Users\user\Desktop\, xrefs: 00401B1D
Password: , xrefs: 00401B66
PsKill requires Windows NT or Windows 2000., xrefs: 00401AB5
%d processes named %s killed., xrefs: 00401CDC
", xrefs: 00401AFB
Unable to kill process %d:, xrefs: 00401C8D
%d processes named %s killed on %s., xrefs: 00401C05
http://www.sysinternals.com, xrefs: 00401A9B
Process %d killed., xrefs: 00401D1A
Copyright (C) 2000 Mark Russinovich, xrefs: 00401A91
PsKill v1.01 - local and remote process killer, xrefs: 00401A87
Unable to kill process %s:, xrefs: 00401C7F
Process %s killed., xrefs: 00401CFD
Process %s killed on %s., xrefs: 00401C1C
Process %d on %s killed., xrefs: 00401C3E
Process does not exist., xrefs: 00401C9F

Memory Dump Source

Source File: 00000000.00000002.1664120413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1664092516.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664141988.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664161309.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664181238.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PSKILL.jbxd

Similarity

API ID: Name$CommandComputerFullLinePathVersion
String ID: PsKill v1.01 - local and remote process killer$%d processes named %s killed on %s.$Process %d on %s killed.$Process %s killed on %s.$"$%d processes named %s killed.$C:\Users\user\Desktop\$Copyright (C) 2000 Mark Russinovich$Password: $Process %d killed.$Process %s killed.$Process does not exist.$PsKill requires Windows NT or Windows 2000.$Unable to kill process %d:$Unable to kill process %s:$http://www.sysinternals.com
API String ID: 4136247486-1660197224
Opcode ID: 3a4a6dc2e7669f07904e35246e6886cfc4a5a2e8dfb65ed37f96eaf882920790
Instruction ID: be353d0a8527e8a242ba5437562a60b8d0b0ee47f63e22b5570bd3f0e46db53e
Opcode Fuzzy Hash: 3a4a6dc2e7669f07904e35246e6886cfc4a5a2e8dfb65ed37f96eaf882920790
Instruction Fuzzy Hash: E4512B71A042022BD714B778AE47AEB33905B80714F544A3EFD94763E2FABD990481AE

Function 00406483 Relevance: 13.7, APIs: 9, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringW.KERNEL32(00000000,00000100,004071B4,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 004064C5
LCMapStringA.KERNEL32(00000000,00000100,004071B0,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 004064E1
LCMapStringA.KERNEL32(?,00000100,00000020,00000001,00000000,00000100,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 0040652A
MultiByteToWideChar.KERNEL32(00000000,00000101,00000020,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00406562
MultiByteToWideChar.KERNEL32(00000000,00000001,00000020,00000001,00000100,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 004065BA
LCMapStringW.KERNEL32(?,00000100,00000100,00000000,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 004065D0
LCMapStringW.KERNEL32(?,00000100,00000100,00000000,00000000,00000100,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 00406603
LCMapStringW.KERNEL32(?,00000100,00000100,00000100,?,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 0040666B

Memory Dump Source

Source File: 00000000.00000002.1664120413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1664092516.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664141988.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664161309.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664181238.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PSKILL.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: 01906f5aca457756e4f8ca91406d0cbddd1c1c33ef3723baf1ae6b1723aba425
Instruction ID: a4c6235f0319b0b38398b303cadb930824b71cff345c965d7893b79fa36b334b
Opcode Fuzzy Hash: 01906f5aca457756e4f8ca91406d0cbddd1c1c33ef3723baf1ae6b1723aba425
Instruction Fuzzy Hash: 0151AC31900209ABCF228F54CD45ADF7FB5FB89740F15452AF912B62A0C33A9D21DFA9

Function 00401EF0 Relevance: 13.6, APIs: 9, Instructions: 69
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerA.ADVAPI32(004091CC,00000000,000F003F,?,00000000,74DEE010,?,00401576,004091CC,PSKLLSVC,?,?,%%SystemRoot%%\System32\PSKLLSVC.EXE,Starting pskill service on %s...,004091CC), ref: 00401F00
GetLastError.KERNEL32(?,?,%%SystemRoot%%\System32\PSKLLSVC.EXE,Starting pskill service on %s...,004091CC,?,?,?,?,00000000), ref: 00401F35
GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00401F39
GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00401F40
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,00000000), ref: 00401F4A
SetLastError.KERNEL32(00000000,?,?,?,?,00000000), ref: 00401F51

Memory Dump Source

Source File: 00000000.00000002.1664120413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1664092516.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664141988.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664161309.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664181238.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PSKILL.jbxd

Similarity

API ID: ErrorLast$CloseHandleManagerOpenService
String ID:
API String ID: 2833319856-0
Opcode ID: 49e1b2d838cd7594b2173aece4b20d1d3edb9545998dd08197dd38278d486891
Instruction ID: 10e612b9e5de9478ce74cc651d32d451a386bda6a249d20cce4741c507b34d38
Opcode Fuzzy Hash: 49e1b2d838cd7594b2173aece4b20d1d3edb9545998dd08197dd38278d486891
Instruction Fuzzy Hash: 3211C27260921567C3206BB5AD89EAF7798DFC5791F000576F701B2262CB39E90192BF

Function 00404DF9 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 00404E66
GetStdHandle.KERNEL32(000000F4,00407428,00000000,?,00000000,00000000), ref: 00404F3C
WriteFile.KERNEL32(00000000), ref: 00404F43

Strings

Microsoft Visual C++ Runtime Library, xrefs: 00404F12
<program name unknown>, xrefs: 00404E76
..., xrefs: 00404EB8
Runtime Error!Program: , xrefs: 00404ECC

Memory Dump Source

Source File: 00000000.00000002.1664120413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1664092516.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664141988.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664161309.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664181238.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PSKILL.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: 1b17408e59053d0166d107f4de58e47acbf0efc0ed026df7843dabadb7ab04bd
Instruction ID: 808cf2034d31d2ea750970088a291b833a9b062823151151e589d97839312f0b
Opcode Fuzzy Hash: 1b17408e59053d0166d107f4de58e47acbf0efc0ed026df7843dabadb7ab04bd
Instruction Fuzzy Hash: B531A3B2A40208AEDF20E771CD4AF9B776CEB85304F50017BF645B61D1DA78A9418E5D

Function 00404ABE Relevance: 12.1, APIs: 8, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,004026FC), ref: 00404AD9
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,004026FC), ref: 00404AED
GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,004026FC), ref: 00404B19
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?,004026FC), ref: 00404B51
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,004026FC), ref: 00404B73
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,?,004026FC), ref: 00404B8C
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,004026FC), ref: 00404B9F
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00404BDD

Memory Dump Source

Source File: 00000000.00000002.1664120413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1664092516.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664141988.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664161309.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664181238.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PSKILL.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: 6635efd4d95cb5cc9f402bf2030600fefb07bf1291b1dfb1398568ba3fb58d12
Instruction ID: 8d759bca99f9a425c6819c2fd7fabbe41d994e41607390ef39a6a808310ec736
Opcode Fuzzy Hash: 6635efd4d95cb5cc9f402bf2030600fefb07bf1291b1dfb1398568ba3fb58d12
Instruction Fuzzy Hash: 6931F2F25082506FD7207FB95C84A3B7AACE6C4358711053BF742F3281EA39FC4182AA

Function 0040578D Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 230fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000001,80000000,004091CC,0000000C,00000001,00000080,00000000,00000001,00000000,00000000), ref: 00405939
GetFileType.KERNEL32(00000000), ref: 00405946
CloseHandle.KERNEL32(00000000), ref: 00405951
GetLastError.KERNEL32 ref: 00405957

Strings

@, xrefs: 00405970
H, xrefs: 004059A6

Memory Dump Source

Source File: 00000000.00000002.1664120413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1664092516.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664141988.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664161309.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664181238.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PSKILL.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastType
String ID: @$H
API String ID: 1809617866-104103126
Opcode ID: 7d047f26794a0b81d31a6f3642261894af4da4bcaa3b4b053aa326d547210ee4
Instruction ID: bb51585d66876a613aed01af80f2b84899a026a0dac9c2057b0d305241cbd6e5
Opcode Fuzzy Hash: 7d047f26794a0b81d31a6f3642261894af4da4bcaa3b4b053aa326d547210ee4
Instruction Fuzzy Hash: 0E81E472904A499AEF209F58C8847AF7B64EB01324F24827BED52BA2D1C37C4955DF4E

Function 00404214 Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,004071B4,00000001,00000000,?,00000100,00000000,00405EAE,00000001,00000020,00000100,?,00000000), ref: 00404253
GetStringTypeA.KERNEL32(00000000,00000001,004071B0,00000001,00000000,?,00000100,00000000,00405EAE,00000001,00000020,00000100,?,00000000), ref: 0040426D
GetStringTypeA.KERNEL32(00000000,?,00000100,00000020,00000001,?,00000100,00000000,00405EAE,00000001,00000020,00000100,?,00000000), ref: 004042A1
MultiByteToWideChar.KERNEL32(00405EAE,00000101,00000100,00000020,00000000,00000000,?,00000100,00000000,00405EAE,00000001,00000020,00000100,?,00000000), ref: 004042D9
MultiByteToWideChar.KERNEL32(00405EAE,00000001,00000100,00000020,?,00000100,?,00000100,00000000,00405EAE,00000001,00000020,00000100,?), ref: 0040432F
GetStringTypeW.KERNEL32(?,?,00000000,00000001,?,00000100,?,00000100,00000000,00405EAE,00000001,00000020,00000100,?), ref: 00404341

Memory Dump Source

Source File: 00000000.00000002.1664120413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1664092516.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664141988.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664161309.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664181238.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PSKILL.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: 7a951d32a7a2b526d0460b374eb5b1fd9d244dbc967786ab82187f797bf24174
Instruction ID: e41ae300b624074b21fa627e9f904bce1f251b41cd15d7838ba62e04a315c286
Opcode Fuzzy Hash: 7a951d32a7a2b526d0460b374eb5b1fd9d244dbc967786ab82187f797bf24174
Instruction Fuzzy Hash: 6A416DB1A04219AFCF109F94DC85EEF7B69EB48750F10453AFA01F6290C338A9518BA9

Function 00401190 Relevance: 9.0, APIs: 6, Instructions: 26COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000001,00000000,?,?,004012E6,?,00000000), ref: 0040119A
GetLastError.KERNEL32 ref: 004011A6
TerminateProcess.KERNEL32(00000000,00000000), ref: 004011B1
CloseHandle.KERNEL32(00000000), ref: 004011BC
GetLastError.KERNEL32 ref: 004011C2

Memory Dump Source

Source File: 00000000.00000002.1664120413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1664092516.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664141988.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664161309.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664181238.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PSKILL.jbxd

Similarity

API ID: ErrorLastProcess$CloseHandleOpenTerminate
String ID:
API String ID: 83288655-0
Opcode ID: 1101300497187de2f6ad2451b3423720d2c233f0acc51507ff07e4f7f7cab5ef
Instruction ID: b2f29c15d58b2b73a0811e8bc9e35613d9f078cf30ace9642155996eeb57d2b3
Opcode Fuzzy Hash: 1101300497187de2f6ad2451b3423720d2c233f0acc51507ff07e4f7f7cab5ef
Instruction Fuzzy Hash: 66E09A31E49620ABE7212B74BE0CBDB3A54EF49761F014261F645F52A0D774AC41C6AA

Function 0040680D Relevance: 7.6, APIs: 5, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1664120413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1664092516.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664141988.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664161309.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664181238.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PSKILL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f951bbfa181731ee5d66aa2471aa2d129e28a935cc114a0c7a8124ce92a2d519
Instruction ID: 3bcc1c8b18dd1474f315497da6552681cc35f693e656a85d161b9515574ab067
Opcode Fuzzy Hash: f951bbfa181731ee5d66aa2471aa2d129e28a935cc114a0c7a8124ce92a2d519
Instruction Fuzzy Hash: 15213773A04106AAEF00AB91DE45AAA3BB8EB44314F0141BBF502F62F1D335CD54CB68

Function 00401000 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,NtQuerySystemInformation,?,00401218,00000000), ref: 0040100B
GetProcAddress.KERNEL32(00000000), ref: 00401012

Strings

ntdll.dll, xrefs: 00401006
NtQuerySystemInformation, xrefs: 00401001

Memory Dump Source

Source File: 00000000.00000002.1664120413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1664092516.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664141988.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664161309.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664181238.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PSKILL.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NtQuerySystemInformation$ntdll.dll
API String ID: 1646373207-3774135904
Opcode ID: e44b20361fc8db20989faac4f7552e58629c0f806c54ca1fb41e06f347d70bc7
Instruction ID: b3dabb8d5a83590c8b1085bd903674d4daf9b0d230342e7755a82848c5d4ed97
Opcode Fuzzy Hash: e44b20361fc8db20989faac4f7552e58629c0f806c54ca1fb41e06f347d70bc7
Instruction Fuzzy Hash: 9FF0C8B2B012407BE3101B629D4DFAB3A5CDBD1792B14003EF549F12D1EB789C44D679

Function 0040628D Relevance: 6.2, APIs: 4, Instructions: 174fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000100,00000000), ref: 00406311
GetLastError.KERNEL32 ref: 0040631B
ReadFile.KERNEL32(?,?,00000001,00000000,00000000), ref: 004063E2
GetLastError.KERNEL32 ref: 004063EC

Memory Dump Source

Source File: 00000000.00000002.1664120413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1664092516.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664141988.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664161309.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664181238.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PSKILL.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: dc20c8354a0b9f077d2e37c7855cd2457ab3a0f67f2cd46815a538230d9e72cf
Instruction ID: 594cd5d03c4902bb6504dd042f9b80409b9b2d2fba878b21d4fef55b099255ba
Opcode Fuzzy Hash: dc20c8354a0b9f077d2e37c7855cd2457ab3a0f67f2cd46815a538230d9e72cf
Instruction Fuzzy Hash: F961D630904286DFDB158F58D844BAA7BB1AF01314F1541BBE853BB3D2C3789966CB5E

Function 00405E0F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,00000000), ref: 00405E23

Strings

, xrefs: 00405E48
, xrefs: 00405E6C

Memory Dump Source

Source File: 00000000.00000002.1664120413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1664092516.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664141988.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664161309.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664181238.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PSKILL.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: 9cc35fe217b511eed1e994103731015ee061b8b2b5e5b419c84df181b9037b67
Instruction ID: b6d7fb98384146fe23e83d2c47050a47a1010788af2cd72c853b3fc687cf265b
Opcode Fuzzy Hash: 9cc35fe217b511eed1e994103731015ee061b8b2b5e5b419c84df181b9037b67
Instruction Fuzzy Hash: FD4126311046982EEB158754DD49BFB3BA9DB0A704F1400FAD58AF62D3C23D4E44CFAA

Function 00404871 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\PSKILL.EXE,00000104,?,?,?,?,?,?,00402706), ref: 00404894

Strings

H%[, xrefs: 0040489A
C:\Users\user\Desktop\PSKILL.EXE, xrefs: 00404888, 00404892, 004048B7, 004048ED

Memory Dump Source

Source File: 00000000.00000002.1664120413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1664092516.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664141988.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664161309.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664181238.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PSKILL.jbxd

Similarity

API ID: FileModuleName
String ID: C:\Users\user\Desktop\PSKILL.EXE$H%[
API String ID: 514040917-293701502
Opcode ID: 3433186f90cc1688682f1956b98dbd23c632455c5d2e024fc2b7001290256f5f
Instruction ID: b130ab54511de8fe3dffe748e45aa3d96d09eed6c06514f2c3feb5f2f9a36a38
Opcode Fuzzy Hash: 3433186f90cc1688682f1956b98dbd23c632455c5d2e024fc2b7001290256f5f
Instruction Fuzzy Hash: BE114FB6900218BFD711EFA9CDC5C9B77ACEA85358B10007AF605B7282E6745E01CBA4

Function 00401300 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,00401CBD,00000000,00000000,00401CBD,00000000), ref: 0040131A
LocalFree.KERNEL32(?), ref: 00401337

Strings

%s, xrefs: 00401325

Memory Dump Source

Source File: 00000000.00000002.1664120413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1664092516.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664141988.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664161309.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664181238.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PSKILL.jbxd

Similarity

API ID: FormatFreeLocalMessage
String ID: %s
API String ID: 1427518018-620797490
Opcode ID: c3c08edf1868f069a35b8d74fe3e60d3d166318f84caaf4126debfdaf7d31634
Instruction ID: 45a0c86f70ab77998a5bf0c638690475f8b3158380a38e58cb444e64f67b6572
Opcode Fuzzy Hash: c3c08edf1868f069a35b8d74fe3e60d3d166318f84caaf4126debfdaf7d31634
Instruction Fuzzy Hash: 03E012B4A88300BFF600D750CE4AF6B73689B84B01F10C519B784B61C1C6B4B844C77B

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PSKILL.EXE

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: PSKILL.EXEPID: 7444, Parent PID: 2580

General

Chronological Activities

Analysis Process: conhost.exePID: 7452, Parent PID: 7444

General

Chronological Activities

Disassembly

Analysis Process: PSKILL.EXEPID: 7444, Parent PID: 2580COMMON

Execution Graph

Graph

Windows Analysis Report
PSKILL.EXE

Function 004043B4 Relevance: 7.6, APIs: 5, Instructions: 143
COMMON

Function 00403B07 Relevance: 6.1, APIs: 4, Instructions: 139
fileCOMMON

Function 00402E79 Relevance: 5.1, APIs: 4, Instructions: 53
memoryCOMMON

Function 004025C5 Relevance: 4.5, APIs: 3, Instructions: 49
COMMON

Function 004027A0 Relevance: 3.0, APIs: 2, Instructions: 20
memoryCOMMON

Function 00402059 Relevance: 1.3, APIs: 1, Instructions: 21
memoryCOMMON

Function 00401D80 Relevance: 16.6, APIs: 11, Instructions: 71
serviceCOMMON

Function 00405FB0 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 50
libraryloaderCOMMON

Function 00401080 Relevance: 13.6, APIs: 9, Instructions: 93
COMMON

Function 00401490 Relevance: 47.5, APIs: 9, Strings: 18, Instructions: 255
fileCOMMON

Function 00401A80 Relevance: 35.2, APIs: 4, Strings: 16, Instructions: 210
COMMON

Function 00406483 Relevance: 13.7, APIs: 9, Instructions: 177
COMMON

Function 00401EF0 Relevance: 13.6, APIs: 9, Instructions: 69
serviceCOMMON

Function 00404DF9 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100
fileCOMMON