
Windows Analysis Report
sedsvc.exe

Overview

General Information

Sample name:sedsvc.exe
Analysis ID:1399953
MD5:487dc200f8f44feadefc09a1a078a15d
SHA1:d59e50b67c53dd10521e1ba3ee0251c719c804b8
SHA256:6f9cd7bbe9af0219e56cc4980952493637c54b62edb82c310c8e03551972b879

Detection

Score:24
Range:0 - 100
Whitelisted:false
Confidence:40%

Signatures

Contains functionality to detect sleep reduction / modifications
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found potential string decryption / allocating functions
PE file contains an invalid checksum
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info


Analysis Advice

Sample is a service DLL but no service has been registered
Sample may be VM or Sandbox-aware, try analysis on a native machine
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Process tree:
  • System is w10x64
  • sedsvc.exe (PID: 7656 cmdline: "C:\Users\user\Desktop\sedsvc.exe" -install MD5: 487DC200F8F44FEADEFC09A1A078A15D)
  • sedsvc.exe (PID: 7712 cmdline: "C:\Users\user\Desktop\sedsvc.exe" /install MD5: 487DC200F8F44FEADEFC09A1A078A15D)
  • sedsvc.exe (PID: 7736 cmdline: "C:\Users\user\Desktop\sedsvc.exe" /load MD5: 487DC200F8F44FEADEFC09A1A078A15D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched
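No Sigma rule matched, but the process tree above (a binary on the user's Desktop invoked with -install, /install and /load) together with the GetModuleFileNameW -> OpenSCManagerW -> CreateServiceW code path listed in the signature section is exactly what a service-installation detection keys on. The script below is an added example of such a rule, not part of this report or of any Joe Sandbox output. It runs over constructed records shaped like Windows System log event 7045 ("A service was installed in the system"); the InstallerCommandLine field is an assumption made for illustration (the command line of the process that called CreateServiceW, as a SIEM would correlate from a process-creation event), not a field of 7045 itself.

```python
"""Flag service installations that point at user-writable paths, as a service-install
rule would. Added example: the records below are constructed in the shape of
System log event 7045 and are not output of the analysis above."""
import re

TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\temp\\")
SERVICE_KERNEL_DRIVER = 0x1      # ServiceType value for a kernel driver
START_AUTO = 2                   # StartType value SERVICE_AUTO_START
# The sandbox advice notes that switches may need "-", "/" or "--"; accept all three.
INSTALL_SWITCH = re.compile(r"(?:^|\s)(?:-{1,2}|/)install\b", re.IGNORECASE)


def normalise_image_path(image_path: str) -> str:
    """Lowercase executable path from a service ImagePath/binPath value,
    handling quoted paths and trailing arguments such as '-k netsvcs'."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end > 0 else s[1:]).lower()
    # unquoted: cut at the first argument introduced by ' -' or ' /'
    return re.split(r"\s+[-/]", s, maxsplit=1)[0].lower()


def uses_install_switch(command_line: str) -> bool:
    return INSTALL_SWITCH.search(command_line) is not None


def classify_service_install(event: dict) -> dict:
    """Score one 7045-style record. Real 7045 fields used: ServiceName, ImagePath,
    ServiceType, StartType. InstallerCommandLine is an assumed correlation field
    (the command line of the process that registered the service).
    'suspicious' is driven by the image location; the other reasons are context."""
    path = normalise_image_path(event["ImagePath"])
    reasons = []
    untrusted = not path.startswith(TRUSTED_PREFIXES)
    if path.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("image in user-writable location")
    elif untrusted:
        reasons.append("image outside Windows / Program Files")
    if event.get("ServiceType") == SERVICE_KERNEL_DRIVER and untrusted:
        reasons.append("kernel driver loaded from untrusted path")
    installer = event.get("InstallerCommandLine", "")
    if installer and uses_install_switch(installer) and normalise_image_path(installer) == path:
        # the pattern in this report: the binary registers its own path as the service image
        reasons.append("binary registered itself via an install switch")
    if event.get("StartType") == START_AUTO and untrusted:
        reasons.append("auto-start persistence")
    return {"service": event["ServiceName"], "image": path,
            "suspicious": untrusted, "reasons": reasons}


# Constructed sample records (not from the sandbox run); only the second mirrors this report.
SAMPLE_EVENTS = [
    {"ServiceName": "NetSvcA", "ImagePath": r"C:\Windows\system32\svchost.exe -k netsvcs",
     "ServiceType": 0x20, "StartType": START_AUTO},
    {"ServiceName": "sedsvc", "ImagePath": r"C:\Users\user\Desktop\sedsvc.exe",
     "ServiceType": 0x10, "StartType": START_AUTO,
     "InstallerCommandLine": r'"C:\Users\user\Desktop\sedsvc.exe" -install'},
    {"ServiceName": "VendorAgent", "ImagePath": r'"C:\Program Files\Vendor\agent.exe" /svc',
     "ServiceType": 0x10, "StartType": START_AUTO},
    {"ServiceName": "tmpdrv", "ImagePath": r"C:\ProgramData\tmp\drv.sys",
     "ServiceType": SERVICE_KERNEL_DRIVER, "StartType": 3},
]


def triage(events):
    return [classify_service_install(e) for e in events]


if __name__ == "__main__":
    for result in triage(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10s} {result['service']:12s} {result['image']}  {'; '.join(result['reasons'])}")
```

On a real host the same logic applies to the Security log 4697 event, which carries the same service name and image path fields; the location check is what separates this sample's Desktop install from the Program Files path the legitimate service lives in.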

Source: sedsvc.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: sedsvc.pdbGCTL source: sedsvc.exe
Source: Binary string: sedsvc.pdb source: sedsvc.exe
Source: C:\Users\user\Desktop\sedsvc.exe | Code function: 0_2_00007FF68C4EBEF8 OpenSCManagerW,OpenServiceW,ControlService,Sleep,Sleep,QueryServiceStatus,DeleteService,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\sedsvc.exe | Code function: 0_2_00007FF68C4EEB90
Source: C:\Users\user\Desktop\sedsvc.exe | Code function: 0_2_00007FF68C4F1784
Source: C:\Users\user\Desktop\sedsvc.exe | Code function: 0_2_00007FF68C4E6DB4
Source: C:\Users\user\Desktop\sedsvc.exe | Code function: 0_2_00007FF68C4E7540
Source: C:\Users\user\Desktop\sedsvc.exe | Code function: 0_2_00007FF68C4E9770
Source: C:\Users\user\Desktop\sedsvc.exe | Code function: 0_2_00007FF68C4E6370
Source: C:\Users\user\Desktop\sedsvc.exe | Code function: 0_2_00007FF68C4F742C
Source: C:\Users\user\Desktop\sedsvc.exe | Code function: 0_2_00007FF68C4EA828
Source: C:\Users\user\Desktop\sedsvc.exe | Code function: 0_2_00007FF68C4F4424
Source: C:\Users\user\Desktop\sedsvc.exe | Code function: 0_2_00007FF68C4E87B8
Source: C:\Users\user\Desktop\sedsvc.exe | Code function: 0_2_00007FF68C4EAAA4
Source: C:\Users\user\Desktop\sedsvc.exe | Code function: 0_2_00007FF68C4E9F08
Source: C:\Users\user\Desktop\sedsvc.exe | Code function: 0_2_00007FF68C4E94B8
Source: C:\Users\user\Desktop\sedsvc.exe | Code function: String function: 00007FF68C4E8D28 appears 266 times
Source: C:\Users\user\Desktop\sedsvc.exe | Code function: String function: 00007FF68C4E8454 appears 46 times
Source: sedsvc.exe, 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamesedsvcj% vs sedsvc.exe
Source: sedsvc.exe, 00000001.00000000.1641895927.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamesedsvcj% vs sedsvc.exe
Source: sedsvc.exe, 00000002.00000002.2917462712.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamesedsvcj% vs sedsvc.exe
Source: sedsvc.exe | Binary or memory string: OriginalFilenamesedsvcj% vs sedsvc.exe
Source: classification engine | Classification label: sus24.evad.winEXE@3/0@0/0
Source: C:\Users\user\Desktop\sedsvc.exe | Code function: 0_2_00007FF68C4EBE10 GetModuleFileNameW,OpenSCManagerW,CreateServiceW,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\sedsvc.exe | Code function: 0_2_00007FF68C4E7540 CoInitializeEx,GetVersionExW,GetLastError,QueueUserWorkItem,StartServiceCtrlDispatcherW,CoUninitialize
Source: sedsvc.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: sedsvc.exe | String found in binary or memory: <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
Source: sedsvc.exe | String found in binary or memory: <StopOnIdleEnd>true</StopOnIdleEnd>
Source: unknown | Process created: C:\Users\user\Desktop\sedsvc.exe "C:\Users\user\Desktop\sedsvc.exe" -install
Source: unknown | Process created: C:\Users\user\Desktop\sedsvc.exe "C:\Users\user\Desktop\sedsvc.exe" /install
Source: unknown | Process created: C:\Users\user\Desktop\sedsvc.exe "C:\Users\user\Desktop\sedsvc.exe" /load
Source: sedsvc.exe | Static PE information: Image base 0x7ff68c4e0000 > 0x60000000
Source: sedsvc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: sedsvc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: sedsvc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: sedsvc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: sedsvc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: sedsvc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: sedsvc.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: sedsvc.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: sedsvc.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: sedsvc.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: sedsvc.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\sedsvc.exe | Code function: 0_2_00007FF68C4E6DB4 CoInitializeEx,WTSEnumerateProcessesW,lstrcmpiW,WTSFreeMemory,GetModuleFileNameW,PathCchRemoveFileSpec,LoadLibraryW,GetProcAddress,GetCurrentProcess,K32GetProcessMemoryInfo,CloseHandle,GetLocalTime,Sleep,GetLocalTime,SetEvent,GetLastError,CoUninitialize,FreeLibrary,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree
Source: sedsvc.exe | Static PE information: real checksum: 0x5b993 should be: 0x5fa2a
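Two of the static findings in this report call for a manual check rather than a score contribution: the checksum mismatch (0x5b993 stored, 0x5fa2a computed) and, in the PE details further down, the 1995 link timestamp. The report's own numbers explain the checksum: IMAGE_DIRECTORY_ENTRY_SECURITY is recorded at 0x55800 with size 0x2138, but the file is exactly 0x55800 (350,208) bytes long, so the Authenticode overlay is not in the submitted sample. "Digitally signed: true" reflects only the directory entry, the empty signature fields reflect the missing bytes, and a checksum computed over a truncated file cannot match the one the signer stored; both checksum and signature should be verified against an intact copy. The timestamp is no evidence of age either: Microsoft's reproducible builds put a hash of the build, not a time, into TimeDateStamp. The script below is an added example, not part of the sandbox report; it reimplements these checks over raw bytes (the checksum is the imagehlp CheckSumMappedFile algorithm) and runs on a constructed header-only PE32+ image so it works offline.

```python
"""Static PE header checks: link timestamp, DllCharacteristics, PE checksum and
whether the Authenticode overlay named by the Security directory is present.
Added example; works on raw bytes, so it runs offline on a constructed image."""
import struct
from datetime import datetime, timezone

# IMAGE_DLLCHARACTERISTICS_* bits from winnt.h
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def parse_headers(data: bytes) -> dict:
    """Read the fields a triage analyst looks at first from an in-memory PE file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp = struct.unpack_from("<HHI", data, coff)
    opt = coff + 20                       # optional header follows the 20-byte COFF header
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    # CheckSum (offset 64) and DllCharacteristics (offset 70) sit at the same offsets in
    # PE32 and PE32+; the data directories start at offset 96 (PE32) or 112 (PE32+).
    checksum = struct.unpack_from("<I", data, opt + 64)[0]
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    dirs = opt + (112 if pe32plus else 96)
    sec_off, sec_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {
        "machine": machine,
        "sections": nsections,
        "timestamp": timestamp,
        "timestamp_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "pe32plus": pe32plus,
        "checksum_offset": opt + 64,
        "stored_checksum": checksum,
        "dll_characteristics": [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if dllchars & bit],
        "security_dir": (sec_off, sec_size),   # for this entry the "VA" is a file offset
    }


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Value the loader expects in OptionalHeader.CheckSum (imagehlp CheckSumMappedFile):
    fold every dword except the CheckSum field into 16 bits, then add the file length."""
    assert checksum_offset % 4 == 0
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def check_checksum(data: bytes) -> dict:
    hdr = parse_headers(data)
    expected = pe_checksum(data, hdr["checksum_offset"])
    return {"stored": hdr["stored_checksum"], "expected": expected,
            "matches": hdr["stored_checksum"] == expected}


def set_checksum(data: bytes) -> bytes:
    """Return a copy with a correct CheckSum (what the linker or signtool writes)."""
    hdr = parse_headers(data)
    buf = bytearray(data)
    struct.pack_into("<I", buf, hdr["checksum_offset"], pe_checksum(data, hdr["checksum_offset"]))
    return bytes(buf)


def authenticode_overlay_present(data: bytes) -> bool:
    """False when the Security directory points past end of file, i.e. the signature
    was stripped or the sample truncated, which is what this report's numbers show."""
    off, size = parse_headers(data)["security_dir"]
    return size > 0 and off + size <= len(data)


def build_minimal_pe32plus(timestamp: int, dll_characteristics: int,
                           security_dir=(0, 0), checksum: int = 0) -> bytes:
    """Constructed header-only x64 image for offline testing (not a real binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, timestamp, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                       # PE32+ magic
    struct.pack_into("<I", opt, 64, checksum)
    struct.pack_into("<HH", opt, 68, 3, dll_characteristics)    # CUI subsystem, flags
    struct.pack_into("<I", opt, 108, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, *security_dir)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Mirror the sample: flags 0xC160, the 1995 stamp, and a Security directory that
    # starts exactly at end of file (328 bytes here, 0x55800 in the report).
    img = build_minimal_pe32plus(0x308DA80F, 0xC160, security_dir=(328, 0x2138))
    print(parse_headers(img))
    print("checksum:", check_checksum(img), "overlay present:", authenticode_overlay_present(img))
    print("after set_checksum:", check_checksum(set_checksum(img)))
```

The constructed image decodes to the same DllCharacteristics list and the same 1995-10-25 02:59:27 UTC stamp the report shows; authenticode_overlay_present() is the one-line check that turns "Digitally signed: true" plus empty signature fields into a concrete finding.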

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\sedsvc.exe | Code function: 0_2_00007FF68C4E6DB4 CoInitializeEx,WTSEnumerateProcessesW,lstrcmpiW,WTSFreeMemory,GetModuleFileNameW,PathCchRemoveFileSpec,LoadLibraryW,GetProcAddress,GetCurrentProcess,K32GetProcessMemoryInfo,CloseHandle,GetLocalTime,Sleep,GetLocalTime,SetEvent,GetLastError,CoUninitialize,FreeLibrary,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\sedsvc.exe | Code function: 0_2_00007FF68C4EEB90 GetProcessHeap,HeapAlloc,HeapFree
Source: C:\Users\user\Desktop\sedsvc.exe | Code function: 0_2_00007FF68C4EFB88 RegOpenKeyExW,RegCloseKey,RegGetValueW,GetSystemTimeAsFileTime
Source: C:\Users\user\Desktop\sedsvc.exe | Code function: 0_2_00007FF68C4E7540 CoInitializeEx,GetVersionExW,GetLastError,QueueUserWorkItem,StartServiceCtrlDispatcherW,CoUninitialize
MITRE ATT&CK Matrix (techniques with matching signatures; number of matching signatures in parentheses)

  • Execution: Command and Scripting Interpreter (2), Service Execution (12), Native API (1)
  • Persistence: Windows Service (14)
  • Privilege Escalation: Windows Service (14), Process Injection (1)
  • Defense Evasion: Virtualization/Sandbox Evasion (1), Process Injection (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (1)
  • Discovery: System Time Discovery (1), Security Software Discovery (11), Virtualization/Sandbox Evasion (1), System Information Discovery (2)
  • Collection: Archive Collected Data (1)
  • Command and Control: Encrypted Channel (1)
  • No matching signatures: Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration, Impact
Behavior Graph (ID 1399953; sample sedsvc.exe; start date 28/02/2024; architecture WINDOWS; score 24): the start node launches three sedsvc.exe processes; the signature "Contains functionality to detect sleep reduction / modifications" is attached to the first of them.

Source | Detection | Scanner | Label | Link
sedsvc.exe | 3% | ReversingLabs | |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1399953
Start date and time:2024-02-28 00:17:52 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 4s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:Cmdline fuzzy
Number of new started processes analysed: 7
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:sedsvc.exe
Detection:SUS
Classification:sus24.evad.winEXE@3/0@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 70
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target sedsvc.exe, PID 7656 because there are no executed function
  • Not all processes were analyzed, report is missing behavior information
  • VT rate limit hit for: sedsvc.exe
No simulations
No context
No created / dropped files found
File type:PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):3.289700061427691
TrID:
  • Win64 Executable Console (202006/5) 92.65%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:sedsvc.exe
File size:350'208 bytes
MD5:487dc200f8f44feadefc09a1a078a15d
SHA1:d59e50b67c53dd10521e1ba3ee0251c719c804b8
SHA256:6f9cd7bbe9af0219e56cc4980952493637c54b62edb82c310c8e03551972b879
SHA512:76ba0441b2a5c975c276e20671779ae70cdc3ca4a27dfb378935745b2dce39a074b7c6ee2e69c6427b1196d30d6170058dcff2db4520123fccaecc3227ac3ea6
SSDEEP:3072:kPznCopBwo/twN6MaeiC2tQO/Mm6Sas4ZccDHd6inGaKW:WpBhwN6yf2iAMfSasJFin
TLSH:8D74F5292AD91479E473E179CFEAC10AD277B4555732D3AF1260064F0F23AA1FA39B31
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`...$..M$..M$..MK..L4..M-.NM...M$..M...MK..L(..MK..L'..MK..L...MK..Le..MK. M&..MK."M%..MK..L%..MRich$..M........PE..d......0...
Icon Hash:90cececece8e8eb0
Entrypoint:0x7ff68c4fc530
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x7ff68c4e0000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:0x308DA80F [Wed Oct 25 02:59:27 1995 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:10
OS Version Minor:0
File Version Major:10
File Version Minor:0
Subsystem Version Major:10
Subsystem Version Minor:0
Import Hash:90d7cf86b3069ff3464f6c9fd27d8383
Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
    Subject Chain
      Version:
      Thumbprint MD5:
      Thumbprint SHA-1:
      Thumbprint SHA-256:
      Serial:
      Instruction (entrypoint disassembly as decoded by the sandbox, which treats this x64 code as 32-bit x86: each leading dec eax is the 0x48 REX.W prefix of the following instruction, so dec eax / sub esp, 28h is sub rsp, 28h and dec eax / mov ebx, ecx is mov rbx, rcx)
      dec eax
      sub esp, 28h
      call 00007FF860C05778h
      dec eax
      add esp, 28h
      jmp 00007FF860C04E6Fh
      int3
      int3
      jmp 00007FF860C05EC6h
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      nop word ptr [eax+eax+00000000h]
      dec eax
      cmp ecx, dword ptr [00017109h]
      jne 00007FF860C05015h
      dec eax
      rol ecx, 10h
      test cx, FFFFh
      jne 00007FF860C05005h
      ret
      dec eax
      ror ecx, 10h
      jmp 00007FF860C05074h
      int3
      int3
      int3
      inc eax
      push ebx
      dec eax
      sub esp, 20h
      dec eax
      mov ebx, ecx
      call dword ptr [00004B65h]
      mov ecx, 00000001h
      mov dword ptr [000176D2h], eax
      call 00007FF860C05802h
      xor ecx, ecx
      call dword ptr [00004B6Dh]
      dec eax
      mov ecx, ebx
      call dword ptr [00004B54h]
      cmp dword ptr [000176B5h], 00000000h
      jne 00007FF860C0500Ch
      mov ecx, 00000001h
      call 00007FF860C057DEh
      call dword ptr [00004CD3h]
      dec eax
      mov ecx, eax
      mov edx, C0000409h
      dec eax
      add esp, 20h
      pop ebx
      dec eax
      jmp dword ptr [00004CB7h]
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      dec eax
      mov dword ptr [esp+08h], ecx
      dec eax
      sub esp, 00000000h
      Programming Language:
      • [IMP] VS2008 SP1 build 30729
      Name | Virtual Address | Virtual Size | Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x30120 | 0x460 | .rdata
      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x37000 | 0x21440 | .rsrc
      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x35000 | 0x17dc | .pdata
      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x55800 | 0x2138 | .rsrc
      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x59000 | 0x3a8 | .reloc
      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x29740 | 0x54 | .rdata
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x20e30 | 0x100 | .rdata
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IAT | 0x20f30 | 0x9a0 | .rdata
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
      .text | 0x1000 | 0x1ed5e | 0x1ee00 | ecafe167dd3d36818f992de1db4ce70a | False | 0.42864372469635625 | data | 5.510939022947836 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      .rdata | 0x20000 | 0x12a14 | 0x12c00 | fe7077f25e030770564036a3cbdf82f5 | False | 0.18850260416666667 | data | 3.0693227792363458 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .data | 0x33000 | 0x1a00 | 0x800 | c99a74c555371a433d121f551d6c6398 | False | 0.01123046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .pdata | 0x35000 | 0x17dc | 0x1800 | ff1ce2018aa17fe600fca636b126dbe4 | False | 0.004557291666666667 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .rsrc | 0x37000 | 0x21440 | 0x21600 | 1347aa62f94214b863c2b196fd070d22 | False | 0.019370318352059924 | data | 0.3944297279678959 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .reloc | 0x59000 | 0x3a8 | 0x400 | 0f343b0931126a20f133d67c2b018a3b | False | 0.0166015625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
      XML | 0x54790 | 0x938 | data | English | United States | 0.01059322033898305
      XML | 0x558e8 | 0x63e | data | English | United States | 0.013141426783479349
      XML | 0x550c8 | 0x81a | data | English | United States | 0.011571841851494697
      XML | 0x56718 | 0x68a | data | English | United States | 0.013142174432497013
      XML | 0x42048 | 0x66d | data | English | United States | 0.01276595744680851
      XML | 0x46b78 | 0x66d | data | English | United States | 0.01276595744680851
      XML | 0x4b780 | 0x66d | data | English | United States | 0.01276595744680851
      XML | 0x503d8 | 0x66d | data | English | United States | 0.01276595744680851
      XML | 0x38a40 | 0x66d | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | English | United States | 0.3781155015197568
      XML | 0x3d518 | 0x66d | data | English | United States | 0.01276595744680851
      XML | 0x57cf0 | 0x750 | data | English | United States | 0.012286324786324786
      XML | 0x426b8 | 0x75e | data | English | United States | 0.012195121951219513
      XML | 0x471e8 | 0x75e | data | English | United States | 0.012195121951219513
      XML | 0x4bdf0 | 0x75e | data | English | United States | 0.012195121951219513
      XML | 0x50a48 | 0x75e | data | English | United States | 0.012195121951219513
      XML | 0x390b0 | 0x75e | data | English | United States | 0.012195121951219513
      XML | 0x3db88 | 0x75e | data | English | United States | 0.012195121951219513
      XML | 0x463c0 | 0x7b8 | data | English | United States | 0.011639676113360324
      XML | 0x4afc8 | 0x7b8 | data | English | United States | 0.011639676113360324
      XML | 0x4fc20 | 0x7b8 | data | English | United States | 0.011639676113360324
      XML | 0x53fd8 | 0x7b8 | data | English | United States | 0.011639676113360324
      XML | 0x3cd60 | 0x7b8 | data | English | United States | 0.011639676113360324
      XML | 0x41890 | 0x7b8 | data | English | United States | 0.011639676113360324
      XML | 0x55f28 | 0x7ea | data | English | United States | 0.011352418558736426
      XML | 0x56da8 | 0x768 | data | English | United States | 0.012130801687763712
      XML | 0x43740 | 0x88f | data | English | United States | 0.011410314924691922
      XML | 0x48270 | 0x88f | data | English | United States | 0.011410314924691922
      XML | 0x4ce78 | 0x88f | data | English | United States | 0.011410314924691922
      XML | 0x3a138 | 0x890 | data | English | United States | 0.011405109489051095
      XML | 0x3ec10 | 0x88f | data | English | United States | 0.011410314924691922
      XML | 0x42e18 | 0x927 | data | English | United States | 0.010670081092616303
      XML | 0x47948 | 0x927 | data | English | United States | 0.010670081092616303
      XML | 0x4c550 | 0x927 | data | English | United States | 0.010670081092616303
      XML | 0x511a8 | 0x927 | data | English | United States | 0.010670081092616303
      XML | 0x39810 | 0x927 | data | English | United States | 0.010670081092616303
      XML | 0x3e2e8 | 0x927 | data | English | United States | 0.010670081092616303
      XML | 0x43fd0 | 0x7e9 | data | English | United States | 0.011358024691358024
      XML | 0x48b00 | 0x7e9 | data | English | United States | 0.011358024691358024
      XML | 0x4d708 | 0x7e9 | data | English | United States | 0.011358024691358024
      XML | 0x51ad0 | 0x7e9 | data | English | United States | 0.011358024691358024
      XML | 0x3a9c8 | 0x7e9 | data | English | United States | 0.011358024691358024
      XML | 0x3f4a0 | 0x7e9 | data | English | United States | 0.011358024691358024
      XML | 0x447c0 | 0xa35 | data | English | United States | 0.009567546880979716
      XML | 0x492f0 | 0xb0d | data | English | United States | 0.008837044892188053
      XML | 0x4def8 | 0xb9f | data | English | United States | 0.008739495798319327
      XML | 0x522c0 | 0xb4b | data | English | United States | 0.008993427879626427
      XML | 0x3b1b8 | 0xa2f | data | English | United States | 0.009589566551591868
      XML | 0x3fc90 | 0xa35 | data | English | United States | 0.009567546880979716
      XML | 0x57510 | 0x7dd | data | English | United States | 0.011425732737208148
      XML | 0x451f8 | 0x79f | data | English | United States | 0.011788826242952332
      XML | 0x49e00 | 0x79f | data | English | United States | 0.011788826242952332
      XML | 0x4ea98 | 0x79f | data | English | United States | 0.011788826242952332
      XML | 0x52e10 | 0x79f | data | English | United States | 0.011788826242952332
      XML | 0x3bbe8 | 0x79f | data | English | United States | 0.011788826242952332
      XML | 0x406c8 | 0x79f | data | English | United States | 0.011788826242952332
      XML | 0x45998 | 0xa28 | data | English | United States | 0.009615384615384616
      XML | 0x4a5a0 | 0xa28 | data | English | United States | 0.009615384615384616
      XML | 0x4f238 | 0x9e1 | data | English | United States | 0.009885330170027679
      XML | 0x535b0 | 0xa26 | data | English | United States | 0.00962278675904542
      XML | 0x3c388 | 0x9d1 | data | English | United States | 0.009948269001193792
      XML | 0x40e68 | 0xa26 | data | English | United States | 0.00962278675904542
      RT_VERSION | 0x386d0 | 0x36c | data | English | United States | 0.4589041095890411
      DLL | Import
      api-ms-win-crt-locale-l1-1-0.dll: _lock_locales, _unlock_locales
      api-ms-win-crt-string-l1-1-0.dll: __strncnt, memset
      api-ms-win-crt-runtime-l1-1-0.dll: _c_exit, _initterm_e, _initterm, _register_thread_local_exe_atexit_callback
      api-ms-win-crt-private-l1-1-0.dll: _o__lock_file, _o__malloc_base, _o__purecall, _o__register_onexit_function, _o__seh_filter_exe, _o__set_app_type, _o__set_fmode, _o__set_new_mode, _o__unlock_file, _o__wcsicmp, _o__wcsupr_s, _o__wtoi, _o_abort, _o_exit, _o_fclose, _o_fflush, _o_fgetc, _o_fgetpos, _o_fputc, _o_free, _o_fsetpos, _o_fwrite, _o_islower, _o_isupper, _o_malloc, _o_realloc, _o_setlocale, _o_setvbuf, _o_terminate, _o_ungetc, _o_wcstok_s, _o_wcstoul, __uncaught_exception, __C_specific_handler, _CxxThrowException, _o__invalid_parameter_noinfo_noreturn, _o__invalid_parameter_noinfo, _o__initialize_wide_environment, _o__initialize_onexit_table, _o__get_stream_buffer_pointers, _o__get_initial_wide_environment, _o__fseeki64, _o__free_base, _o__exit, wcsstr, _o__errno, _o__crt_atexit, _o__configure_wide_argv, _o__configthreadlocale, _o__cexit, _o__calloc_base, _o__callnewh, _o___stdio_common_vswscanf, _o___stdio_common_vswprintf, _o___stdio_common_vsprintf_s, _o___stdio_common_vsnprintf_s, _o___stdio_common_vfwprintf, _o___stdio_common_vfprintf, _o___std_exception_destroy, _o___std_exception_copy, _o___pctype_func, _o___p__commode, _o___p___wargv, _o___p___argc, _o___acrt_iob_func, _o____lc_locale_name_func, _o____lc_codepage_func, wcschr, memmove, __CxxFrameHandler3, memcmp, _o__wcsdup, memcpy
      api-ms-win-core-file-l1-1-0.dll: GetFileSize, GetFileAttributesW, DeleteFileW, WriteFile, CreateDirectoryW, GetTempFileNameW, CreateFileW
      api-ms-win-core-libraryloader-l1-1-0.dll: GetModuleFileNameW, FreeLibrary, GetProcAddress, GetModuleHandleExW, GetModuleFileNameA, GetModuleHandleW
      api-ms-win-core-synch-l1-2-0.dll: InitOnceBeginInitialize, Sleep, InitOnceExecuteOnce, InitOnceComplete
      api-ms-win-eventing-controller-l1-1-0.dll: EnableTraceEx2, StartTraceW, ControlTraceW
      api-ms-win-core-registry-l1-1-0.dll: RegCreateKeyExW, RegQueryInfoKeyW, RegSetValueExW, RegEnumValueW, RegOpenKeyExW, RegDeleteValueW, RegQueryValueExW, RegGetValueW, RegCloseKey
      api-ms-win-core-synch-l1-1-0.dll: DeleteCriticalSection, AcquireSRWLockExclusive, ReleaseSRWLockShared, InitializeCriticalSectionEx, LeaveCriticalSection, CreateMutexW, CreateMutexExW, CreateEventExW, WaitForSingleObject, CreateSemaphoreExW, AcquireSRWLockShared, ReleaseSRWLockExclusive, ReleaseSemaphore, ReleaseMutex, SetEvent, OpenSemaphoreW, CreateEventW, WaitForSingleObjectEx, InitializeSRWLock
      api-ms-win-core-heap-l1-1-0.dll: HeapFree, GetProcessHeap, HeapAlloc
      api-ms-win-core-errorhandling-l1-1-0.dll: UnhandledExceptionFilter, SetLastError, SetUnhandledExceptionFilter, RaiseException, GetLastError
      api-ms-win-core-processthreads-l1-1-0.dll: GetCurrentThreadId, TerminateProcess, GetCurrentProcess, GetCurrentProcessId
      api-ms-win-security-sddl-l1-1-0.dll: ConvertStringSecurityDescriptorToSecurityDescriptorW
      api-ms-win-core-com-l1-1-0.dll: CoGetApartmentType, CoWaitForMultipleHandles, CoTaskMemAlloc, CoCreateGuid, CoUninitialize, CLSIDFromString, CoInitializeEx, CoCreateFreeThreadedMarshaler, CoTaskMemFree, CoTaskMemRealloc
      api-ms-win-eventing-legacy-l1-1-0.dll: QueryTraceW
      api-ms-win-service-core-l1-1-0.dll: StartServiceCtrlDispatcherW, SetServiceStatus
      api-ms-win-eventing-provider-l1-1-0.dll: EventWriteTransfer, EventSetInformation, EventRegister, EventUnregister
      api-ms-win-core-shlwapi-legacy-l1-1-0.dll: PathFileExistsW, PathRemoveFileSpecW
      api-ms-win-core-heap-obsolete-l1-1-0.dll: LocalFree, LocalAlloc, GlobalFree
      api-ms-win-core-sysinfo-l1-1-0.dll: GetSystemDirectoryW, GetLocalTime, GetVersionExW, GetSystemTimeAsFileTime
      api-ms-win-core-threadpool-legacy-l1-1-0.dll: QueueUserWorkItem
      api-ms-win-core-localization-l1-2-0.dll: FormatMessageW, LCMapStringEx, GetUserDefaultLocaleName
      api-ms-win-service-winsvc-l1-1-0.dll: RegisterServiceCtrlHandlerW, ControlService, QueryServiceStatus
      api-ms-win-core-debug-l1-1-0.dll: DebugBreak, OutputDebugStringW, IsDebuggerPresent
      api-ms-win-core-psapi-l1-1-0.dll: K32GetProcessMemoryInfo
      api-ms-win-core-handle-l1-1-0.dll: CloseHandle
      api-ms-win-core-kernel32-legacy-l1-1-0.dll: LoadLibraryW, MoveFileW
      OLEAUT32.dll: VariantClear
      api-ms-win-core-path-l1-1-0.dll: PathCchRemoveFileSpec, PathCchCombine
      CRYPT32.dll: CertGetCertificateChain, CertFreeCertificateContext, CertFreeCertificateChain, CertVerifyCertificateChainPolicy, CryptStringToBinaryW
      api-ms-win-service-management-l1-1-0.dll: CreateServiceW, OpenServiceW, DeleteService, OpenSCManagerW, CloseServiceHandle
      api-ms-win-core-string-l1-1-0.dll: WideCharToMultiByte, MultiByteToWideChar
      api-ms-win-core-util-l1-1-0.dll: EncodePointer, DecodePointer
      api-ms-win-core-rtlsupport-l1-1-0.dll: RtlVirtualUnwind, RtlCaptureContext, RtlLookupFunctionEntry
      api-ms-win-core-processthreads-l1-1-1.dll: IsProcessorFeaturePresent
      api-ms-win-core-profile-l1-1-0.dll: QueryPerformanceCounter
      api-ms-win-core-interlocked-l1-1-0.dll: InitializeSListHead
      api-ms-win-core-memory-l1-1-0.dll: MapViewOfFile, CreateFileMappingW, UnmapViewOfFile
      WINHTTP.dll: WinHttpReadData, WinHttpSetTimeouts, WinHttpOpenRequest, WinHttpQueryHeaders, WinHttpAddRequestHeaders, WinHttpCloseHandle, WinHttpSendRequest, WinHttpQueryDataAvailable, WinHttpOpen, WinHttpQueryOption, WinHttpReceiveResponse, WinHttpConnect
      api-ms-win-core-version-l1-1-0.dll: VerQueryValueW
      api-ms-win-core-sysinfo-l1-2-0.dll: GetProductInfo
      ntdll.dll: RtlConvertDeviceFamilyInfoToString
      api-ms-win-core-string-obsolete-l1-1-0.dll: lstrcmpiW
      api-ms-win-core-registry-l2-1-0.dll: RegSetKeyValueW
      CRYPTSP.dll: CryptHashData, CryptGetHashParam, CryptDestroyHash, CryptReleaseContext, CryptCreateHash, CryptAcquireContextW
      api-ms-win-core-file-l1-2-0.dll: GetTempPathW
      VERSION.dll: GetFileVersionInfoW, GetFileVersionInfoSizeW
      WTSAPI32.dll: WTSEnumerateProcessesW, WTSFreeMemory
      api-ms-win-core-winrt-string-l1-1-0.dll: WindowsDeleteString, WindowsGetStringRawBuffer, WindowsCreateString, WindowsCreateStringReference
      api-ms-win-core-winrt-l1-1-0.dll: RoActivateInstance, RoGetActivationFactory
      api-ms-win-core-winrt-error-l1-1-0.dll: RoOriginateError, RoTransformError
      WINTRUST.dll: WTHelperProvDataFromStateData, WinVerifyTrust, WTHelperGetProvSignerFromChain
      WININET.dll: InternetOpenUrlW, InternetOpenW, HttpQueryInfoW, InternetReadFile, InternetCloseHandle
      ext-ms-win-setupapi-classinstallers-l1-1-2.dll: SetupIterateCabinetW
      Language of compilation system | Country where language is spoken
      English | United States
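Read together, the import table above and the runtime sections that follow tell the analyst what the four-minute run did not exercise: the binary imports WinHTTP and WinInet, WinVerifyTrust and CRYPT32 certificate-chain verification, CryptSP hashing, SCM service management, WTS process enumeration and ETW tracing, while "No network behavior found" and "Number of executed functions: 0" show that none of it ran before the timeout (the strings in the function listing further down, "Waited specified delay of %d minutes" and "delayIntervalMinutes", point at a built-in delay, which also explains the idle verdict). Those strings, together with "Sediment pack service", sedlauncher.exe and ExecuteLegacyRemediations, are consistent with the Windows Remediation Service that Microsoft ships as sedsvc.exe with the KB4023057 update health tools; that should be confirmed by verifying the Authenticode signature on an intact copy, not assumed. The script below is an added example, not part of the report: it parses import lines in either form the page shows (run-together "X.dllFunc" or "X.dll: Func") into per-DLL lists, maps them onto capability groups (an assumed grouping for triage, not a Joe Sandbox taxonomy), and reports which statically present capabilities the dynamic run did not exercise. The excerpt it carries is copied from the import table above.

```python
"""Map an import-table listing to capability groups and compare with observed behaviour.
Added example; the capability grouping is the author's own, and the excerpt below is
copied from the import table of this report in the forms the page lists it."""
import re

# "<dll>" is everything up to the first ".dll"; the colon and space are optional so the
# run-together form produced by the page extraction ("OLEAUT32.dllVariantClear") parses too.
IMPORT_LINE = re.compile(r"^\s*(?P<dll>.+?\.dll):?\s*(?P<funcs>.*)$", re.IGNORECASE)

# Assumed triage grouping (not a sandbox taxonomy)
CAPABILITIES = {
    "service_management": {"OpenSCManagerW", "CreateServiceW", "OpenServiceW", "DeleteService",
                           "ControlService", "StartServiceCtrlDispatcherW"},
    "http_client": {"WinHttpOpen", "WinHttpConnect", "WinHttpSendRequest", "WinHttpReadData",
                    "InternetOpenW", "InternetOpenUrlW", "InternetReadFile"},
    "signature_verification": {"WinVerifyTrust", "CertGetCertificateChain",
                               "CertVerifyCertificateChainPolicy"},
    "hashing": {"CryptCreateHash", "CryptHashData", "CryptGetHashParam"},
    "process_enumeration": {"WTSEnumerateProcessesW"},
    "etw_tracing": {"StartTraceW", "ControlTraceW", "EnableTraceEx2", "EventWriteTransfer"},
    "registry_write": {"RegCreateKeyExW", "RegSetValueExW", "RegSetKeyValueW", "RegDeleteValueW"},
    "file_write": {"CreateFileW", "WriteFile", "MoveFileW", "DeleteFileW", "GetTempFileNameW"},
    "dynamic_api_resolution": {"LoadLibraryW", "GetProcAddress"},
    "debugger_check": {"IsDebuggerPresent"},
    "cabinet_extraction": {"SetupIterateCabinetW"},
}


def parse_import_lines(lines):
    """Return {dll: [function, ...]} from report-style import lines; non-matching lines are skipped."""
    imports = {}
    for line in lines:
        m = IMPORT_LINE.match(line)
        if not m or not m.group("funcs").strip():
            continue
        funcs = [f.strip() for f in m.group("funcs").split(",") if f.strip()]
        imports.setdefault(m.group("dll"), []).extend(funcs)
    return imports


def capabilities(imports):
    """{capability: sorted matching imports} for every group with at least one hit."""
    present = {f for funcs in imports.values() for f in funcs}
    return {cap: sorted(present & apis) for cap, apis in CAPABILITIES.items() if present & apis}


def static_but_not_observed(caps, observed):
    """Capabilities present in the import table that the dynamic run did not exercise."""
    return sorted(set(caps) - set(observed))


# Excerpt of the import table above, in both forms the page shows it.
IMPORT_TABLE_EXCERPT = """\
api-ms-win-core-file-l1-1-0.dll: GetFileSize, GetFileAttributesW, DeleteFileW, WriteFile, CreateDirectoryW, GetTempFileNameW, CreateFileW
api-ms-win-core-libraryloader-l1-1-0.dll: GetModuleFileNameW, FreeLibrary, GetProcAddress, GetModuleHandleExW, GetModuleFileNameA, GetModuleHandleW
api-ms-win-eventing-controller-l1-1-0.dll: EnableTraceEx2, StartTraceW, ControlTraceW
api-ms-win-service-core-l1-1-0.dll: StartServiceCtrlDispatcherW, SetServiceStatus
api-ms-win-service-winsvc-l1-1-0.dll: RegisterServiceCtrlHandlerW, ControlService, QueryServiceStatus
api-ms-win-core-debug-l1-1-0.dll: DebugBreak, OutputDebugStringW, IsDebuggerPresent
CRYPT32.dll: CertGetCertificateChain, CertFreeCertificateContext, CertFreeCertificateChain, CertVerifyCertificateChainPolicy, CryptStringToBinaryW
api-ms-win-service-management-l1-1-0.dll: CreateServiceW, OpenServiceW, DeleteService, OpenSCManagerW, CloseServiceHandle
WINHTTP.dll: WinHttpReadData, WinHttpSetTimeouts, WinHttpOpenRequest, WinHttpQueryHeaders, WinHttpAddRequestHeaders, WinHttpCloseHandle, WinHttpSendRequest, WinHttpQueryDataAvailable, WinHttpOpen, WinHttpQueryOption, WinHttpReceiveResponse, WinHttpConnect
CRYPTSP.dll: CryptHashData, CryptGetHashParam, CryptDestroyHash, CryptReleaseContext, CryptCreateHash, CryptAcquireContextW
WTSAPI32.dll: WTSEnumerateProcessesW, WTSFreeMemory
WINTRUST.dll: WTHelperProvDataFromStateData, WinVerifyTrust, WTHelperGetProvSignerFromChain
WININET.dll: InternetOpenUrlW, InternetOpenW, HttpQueryInfoW, InternetReadFile, InternetCloseHandle
api-ms-win-core-string-obsolete-l1-1-0.dlllstrcmpiW
ext-ms-win-setupapi-classinstallers-l1-1-2.dllSetupIterateCabinetW
"""


if __name__ == "__main__":
    imports = parse_import_lines(IMPORT_TABLE_EXCERPT.splitlines())
    caps = capabilities(imports)
    for cap, funcs in caps.items():
        print(f"{cap:24s} {', '.join(funcs)}")
    # The report observed no network traffic and no executed functions, so nothing was exercised.
    print("not exercised at runtime:", static_but_not_observed(caps, observed=set()))
```

The gap between the static capability list and the empty observed set is the argument for a longer run or the "Execute binary with arguments" cookbook the Analysis Advice recommends, and for checking the signature before reading the service-management and HTTP imports as hostile.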
      No network behavior found
      Process usage plots (time axis 0-100 s; scales 0-100 and 0-1.5 MB): all data are 0.

      Target ID:0
      Start time:00:18:37
      Start date:28/02/2024
      Path:C:\Users\user\Desktop\sedsvc.exe
      Wow64 process (32bit):false
      Commandline:"C:\Users\user\Desktop\sedsvc.exe" -install
      Imagebase:0x7ff68c4e0000
      File size:350'208 bytes
      MD5 hash:487DC200F8F44FEADEFC09A1A078A15D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low
      Has exited:false

      Target ID:1
      Start time:00:18:39
      Start date:28/02/2024
      Path:C:\Users\user\Desktop\sedsvc.exe
      Wow64 process (32bit):false
      Commandline:"C:\Users\user\Desktop\sedsvc.exe" /install
      Imagebase:0x7ff68c4e0000
      File size:350'208 bytes
      MD5 hash:487DC200F8F44FEADEFC09A1A078A15D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low
      Has exited:false

      Target ID:2
      Start time:00:18:41
      Start date:28/02/2024
      Path:C:\Users\user\Desktop\sedsvc.exe
      Wow64 process (32bit):false
      Commandline:"C:\Users\user\Desktop\sedsvc.exe" /load
      Imagebase:0x7ff68c4e0000
      File size:350'208 bytes
      MD5 hash:487DC200F8F44FEADEFC09A1A078A15D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low
      Has exited:false

      Non-executed Functions

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: Free$Task$FileLibraryLocalMemoryProcessTime$AddressCloseCurrentEnumerateErrorEventHandleInfoInitializeLastLoadModuleNamePathProcProcessesRemoveSleepSpecUninitializelstrcmpi
      • String ID: Current bytes %lli exceeds maximum$Current memory bytes %lli$ExecuteEventDrivenRemediations$ExecuteLegacyRemediations$ExecuteModel$Failed to delete iteration counts$Failed to update the plugins payload$Result of ExecuteEventDrivenRemediations: HR = 0x%08x$Result of ExecuteLegacyRemediations: HR = 0x%08x$Result of initializing onesettings: HR = 0x%08x$Sediment pack service is stopping - exiting shell iteration loop$The number of elapsed minutes %d has exceeded the delayIntervalMinutes$Waited specified delay of %d minutes$reminthndlers.dll$sedlauncher.exe
      • API String ID: 3167106207-725419920
      • Opcode ID: 914e40dda2eded3fb5179be4c3762941c5c6ae44bf2e7262818329da87e78902
      • Instruction ID: e81e7038d08273e4d67d8f4b8975ef26347c0ea069ef0a67ae7a18a8b9e48046
      • Opcode Fuzzy Hash: 914e40dda2eded3fb5179be4c3762941c5c6ae44bf2e7262818329da87e78902
      • Instruction Fuzzy Hash: 0B226E32A18A82D5EB20DF35D8502FD23A1FF94798F510139EA4EC7AA9DF78E595C301
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: Task$AllocFree$Realloc$InfoValue$ConvertDefaultDeviceFamilyLocaleNameProductStringUser
      • String ID: %M.%m.%ls$%lu$%u.%u.%u.%u$BuildLabEx$MachineId$SOFTWARE\Microsoft\SQMClient$SOFTWARE\Microsoft\Windows NT\CurrentVersion
      • API String ID: 1686732819-2247347302
      • Opcode ID: 303c0716fd668fd1b6b1482a54cff39602e1793885d8660345663e8bd1d7a425
      • Instruction ID: 0cd93f241b1f5bd3240bcf813488f472d99bd23e3ccb1d0bbe4b851fc5ad2183
      • Opcode Fuzzy Hash: 303c0716fd668fd1b6b1482a54cff39602e1793885d8660345663e8bd1d7a425
      • Instruction Fuzzy Hash: 99C19E32A19B42C6EB10DF61E4502AA73A1FF85B98F404139DE8E83798EF7DE595C740
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: ErrorLast$Mutex$CloseHandleRelease$FreeHeapObjectProcessSingleWait$CreateCurrentTask_o__invalid_parameter_noinfo_noreturn
      • String ID: Local\SM0:%d:%d:%hs$wil$x
      • API String ID: 679831377-630742106
      • Opcode ID: a47e420c05a303a074e2eb56c6db94a8a80ed8a915478781965cde63109cac7c
      • Instruction ID: d0b5e35a06c011603abb27d89500ec0096f008e928ffbfe5633b580efd99cb79
      • Opcode Fuzzy Hash: a47e420c05a303a074e2eb56c6db94a8a80ed8a915478781965cde63109cac7c
      • Instruction Fuzzy Hash: FDC1D321A08A42C6FB24DF62E84437A67A0FF84BA8F158139DA5EC77D5DE7CE495C301
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: File$Heap$Attributes$FreeProcess$DeleteErrorLast$ModuleMoveNamePathRemoveSpec
      • String ID: %s\%s.%03d.etl$Logs$ServiceRemediation
      • API String ID: 3141124059-1307619318
      • Opcode ID: bbafc91281fd934a9f037581e5c3606ae84510d77d565afd11c3dd2d37b55b8c
      • Instruction ID: 7512e8e88a6c364c5ee84f17e63e5df224c673dcdd38927cbecc242912617859
      • Opcode Fuzzy Hash: bbafc91281fd934a9f037581e5c3606ae84510d77d565afd11c3dd2d37b55b8c
      • Instruction Fuzzy Hash: 06A16E32A18A42C2FB54EB65E8801BA67A0FF947A8F45053DEA4EC76D5DF7CE485C301
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: Time$CloseFileOpenSystemValue
      • String ID: OneSettings GetCloudSettings failed$OneSettings IsTimeToRequery failed$OneSettings OpenWebRequest failed$OneSettings UpdateNextRefreshTime failed$OneSettings requery is TRUE$RefreshAfter$Software\Microsoft\OneSettings\Offline
      • API String ID: 3834218317-1517252912
      • Opcode ID: 424d980c6470a6a2f9324161f82c22f53e8fd0ddb77e9792fcf0bfcd717f4305
      • Instruction ID: 1ed33be2eb75a2971a4431b790eab44eb9220faa3b373593abb4c2b9bb2d96cb
      • Opcode Fuzzy Hash: 424d980c6470a6a2f9324161f82c22f53e8fd0ddb77e9792fcf0bfcd717f4305
      • Instruction Fuzzy Hash: 92518E72A09A42CAFB24DB35A4403B926A1FF487ACF510039DE4EC7695EF7CE485C301
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • CoInitializeEx.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF68C4E757E
      • GetVersionExW.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF68C4E760E
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF68C4E7618
      • CoUninitialize.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF68C4E76DC
        • Part of subcall function 00007FF68C4E9770: GetModuleFileNameW.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FF68C4E97F6
        • Part of subcall function 00007FF68C4E9770: PathRemoveFileSpecW.API-MS-WIN-CORE-SHLWAPI-LEGACY-L1-1-0 ref: 00007FF68C4E9804
        • Part of subcall function 00007FF68C4E9770: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF68C4E980E
        • Part of subcall function 00007FF68C4E9770: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF68C4E9A6B
        • Part of subcall function 00007FF68C4E9770: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF68C4E9A79
        • Part of subcall function 00007FF68C4E9770: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF68C4E9A9D
        • Part of subcall function 00007FF68C4E9770: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF68C4E9AAB
      • QueueUserWorkItem.API-MS-WIN-CORE-THREADPOOL-LEGACY-L1-1-0 ref: 00007FF68C4E7683
        • Part of subcall function 00007FF68C4E8198: ControlTraceW.API-MS-WIN-EVENTING-CONTROLLER-L1-1-0(?,?,?,00007FF68C4E96EC), ref: 00007FF68C4E81B9
      • StartServiceCtrlDispatcherW.API-MS-WIN-SERVICE-CORE-L1-1-0 ref: 00007FF68C4E76CF
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: Heap$ErrorFileFreeLastProcess$ControlCtrlDispatcherInitializeItemModuleNamePathQueueRemoveServiceSpecStartTraceUninitializeUserVersionWork
      • String ID: Failed to query for device build number$OS Version: %lu$OS Version: %lu therefore the service will not run$Press any key to exit console$Sediment service started
      • API String ID: 1530874975-1461717922
      • Opcode ID: 15ad75fb49450cf305eb60375cc05b18f6ef89f6f5b6d025d8f169c293c8d7cb
      • Instruction ID: c97d11b116629a033f29aedbd02790e712085518fcc3ab97f1911bf4bdad9a34
      • Opcode Fuzzy Hash: 15ad75fb49450cf305eb60375cc05b18f6ef89f6f5b6d025d8f169c293c8d7cb
      • Instruction Fuzzy Hash: 7541B132A1CA42C1EB20EB25E8512BA63A0BF44778F91413DEA5EC76E1DF7DE494C701
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: Service$CloseHandleOpenSleep$ControlDeleteManagerQueryStatus
      • String ID: Windows Remediation Service
      • API String ID: 3991318313-1189207328
      • Opcode ID: ef17ca3a1322b0c6579e44cf5e8d003d18a9981cb65f3b0501305ac56b59e60b
      • Instruction ID: d8d3cfb96fccf232ab4d980b2a003cfe7310e550023773917c5b69818c9e0355
      • Opcode Fuzzy Hash: ef17ca3a1322b0c6579e44cf5e8d003d18a9981cb65f3b0501305ac56b59e60b
      • Instruction Fuzzy Hash: DE212C31A08B42C2EF14DB25A55827A62E1FF45B98F45413CDA4EC7354DE3CE558CB42
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: Heap$CloseHandleProcess$AllocEventFreeUnregister
      • String ID: _p0$wil
      • API String ID: 3299832310-1814513734
      • Opcode ID: 0b7e3bc20fb964c096eaba48214b78bded9b8870fab1db7862ba3176a9de9605
      • Instruction ID: 3df1079ca61448f0a497b51f75804ef857bccbf1cb5926714c74537a1a08231f
      • Opcode Fuzzy Hash: 0b7e3bc20fb964c096eaba48214b78bded9b8870fab1db7862ba3176a9de9605
      • Instruction Fuzzy Hash: 0781C232A18B82C2EB21DF62D8103AA6761FF88B98F558039DE4D87B59DF7DD581C740
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: Heap$Trace$FreeProcess$AllocEnableLocalQueryStart
      • String ID: Microsoft.Windows.SedimentService
      • API String ID: 1150542188-1844961803
      • Opcode ID: 18c101b18a74933f1f0b72a7308e75d85afdc320de27b7fe1676cdeeafed3756
      • Instruction ID: 86890ec75cb2592e5548b6002d6aeb01328e00d43ae87280b577a9566d6083ee
      • Opcode Fuzzy Hash: 18c101b18a74933f1f0b72a7308e75d85afdc320de27b7fe1676cdeeafed3756
      • Instruction Fuzzy Hash: 98819A72E08A13C6EF14DF6994142B926A1BF54BA8F46013EDA0DDB791DF3DE880C781
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID:
      • String ID: %u.%u.%u.%u$2021.1B$SedimentPackSelfUpdater
      • API String ID: 0-4275566865
      • Opcode ID: d7043883830c66e661f9bc847f53e8b113e379eb572e6272626b580d49ddb877
      • Instruction ID: b0705efa134bb52849f7970fde835924916d59a637512b1973f6d4c874392441
      • Opcode Fuzzy Hash: d7043883830c66e661f9bc847f53e8b113e379eb572e6272626b580d49ddb877
      • Instruction Fuzzy Hash: E5E14F72A18B85CAEB10DF65E8403EE77A0FB8475CF504139DA4D87A98DF78E598CB40
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: CloseCreateFileHandle$Mapping
      • String ID: onecore\enduser\upgradeenablers\shellhelpers\filehelper.cpp
      • API String ID: 105643748-3027416378
      • Opcode ID: d9858fcd0b420db2c6b982d93192a62e0e1473cc31c551d75fe83d85b982b5d1
      • Instruction ID: fc3591612f5fa988262a619b10cb209b0c353425612edc07a23cd440243e9854
      • Opcode Fuzzy Hash: d9858fcd0b420db2c6b982d93192a62e0e1473cc31c551d75fe83d85b982b5d1
      • Instruction Fuzzy Hash: 41518331A18A52C6FB64CB22E44466937A1FFC4BA8F609239DA5DC3A94DF7CE485C740
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(LastErrorStateType,?,?,00007FF68C4EA814), ref: 00007FF68C4EA8B0
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF68C4EA8BE
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(LastErrorStateType,?,?,00007FF68C4EA814), ref: 00007FF68C4EA90F
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF68C4EA91E
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(LastErrorStateType,?,?,00007FF68C4EA814), ref: 00007FF68C4EA94E
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF68C4EA95C
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(LastErrorStateType,?,?,00007FF68C4EA814), ref: 00007FF68C4EA987
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF68C4EA995
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: Heap$Process$Free$Alloc
      • String ID: LastErrorStateType
      • API String ID: 3689955550-725397316
      • Opcode ID: ad64f3b48f160c8345900209b98ab52c49edce4105fe6ead511e3debb1b8b3ad
      • Instruction ID: 775d98f4d4456bc5c28ec811dc8f51ce698c477479bf27e764ce7694b6435783
      • Opcode Fuzzy Hash: ad64f3b48f160c8345900209b98ab52c49edce4105fe6ead511e3debb1b8b3ad
      • Instruction Fuzzy Hash: 5941B221E08746C6EA19DF52A50013AAA91BF84BE8F4AC43CDE5E97751DF7CE482C301
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: Heap$Process$Free$Alloc
      • String ID:
      • API String ID: 3689955550-0
      • Opcode ID: 1dfaf6c2bcd0d01ffb60cce51b5c8c0af71411c334954032bd105b98d5a7ad80
      • Instruction ID: 1c5605d58b72ed30030f6f8e4caf25ba5aed57199f3c3d127b7c6e468cbe72ca
      • Opcode Fuzzy Hash: 1dfaf6c2bcd0d01ffb60cce51b5c8c0af71411c334954032bd105b98d5a7ad80
      • Instruction Fuzzy Hash: 9661A321E08657C6FE25EB69580417E66817F84BA8F86053CDD4EE7B92EE3CE981C341
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: Service$CloseHandle$CreateFileManagerModuleNameOpen
      • String ID: Remediates Windows Update Components$Windows Remediation Service
      • API String ID: 3731051440-1681887908
      • Opcode ID: 9ff9eee1acd8500b431e73e19a45ca9dd24007d3a516e329b2f1319c3483e0c4
      • Instruction ID: fcfb967170a371d81607bab979bb8a5041a462e0a02a310ad2e7bb8023d5b0d7
      • Opcode Fuzzy Hash: 9ff9eee1acd8500b431e73e19a45ca9dd24007d3a516e329b2f1319c3483e0c4
      • Instruction Fuzzy Hash: D0218E32618B85C6EB60CF25E4483AAA3A0FF88798F400139DA8DCAA54DF7CD058CB01
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 00007FF68C4E8D28: memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C4E8D85
        • Part of subcall function 00007FF68C4F0244: _o_wcstoul.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF68C4F451B), ref: 00007FF68C4F0286
        • Part of subcall function 00007FF68C4E9F08: _o__invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF68C4EBBE9), ref: 00007FF68C4E9F75
        • Part of subcall function 00007FF68C4E9F08: GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF68C4E9FB2
        • Part of subcall function 00007FF68C4E9F08: CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF68C4E9FEE
        • Part of subcall function 00007FF68C4E9F08: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF68C4EA014
        • Part of subcall function 00007FF68C4E9F08: WaitForSingleObjectEx.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF68C4EA030
        • Part of subcall function 00007FF68C4E9F08: ReleaseMutex.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF68C4EA0E2
        • Part of subcall function 00007FF68C4E9F08: WaitForSingleObjectEx.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF68C4EA1B0
        • Part of subcall function 00007FF68C4E9F08: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF68C4EA1F0
        • Part of subcall function 00007FF68C4E9F08: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF68C4EA1FB
        • Part of subcall function 00007FF68C4E9F08: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF68C4EA210
        • Part of subcall function 00007FF68C4E9F08: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF68C4EA224
        • Part of subcall function 00007FF68C4E9F08: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF68C4EA22F
        • Part of subcall function 00007FF68C4E9F08: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF68C4EA244
        • Part of subcall function 00007FF68C4E9F08: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF68C4EA254
        • Part of subcall function 00007FF68C4E9F08: ReleaseMutex.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF68C4EA25F
        • Part of subcall function 00007FF68C4E9F08: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF68C4EA274
        • Part of subcall function 00007FF68C4E9F08: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF68C4EA2AA
        • Part of subcall function 00007FF68C4E9F08: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF68C4EA2B8
        • Part of subcall function 00007FF68C4E9F08: ReleaseMutex.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF68C4EA2CD
        • Part of subcall function 00007FF68C4E9F08: CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF68C4EA339
      • _o_wcstoul.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C4F5781
      • _o_wcstoul.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C4F584E
      • _o_wcstoul.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C4F5AB9
      • _o_wcstoul.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C4F58BE
        • Part of subcall function 00007FF68C4F27B4: memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C4F27FB
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: ErrorLast$_o_wcstoul$Mutex$CloseHandleRelease$FreeHeapObjectProcessSingleWaitmemmove$CreateCurrentTask_o__invalid_parameter_noinfo_noreturn
      • String ID:
      • API String ID: 662595900-0
      • Opcode ID: 22991291c0097a7f827072eb61c29b6d5864f95c8b8053a001d8057fd53e5299
      • Instruction ID: 5210ecbf972e191caf7e0d5be9c31cfea3b33f842bfc51be9e5c2d3220b8b6bc
      • Opcode Fuzzy Hash: 22991291c0097a7f827072eb61c29b6d5864f95c8b8053a001d8057fd53e5299
      • Instruction Fuzzy Hash: 1BE25D62A156C2D8DB20EF35E9512EE2361FF84B9CF44513ADE0D8B69ADF78D684C700
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000009,?), ref: 00007FF68C4EEBFA
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000009,?), ref: 00007FF68C4EEC22
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000009,?), ref: 00007FF68C4EEF67
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: Heap$AllocFreeProcess
      • String ID: Service Pack %d
      • API String ID: 2113670309-3891547089
      • Opcode ID: aa6d6e23a089af83bb64dfdf134d1bab1996a814c1022d1acb4215d00965b5b5
      • Instruction ID: 447925ab5f2509c23c1792e97ad84b3c75890430257a05ac6fb4669f16789991
      • Opcode Fuzzy Hash: aa6d6e23a089af83bb64dfdf134d1bab1996a814c1022d1acb4215d00965b5b5
      • Instruction Fuzzy Hash: 69A1AC22B28A56C6FB25CF7994042BD22A1BF08B9CF564039DE0D97B98EE3CE455C350
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 00007FF68C4F37B0: WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF68C4F381E
        • Part of subcall function 00007FF68C4F37B0: RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF68C4F3858
        • Part of subcall function 00007FF68C4F37B0: CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF68C4F39E0
      • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF68C4F0858
      • RegGetValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF68C4F08EC
        • Part of subcall function 00007FF68C4E8454: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF68C4E6369), ref: 00007FF68C4E8634
        • Part of subcall function 00007FF68C4E8454: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF68C4E6369), ref: 00007FF68C4E8643
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: FreeHeap$ActivationCreateErrorFactoryLastProcessReferenceStringTaskValueWindows
      • String ID: %ls/%ls/%ls?os=Windows$&%s$&appVer=%s$&deviceClass=%s$&deviceId=s:%s$&locale=%s$&namespaces=%s$&osVer=%s$&sampleId=s:%s$&sku=%s$NamespaceExtension$Query length %d exceeds the limit 2048$settings/v2.0
      • API String ID: 2441909290-1478754457
      • Opcode ID: a49e7f9794fb0eb952087ae9dcbf30057e02ee765daf61d6217ecac2ae6c86ff
      • Instruction ID: f487f4803b783c26fd0a0de8b9a86e0cdd4659b98ff00422df9bbaa676e8cad9
      • Opcode Fuzzy Hash: a49e7f9794fb0eb952087ae9dcbf30057e02ee765daf61d6217ecac2ae6c86ff
      • Instruction Fuzzy Hash: 7DB1F136618B46D6DB50CF51F44059AB7A4FF887A8F40013AEA8D83B69DFBCD199CB40
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: CurrentFormatMessageThread
      • String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%d)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
      • API String ID: 2411632146-2849347638
      • Opcode ID: ceeac4bea000fc24439abde30a4adfd1f6610074b308aa6b86aad764a84a4267
      • Instruction ID: a864f2930f36c15e87eb1b8e7e8ae1d086e09b932cd5586336138033b4770af6
      • Opcode Fuzzy Hash: ceeac4bea000fc24439abde30a4adfd1f6610074b308aa6b86aad764a84a4267
      • Instruction Fuzzy Hash: E5616B65A09682C1EB65DF62A4145B963A0FF44BACF82413EEE4DD7758CF3CE491C701
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • RegGetValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF68C4F0B57
      • RegGetValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF68C4F0BEC
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF68C4F0C3D
        • Part of subcall function 00007FF68C4E823C: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF68C4E6369), ref: 00007FF68C4E841C
        • Part of subcall function 00007FF68C4E823C: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF68C4E6369), ref: 00007FF68C4E842B
        • Part of subcall function 00007FF68C4E8454: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF68C4E6369), ref: 00007FF68C4E8634
        • Part of subcall function 00007FF68C4E8454: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF68C4E6369), ref: 00007FF68C4E8643
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF68C4F0CAA
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF68C4F0CF0
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF68C4F0D3E
      • CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF68C4F0E7A
      • CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF68C4F0E85
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: ErrorFreeHeapLast$ProcessTaskValue
      • String ID: %hs$ETag$ETag not modified$Failed to add E-Tag header to request$Failed to get E-Tag$Saving settings cache to registry
      • API String ID: 3708342247-612414988
      • Opcode ID: 428c89d11db32e64fc0b2650fabe119d4425f329c287d2823db08cc6cc2e4adf
      • Instruction ID: 42eded6b666863fa43298b6b60857788e48cb9ed9ee7f39d7d8d59d6e3bd6fee
      • Opcode Fuzzy Hash: 428c89d11db32e64fc0b2650fabe119d4425f329c287d2823db08cc6cc2e4adf
      • Instruction Fuzzy Hash: 91B16331B18B42CAEB149B65E49027AA7E4FF85798F40013DDA8DC7A96DFBCE495C700
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: DescriptorErrorLastMutexSecurity$CloseConvertCreateFreeHandleLocalObjectReleaseSingleStringWait
      • String ID: D:PAI(A;OICI;FA;;;WD)$Failed to get a proper GlobalEventCounter for telemetry, using 0$GlobalEventCounter$Global\Microsoft.Windows.Remediation.TelemetryPlugin
      • API String ID: 2513684880-4028894632
      • Opcode ID: 80483afcd8b2c4c028e93322067a70fccab529dc40bbf076be28f6505d28e98c
      • Instruction ID: c0fef17aede92f19a8d72bc07444f5ebfedf61309665002ba3a17749587c313d
      • Opcode Fuzzy Hash: 80483afcd8b2c4c028e93322067a70fccab529dc40bbf076be28f6505d28e98c
      • Instruction Fuzzy Hash: 55514B22F08A22C6FB51DB6598507B92691BF44BB8F56013DED0ED7685EF2CE881C381
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,00007FF68C4E6369), ref: 00007FF68C4F2061
      • WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,00007FF68C4E6369), ref: 00007FF68C4F2163
      • WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,00007FF68C4E6369), ref: 00007FF68C4F21B2
      • WindowsGetStringRawBuffer.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,00007FF68C4E6369), ref: 00007FF68C4F21E0
      • WindowsGetStringRawBuffer.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,00007FF68C4E6369), ref: 00007FF68C4F21EF
      • RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,00007FF68C4E6369), ref: 00007FF68C4F2223
      • WindowsGetStringRawBuffer.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,00007FF68C4E6369), ref: 00007FF68C4F2235
      • WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,00007FF68C4E6369), ref: 00007FF68C4F2277
      • WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,00007FF68C4E6369), ref: 00007FF68C4F22A0
      • WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,00007FF68C4E6369), ref: 00007FF68C4F22DC
      • WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,00007FF68C4E6369), ref: 00007FF68C4F2305
      • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,00007FF68C4E6369), ref: 00007FF68C4F2332
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: StringWindows$Delete$Buffer$CloseOpenValue
      • String ID: Failed to write %s to cache.
      • API String ID: 1064155711-1154383526
      • Opcode ID: 38c87a0d30c617fbf628d60c24fbdb4c239c72fc1795e7db03b6a3b4e925a255
      • Instruction ID: 1d42dc2fd4b0dbd62699874103a51c50d52d1c479eb5dbb1ea0d9a3450c58b44
      • Opcode Fuzzy Hash: 38c87a0d30c617fbf628d60c24fbdb4c239c72fc1795e7db03b6a3b4e925a255
      • Instruction Fuzzy Hash: 0CB10736A14B56CAEF149F7AE8901AD27A0FF84B98B15113ADE0ED3B64DF38D491D301
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 00007FF68C4EE90C: CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(?,?,00000001,00007FF68C4F5E93), ref: 00007FF68C4EE92E
        • Part of subcall function 00007FF68C4EE90C: CoTaskMemAlloc.API-MS-WIN-CORE-COM-L1-1-0(?,?,00000001,00007FF68C4F5E93), ref: 00007FF68C4EE95D
        • Part of subcall function 00007FF68C4EE90C: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000001,00007FF68C4F5E93), ref: 00007FF68C4EE96E
        • Part of subcall function 00007FF68C4F1784: RegGetValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF68C4F17FB
        • Part of subcall function 00007FF68C4F1784: CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF68C4F1819
        • Part of subcall function 00007FF68C4F1784: CoTaskMemAlloc.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF68C4F183A
        • Part of subcall function 00007FF68C4F1784: GetProductInfo.API-MS-WIN-CORE-SYSINFO-L1-2-0 ref: 00007FF68C4F18CF
        • Part of subcall function 00007FF68C4F1784: CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF68C4F18E3
        • Part of subcall function 00007FF68C4F1784: CoTaskMemAlloc.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF68C4F18F0
      • RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF68C4F5F5B
      • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF68C4F5F7D
      • RegGetValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF68C4F5FE4
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: Task$AllocFree$Value$CloseCreateErrorInfoLastProduct
      • String ID: ?$Endpoint$Onesettings ForceResetQueryState() method failed$Onesettings Query() method failed$RemediationShell$Software\Microsoft\Windows\CurrentVersion\rempl\settings$UpgradeRemediation$WSD$onecore\enduser\upgradeenablers\shellhelpers\onesettingsswitches.cpp$settings-win.data.microsoft.com
      • API String ID: 3534710194-1093218707
      • Opcode ID: fb4f48e8e31c59d686d1bc995238caab0d7814db43ef8fb66b134933b8f8a179
      • Instruction ID: 41b823580128e3711fe7c1612e1fdf54c04dc583fd72a280d82cd34d59d48928
      • Opcode Fuzzy Hash: fb4f48e8e31c59d686d1bc995238caab0d7814db43ef8fb66b134933b8f8a179
      • Instruction Fuzzy Hash: CD71AF71A18B42CAEB20DB25E4402BA63A1FF80798F90513DDA4DC7695DFBCE485C701
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF68C4F1C52
      • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF68C4F1CC4
      • RegEnumValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF68C4F1E0E
      • RegQueryInfoKeyW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF68C4F1D57
        • Part of subcall function 00007FF68C4E8D28: memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C4E8D85
        • Part of subcall function 00007FF68C4E8C8C: memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(00007FF68C4E6369), ref: 00007FF68C4E8CE6
        • Part of subcall function 00007FF68C4E823C: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF68C4E6369), ref: 00007FF68C4E841C
        • Part of subcall function 00007FF68C4E823C: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF68C4E6369), ref: 00007FF68C4E842B
      • CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF68C4F1FE3
        • Part of subcall function 00007FF68C4F27B4: memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C4F27FB
        • Part of subcall function 00007FF68C4E8454: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF68C4E6369), ref: 00007FF68C4E8634
        • Part of subcall function 00007FF68C4E8454: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF68C4E6369), ref: 00007FF68C4E8643
      • std::_Xinvalid_argument.LIBCPMT ref: 00007FF68C4F200E
        • Part of subcall function 00007FF68C4EDDC8: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00007FF68C4EDDD4
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: Heap$Freememmove$Process$CloseEnumInfoOpenQueryTaskValueXinvalid_argumentstd::_std::invalid_argument::invalid_argument
      • String ID: Failed to enumerate key $Failed to examine key $Failed to open settings key $OneSettings: %s failed to read value$OneSettings: %s value: %s$list<T> too long
      • API String ID: 1982267036-949190775
      • Opcode ID: 0608fda492fb3a56271d5aa2ab25f03582b86bbeee4390e9658a6d3e53a4b1e6
      • Instruction ID: 36c8dd1591e6242f9445bfe35d6dd967300057f45dcdb52526f0923a60dd18d6
      • Opcode Fuzzy Hash: 0608fda492fb3a56271d5aa2ab25f03582b86bbeee4390e9658a6d3e53a4b1e6
      • Instruction Fuzzy Hash: EBC16F32B18B52D9EB10DBA5E8505ED23B1FF4475CF81003ADA4E97A99DFB8D585C340
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: StringWindows$TaskValue$DeleteFree$AllocBufferCloseCreateOpenReference_o__wcsupr_s
      • String ID:
      • API String ID: 329190495-0
      • Opcode ID: 2003807ea6e39c52df5eda72759d608bb0acf89d39253b1fc625a5fed1b4b9a5
      • Instruction ID: ac964dc0c9555f29c0a9a5b28a2c47ae90ca214659947592376cec2c1049b3fb
      • Opcode Fuzzy Hash: 2003807ea6e39c52df5eda72759d608bb0acf89d39253b1fc625a5fed1b4b9a5
      • Instruction Fuzzy Hash: C391B132618A42C6EB20DF29E85467A63A1FF88BA8F510139DE4EC7795DF3DE485C700
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: CloseErrorHandleLastOpenSemaphore
      • String ID: LastErrorStateType$_p0$wil
      • API String ID: 3419097560-818451118
      • Opcode ID: a306a98b69744c223a6d70e418b06ebf13f25367b2eb3901882dd0e547cc6a13
      • Instruction ID: 5aafee838233f7c49c490c0b7161a00857f582caf22017bbe2ba58a95425a44e
      • Opcode Fuzzy Hash: a306a98b69744c223a6d70e418b06ebf13f25367b2eb3901882dd0e547cc6a13
      • Instruction Fuzzy Hash: 5261A425A08682C5FB20DBA298542FA13A1FF88BACF554139DD4DD7B89DE3CD585C341
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • _o__wcsicmp.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C4EC04C
      • _o__wcsicmp.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C4EC06F
        • Part of subcall function 00007FF68C4EBE10: GetModuleFileNameW.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FF68C4EBE3C
        • Part of subcall function 00007FF68C4EBE10: OpenSCManagerW.API-MS-WIN-SERVICE-MANAGEMENT-L1-1-0 ref: 00007FF68C4EBE56
        • Part of subcall function 00007FF68C4EBE10: CreateServiceW.API-MS-WIN-SERVICE-MANAGEMENT-L1-1-0 ref: 00007FF68C4EBEB5
        • Part of subcall function 00007FF68C4EBE10: CloseServiceHandle.API-MS-WIN-SERVICE-MANAGEMENT-L1-1-0 ref: 00007FF68C4EBEC1
        • Part of subcall function 00007FF68C4EBE10: CloseServiceHandle.API-MS-WIN-SERVICE-MANAGEMENT-L1-1-0 ref: 00007FF68C4EBECF
      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF68C4EC118
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: CloseHandleService$_o__wcsicmp$CreateFileManagerModuleNameOpen
      • String ID: Completed %d second delay$Sediment service stopped$Started %d second delay$console$install$uninstall
      • API String ID: 2532394524-3549479290
      • Opcode ID: f9a68eff8726e9f9ee108fba85aa3b26e67473b2d4056b982c2af7b2fe1bf5f3
      • Instruction ID: b187db28830fbdc31a3381009d1b3c1d2ab614f30ec2e7b833c5084dec502095
      • Opcode Fuzzy Hash: f9a68eff8726e9f9ee108fba85aa3b26e67473b2d4056b982c2af7b2fe1bf5f3
      • Instruction Fuzzy Hash: 7741A021E08542C1EF20EB25E8513BA6361FF8576CF91553ED60EC76D6EE2CE894C702
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: FreeTask
      • String ID:
      • API String ID: 734271698-0
      • Opcode ID: e13889946fc3c9d5cedef9860758cfdeca63cd39a6007f42c0e3c3b173a755b1
      • Instruction ID: 9f7c9405c1a1aa19875e653ae7dd26e19af1e6a432dd936e9b6877f08220369e
      • Opcode Fuzzy Hash: e13889946fc3c9d5cedef9860758cfdeca63cd39a6007f42c0e3c3b173a755b1
      • Instruction Fuzzy Hash: 60218826614E81C6EB109F32D86466A2330FF86FDEF001135DA5ED7278CF28D859D346
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 00007FF68C4E866C: InitOnceBeginInitialize.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF68C4E86A1
        • Part of subcall function 00007FF68C4E866C: EventRegister.API-MS-WIN-EVENTING-PROVIDER-L1-1-0 ref: 00007FF68C4E873C
        • Part of subcall function 00007FF68C4E866C: EventSetInformation.API-MS-WIN-EVENTING-PROVIDER-L1-1-0 ref: 00007FF68C4E8755
        • Part of subcall function 00007FF68C4E866C: InitOnceComplete.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF68C4E8789
      • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FF68C4E6BEF
      • Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF68C4E6C1B
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF68C4E6C36
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF68C4E6C3E
        • Part of subcall function 00007FF68C4E7DC0: ConvertStringSecurityDescriptorToSecurityDescriptorW.API-MS-WIN-SECURITY-SDDL-L1-1-0 ref: 00007FF68C4E7DEF
        • Part of subcall function 00007FF68C4E7DC0: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF68C4E7DF9
        • Part of subcall function 00007FF68C4E7DC0: ReleaseMutex.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF68C4E7F94
        • Part of subcall function 00007FF68C4E7DC0: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF68C4E7FB4
        • Part of subcall function 00007FF68C4E7DC0: LocalFree.API-MS-WIN-CORE-HEAP-OBSOLETE-L1-1-0 ref: 00007FF68C4E7FC3
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: ErrorLast$DescriptorEventInitOnceSecurity$AddressBeginCloseCompleteConvertFreeHandleInformationInitializeLocalMutexProcRegisterReleaseSleepString
      • String ID: 2021.1B$CheckShellTask$Failed to load DLL %s - HR = 0x%08x$FeatureUpdateService$Started VerifyTaskScheduler$sedplugins.dll
      • API String ID: 2518730595-452094061
      • Opcode ID: f25625b60e43f3c02b817675ef80b449351ed5fa3e03d888e3f849b749639076
      • Instruction ID: 3545dd0e22399a8eef1952600358ee1a5e895b23b29e68c651a3ca377ab0896d
      • Opcode Fuzzy Hash: f25625b60e43f3c02b817675ef80b449351ed5fa3e03d888e3f849b749639076
      • Instruction Fuzzy Hash: 0AC11932A08B85C9EB00DB60E4402AE7BA4FF44768F510639EA8D97B99DF3CE594C740
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF68C4F381E
      • RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF68C4F3858
      • CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF68C4F39E0
        • Part of subcall function 00007FF68C4F2D14: WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF68C4F2D67
      • WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF68C4F3912
      • WindowsGetStringRawBuffer.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF68C4F3957
      • CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF68C4F3985
      • WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF68C4F399A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: StringWindows$CreateDeleteFreeReferenceTask$ActivationBufferFactory
      • String ID: SedimentPack$Windows.Internal.Flighting.ClientAttributes$onecore\enduser\upgradeenablers\onesettings\ctachelper.cpp
      • API String ID: 2980356343-886806645
      • Opcode ID: 8eb872fbbcd9813ad3422d8733539e43a6f20751d5dec83141e62b3d7572b8f8
      • Instruction ID: df4cad9f2bf0e38bf4c91f9617c255909ba0249726bba736ebce6e3c0dc1ae2f
      • Opcode Fuzzy Hash: 8eb872fbbcd9813ad3422d8733539e43a6f20751d5dec83141e62b3d7572b8f8
      • Instruction Fuzzy Hash: 91710626B18A46CAEB04DFA2D4543AD23B1FF48B9CF04013ADE0E97B98DE78D559C341
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF68C4F426F
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF68C4F42AC
        • Part of subcall function 00007FF68C4E823C: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF68C4E6369), ref: 00007FF68C4E841C
        • Part of subcall function 00007FF68C4E823C: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF68C4E6369), ref: 00007FF68C4E842B
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF68C4F42E4
      • RegSetKeyValueW.API-MS-WIN-CORE-REGISTRY-L2-1-0 ref: 00007FF68C4F4365
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF68C4F4379
      • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF68C4F43EB
        • Part of subcall function 00007FF68C4E8D28: memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C4E8D85
        • Part of subcall function 00007FF68C4E8C8C: memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(00007FF68C4E6369), ref: 00007FF68C4E8CE6
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: ErrorLast$Heapmemmove$CloseCreateFreeProcessValue
      • String ID: Failed to create/open settings key$Failed to write %s$Software\Microsoft\Windows\CurrentVersion\rempl\settings$Wrote value Name: %s, Value: %s
      • API String ID: 1364826662-452366970
      • Opcode ID: af79fb009be9fb20622b2b532a21a7d2382cd2361fd39ca46b86612ba531a836
      • Instruction ID: ed67a68d268a092ae2e517d8bc08c05204e484c3020225f6acc41ac91df8c0d4
      • Opcode Fuzzy Hash: af79fb009be9fb20622b2b532a21a7d2382cd2361fd39ca46b86612ba531a836
      • Instruction Fuzzy Hash: 0E519D32718A02C9EB10DB25E8442A933A5FF447A8F55163EDA6DD7AD5DFB8E5A0C300
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: AddressProc$HandleModule
      • String ID: EtwEventEnabled$EtwEventRegister$EtwEventUnregister$EtwEventWrite$ntdll.dll
      • API String ID: 667068680-1838325978
      • Opcode ID: 4e54271eb20987a128d721857e5bc1d5f11322871981364a340b6142f2237162
      • Instruction ID: 3dee4d8cf0b1598c81874a7b4b3298398c84aa70f49ac6adaeb370f64fedd563
      • Opcode Fuzzy Hash: 4e54271eb20987a128d721857e5bc1d5f11322871981364a340b6142f2237162
      • Instruction Fuzzy Hash: 8A219361A69A43D2EF40CB19E89837923B4BF54758F04153ED40EC62A5DFBCE1A8C742
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: ByteCharMultiStringWide$_o__free_base_o__malloc_base$__strncnt
      • String ID:
      • API String ID: 361463383-0
      • Opcode ID: 5336c7bfba9a30b99d1a53fc61c7bbb63594c80cd5c4bea8c01d050848ec8892
      • Instruction ID: 6525057f8d7d27bc71b3f211af231d55955806690da9aab605686ec7cd55c3e1
      • Opcode Fuzzy Hash: 5336c7bfba9a30b99d1a53fc61c7bbb63594c80cd5c4bea8c01d050848ec8892
      • Instruction Fuzzy Hash: CC815C32A08B42C6EB60CF51A44436AA6A1FF44BACF154239EA5D87BD8DF7CE485C710
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: Heap$DirectorySystem$AllocAttributesFileFreeProcessQueryValue
      • String ID: \kernel32.dll$\ntdll.dll
      • API String ID: 4282327518-3476391467
      • Opcode ID: 3cc2b9183513f43354603930f9f1774a1c8e1ef892900304dd96aaff5a003be8
      • Instruction ID: cb8903999a959b7616edd41805a4397193337fb06433250305796b51715807e5
      • Opcode Fuzzy Hash: 3cc2b9183513f43354603930f9f1774a1c8e1ef892900304dd96aaff5a003be8
      • Instruction Fuzzy Hash: 6651C422A18A52C6EB10DF25E8442BA67A1FF89B98F554139EE4ED3794DF3CD485C700
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: Service$Status$CtrlErrorHandlerItemLastQueueRegisterUserWork
      • String ID: The sediment pack service continued$The sediment pack service is shutting down$The sediment pack service was paused
      • API String ID: 3544621512-2108920909
      • Opcode ID: f76ef5cf6c873c566ad32e7ba500899456fa1d615d9499893fa460b13b916823
      • Instruction ID: 79c05b832a9debff57e105c4e6b32352d92ae99baaaca3ce810672d57cae7397
      • Opcode Fuzzy Hash: f76ef5cf6c873c566ad32e7ba500899456fa1d615d9499893fa460b13b916823
      • Instruction Fuzzy Hash: 0951AD72919702C2EB54DF29E45506933A0FF49778F114339CA6E87698EE3CE195CB01
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 00007FF68C4F3B4C: GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FF68C4F3BAA
      • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FF68C4E68EA
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF68C4E68F5
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF68C4E68FD
        • Part of subcall function 00007FF68C4E8454: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF68C4E6369), ref: 00007FF68C4E8634
        • Part of subcall function 00007FF68C4E8454: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF68C4E6369), ref: 00007FF68C4E8643
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF68C4E6969
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF68C4E6971
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: ErrorLast$Heap$AddressFreeHandleModuleProcProcess
      • String ID: ExecuteShell$Failed to load DLL %s - HR = 0x%08x$Result of ExecuteShell: HR = 0x%08x$sedplugins.dll
      • API String ID: 196654814-4216478524
      • Opcode ID: 93a825fb997663486caa72b5605a7afa0308061bdfab371a3695f183ab8b0f66
      • Instruction ID: ff6d6e3a50c99ce1186eda3bf9b17425f8e2f865ec6595a5b1a19b9bd25bede6
      • Opcode Fuzzy Hash: 93a825fb997663486caa72b5605a7afa0308061bdfab371a3695f183ab8b0f66
      • Instruction Fuzzy Hash: 00318071A08742C2EF189B69A8903BA27E0FF44B58F45543ED54EC7652DF7CE498C342
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: ErrorLast$Task$AllocFree
      • String ID: %lu:%s
      • API String ID: 2427315114-4001591267
      • Opcode ID: 52c09b1fead3da113f43771839f39887a81fc1ed33f43b22e119534ae047bd36
      • Instruction ID: 5d03f314ef35c0aa3ab52f2552edb7885f5ad3dbfbd10f8b5ba37ee60259b1b5
      • Opcode Fuzzy Hash: 52c09b1fead3da113f43771839f39887a81fc1ed33f43b22e119534ae047bd36
      • Instruction Fuzzy Hash: 6D51E732B14B42CAEB149F55A85413A73A0BF88B98F45413DDE5EC7790DEBDE891D300
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: Value$CloseDeleteEnumInfoOpenQuerywcsstr
      • String ID: .IterationCount$Software\Microsoft\Windows\CurrentVersion\rempl\shell
      • API String ID: 3790489546-263388548
      • Opcode ID: b1bb7b38353c590a9c2456231acdddbbd646a95fe6e1f1c95ad80b254389352d
      • Instruction ID: f23715f73e39c300d39ea98bb35da60165edbbc4a641d879f9e6c9dc898b6c09
      • Opcode Fuzzy Hash: b1bb7b38353c590a9c2456231acdddbbd646a95fe6e1f1c95ad80b254389352d
      • Instruction Fuzzy Hash: 83419432618B52CAEB108F65E88026A77E4FF84B98F440139EA8DC3B58DF7CD455CB40
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetModuleFileNameW.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FF68C4F3D49
      • PathCchRemoveFileSpec.API-MS-WIN-CORE-PATH-L1-1-0 ref: 00007FF68C4F3D61
      • PathCchCombine.API-MS-WIN-CORE-PATH-L1-1-0 ref: 00007FF68C4F3DA6
      • PathFileExistsW.API-MS-WIN-CORE-SHLWAPI-LEGACY-L1-1-0 ref: 00007FF68C4F3DBE
        • Part of subcall function 00007FF68C4EA9BC: memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C4EAA0A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: FilePath$CombineExistsModuleNameRemoveSpecmemmove
      • String ID: Cound not find DLL: %s$Found existing DLL: %s$onecore\enduser\upgradeenablers\shellhelpers\servicehelpers.cpp$sedplugins.dll
      • API String ID: 757122187-3493335899
      • Opcode ID: 255148323b8c41f1096ab4272407410ebb889c3a5ce4420e05eb9af7b42825f3
      • Instruction ID: e7640c916ad93bedf9e20b18a1463041c24748cbc86d730f3f3dfdb52c07a08f
      • Opcode Fuzzy Hash: 255148323b8c41f1096ab4272407410ebb889c3a5ce4420e05eb9af7b42825f3
      • Instruction Fuzzy Hash: A831A221B18A42C2EF209B25E4953BA2361FF88B8CF80003ADA4DC7695DF7CE599C751
      Uniqueness

      Uniqueness Score: -1.00%
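
      The three function listings above describe one behaviour worth checking on a host where this binary is installed: sedsvc.exe takes its own path (GetModuleFileNameW), strips the file name (PathCchRemoveFileSpec), appends sedplugins.dll (PathCchCombine), tests for the file (PathFileExistsW), then resolves and calls ExecuteShell from that DLL (GetModuleHandleW / GetProcAddress, "Result of ExecuteShell: HR = 0x%08x"). Separately it creates and writes HKLM\Software\Microsoft\Windows\CurrentVersion\rempl\settings and enumerates ...\rempl\shell for .IterationCount values. A DLL loaded by bare name from the executable's own directory is only as trustworthy as that directory's ACL, so the check a practitioner wants is: is the plugin signed, can a low-privileged account write to the directory, and what has the service left in the registry? The following PowerShell is an added example written for this report; it is not code from Joe Sandbox or from sedsvc.exe. The install location C:\Program Files\rempl is an assumption (pass -ServicePath to override), and the service is matched by its image path rather than by a service name, because the report does not show the registered name.

```powershell
# Added example: audit the plugin-loading and registry behaviour shown in the listing.
# Not part of the Joe Sandbox report or of sedsvc.exe. Run from an elevated prompt.
param(
    # Assumed install location; the report only shows the sample on the desktop.
    [string]$ServicePath = 'C:\Program Files\rempl\sedsvc.exe'
)

$dir    = Split-Path -Parent $ServicePath
$plugin = Join-Path $dir 'sedplugins.dll'   # same result as PathCchCombine(dir, "sedplugins.dll")

# 1. Authenticode status of the executable and of the DLL it will load by name.
foreach ($f in @($ServicePath, $plugin)) {
    if (-not (Test-Path -LiteralPath $f)) { Write-Warning "missing: $f"; continue }
    $sig = Get-AuthenticodeSignature -FilePath $f
    '{0,-10} {1,-60} {2}' -f $sig.Status, $sig.SignerCertificate.Subject, $f
    if ($sig.Status -ne 'Valid') { Write-Warning "not validly signed: $f" }
}

# 2. Can a non-administrator plant sedplugins.dll next to the service binary?
#    An Allow ACE granting Write/Modify/FullControl to Users, Authenticated Users
#    or Everyone turns the side-by-side load into a DLL-planting primitive that
#    runs in the service's context. ACEs with generic rights show up here as raw
#    integers rather than enum names and still need a manual look.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
$lowPriv   = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
(Get-Acl -LiteralPath $dir).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPriv -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band $writeMask) -ne 0
    } |
    ForEach-Object {
        Write-Warning ('{0} can write to {1} ({2})' -f $_.IdentityReference, $dir, $_.FileSystemRights)
    }

# 3. Registry state the service reads and writes (rempl\settings, rempl\shell).
foreach ($sub in 'settings', 'shell') {
    $key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\rempl\$sub"
    if (Test-Path -Path $key) {
        "--- $key"
        Get-ItemProperty -Path $key | Select-Object * -ExcludeProperty PS*
    } else {
        "--- $key (absent)"
    }
}

# 4. Is a service registered with this image, and under which account does it run?
#    The sandbox ran the sample with -install, /install and /load but saw no
#    service registered, so on a real host this tells you whether installation
#    actually happened.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -like '*sedsvc.exe*' } |
    Select-Object Name, DisplayName, State, StartMode, StartName, PathName
```

      The ACL test is the part that matters for privilege escalation: a valid Microsoft signature on the copy of sedplugins.dll that is present today says nothing about what a local user can drop there tomorrow if the directory is writable, and the loader path in the listing does not verify the DLL before calling into it.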

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: Heap$Process$AllocFree
      • String ID: %u!$CV not initialized$Error, CV not initialized
      • API String ID: 756756679-957609628
      • Opcode ID: 063422a73c7650f4f9f53e45bde2f6d12eea3afa28a443f55811dc715e768514
      • Instruction ID: ed4a42aeb7144ecbbb85e0a91358bd3b7c46442dda6bf935f70470c99839be12
      • Opcode Fuzzy Hash: 063422a73c7650f4f9f53e45bde2f6d12eea3afa28a443f55811dc715e768514
      • Instruction Fuzzy Hash: 8A41AF21A08792C5FE149B2AA8103796AA1BF45BA8F49453DDE4DC7BD6DF3CE491C302
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: ActivateFromInstanceString
      • String ID: onecore\enduser\upgradeenablers\shellhelpers\authorizationprovider.cpp${AE2D81FB-C9EB-44A6-806C-F543D3FABF6C}
      • API String ID: 1606659301-3521968013
      • Opcode ID: fd37d25690d0746625c0e83aea70a610661f8b0cd774a9e2259eae34b95303e8
      • Instruction ID: 03cd88f374c904be9d638a51a5f0bd892e4d61aa5d321079c8baa94d30caa889
      • Opcode Fuzzy Hash: fd37d25690d0746625c0e83aea70a610661f8b0cd774a9e2259eae34b95303e8
      • Instruction Fuzzy Hash: E5B12726B18F46CAEF018B66D4505A923A1FF85B9CB21403ADE0ED7B64EE7CE585C341
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: CreateReferenceStringWindows$ActivationFactorywcsstr
      • String ID: "settings":$Windows.Data.Json.JsonValue$settings
      • API String ID: 1336255922-3575698634
      • Opcode ID: 063d8ebee5797164d44268090d23d6566418490df1ec7e69bea6669441c20f95
      • Instruction ID: 9e57ce3537e7073e55178ef8d13be9c1f5683e4e749ecaad80003d9e86f09833
      • Opcode Fuzzy Hash: 063d8ebee5797164d44268090d23d6566418490df1ec7e69bea6669441c20f95
      • Instruction Fuzzy Hash: 3951C526B14B1AC9FB049BA6D8943AD27B0BF48B9CF54053ACE1E97BA4DF78D445C301
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • WindowsGetStringRawBuffer.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF68C4E6369), ref: 00007FF68C4F153B
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF68C4E6369), ref: 00007FF68C4F15F4
      • WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF68C4E6369), ref: 00007FF68C4F1633
        • Part of subcall function 00007FF68C4E8454: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF68C4E6369), ref: 00007FF68C4E8634
        • Part of subcall function 00007FF68C4E8454: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF68C4E6369), ref: 00007FF68C4E8643
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: HeapStringWindows$BufferDeleteErrorFreeLastProcess
      • String ID: Authorization: MsaToken $Failed to add MSA token header to request$Failed to get MSA ticket$Finish get MSA ticket
      • API String ID: 1765214452-2966896131
      • Opcode ID: 7229f2a04baa4291dc3e5b807b84c59b05dc4df86396938a0455e5edc34baccd
      • Instruction ID: 7c236bb11927eba85e147456c3a4aff682aa02a1a37b62efdc42c04595d7e4de
      • Opcode Fuzzy Hash: 7229f2a04baa4291dc3e5b807b84c59b05dc4df86396938a0455e5edc34baccd
      • Instruction Fuzzy Hash: FA418922B14A41CAFB00DB75D4502BC2361FF947A8F81113ADA1ED7A96EF78E594C340
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: Heap$CloseProcess$AllocFreeOpenQueryValue
      • String ID: GlobalEventCounter
      • API String ID: 3475947390-2753345921
      • Opcode ID: e5b96eca84271fd484549bd48261d5c633827428b22ec11d205438bd4e63f74d
      • Instruction ID: 0589cf0bf67a11a6bcefae3af01bec87e9bf5f9d86fe31c2b32403b1af966e81
      • Opcode Fuzzy Hash: e5b96eca84271fd484549bd48261d5c633827428b22ec11d205438bd4e63f74d
      • Instruction Fuzzy Hash: 0D41A222E18B56C6EB24EB9594403B96690BF94BA8F46413DDA0DC77D1DF7CE880C740
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: Heap$CloseProcess$AllocFreeOpenQueryValue
      • String ID: RacSampleNumber
      • API String ID: 3475947390-588672749
      • Opcode ID: 6dffd1ff820118758b5f9c903aed5c2164a11c8dd3fb42c2f32f29bcd20b8f52
      • Instruction ID: 5ffea5d34dd78f428c81c09d65550faed4eedb4837fe1743cea330936389d474
      • Opcode Fuzzy Hash: 6dffd1ff820118758b5f9c903aed5c2164a11c8dd3fb42c2f32f29bcd20b8f52
      • Instruction Fuzzy Hash: 7C31A626E18712CAEB259B55A40437A66D0FF44BA8F05413CD94DC7791DFBCE880C781
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: AttributesFile$CreateDirectoryErrorLastwcschr
      • String ID: LastErrorStateType
      • API String ID: 2805896270-725397316
      • Opcode ID: 3455f75b1fa3f9bec17efdccb75a9cd8233800e7aadb5f019ca476d0ef4f7ac3
      • Instruction ID: 0a3eb6dae97d46d36db5d6eaf499feab4126206b960c8ab02f8fe347a3ebada7
      • Opcode Fuzzy Hash: 3455f75b1fa3f9bec17efdccb75a9cd8233800e7aadb5f019ca476d0ef4f7ac3
      • Instruction Fuzzy Hash: 3D71C411B08783C6FB25DB2189482BA1691BF447ACF429539DA4ECBAD5EFBCE585C300
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: _o_fgetc
      • String ID:
      • API String ID: 141914273-0
      • Opcode ID: 2d02a84efc0d67ac0e6fc2318b1c9e2fb9f5c6a1ca5056668f13c56638cf7c86
      • Instruction ID: a0051d92bd922dcfe640e8aa75f852a7d1c603e37499f006868837fbb471e186
      • Opcode Fuzzy Hash: 2d02a84efc0d67ac0e6fc2318b1c9e2fb9f5c6a1ca5056668f13c56638cf7c86
      • Instruction Fuzzy Hash: 31814B72605A81D8EB60CF29C4803AC33A5FF48BACF55523AEA5D87B99DF39D594C310
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: CloseCreateErrorEventHandleLastmemmove
      • String ID: Sediment service stopped$Windows Remediation Service
      • API String ID: 2886152781-3083390802
      • Opcode ID: aa97056158c11ab4dcd8884d6e5639ea777617ed3238b6fe4983450219d93e39
      • Instruction ID: 8a55fca409c1f5d45363d556e1dff63424c0245a900c3d1eaae50aebba8f4b95
      • Opcode Fuzzy Hash: aa97056158c11ab4dcd8884d6e5639ea777617ed3238b6fe4983450219d93e39
      • Instruction Fuzzy Hash: 19416732914A42C6EB248F25E44436A7BA0FF14BBDF514638CA6D876E6DF7CE096C740
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 00007FF68C4F3D08: GetModuleFileNameW.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FF68C4F3D49
        • Part of subcall function 00007FF68C4F3D08: PathCchRemoveFileSpec.API-MS-WIN-CORE-PATH-L1-1-0 ref: 00007FF68C4F3D61
      • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FF68C4F3BAA
        • Part of subcall function 00007FF68C4E8454: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF68C4E6369), ref: 00007FF68C4E8634
        • Part of subcall function 00007FF68C4E8454: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF68C4E6369), ref: 00007FF68C4E8643
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: FileHeapModule$FreeHandleNamePathProcessRemoveSpec
      • String ID: Acquired handle: %p$Failed to load: %s$Failed to verify signature for %s$Found existing handle: %p
      • API String ID: 1776415593-4107192779
      • Opcode ID: 7ff9f7028f2f1e914d8a781dbe8f1be3159deb0b939c5d72eb04dc0ab5b96649
      • Instruction ID: 2677ab7fb9292dd7797c628a366946237164a797574093b256c93ccb44d9dc61
      • Opcode Fuzzy Hash: 7ff9f7028f2f1e914d8a781dbe8f1be3159deb0b939c5d72eb04dc0ab5b96649
      • Instruction Fuzzy Hash: B6313A22B28B42C8FB00DBA4D8610BC27B0FF58768F84153ADA5DD7A99DF78D194C710
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,00000000,00000000,?,00007FF68C4EFD13), ref: 00007FF68C4F10E2
      • RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF68C4F1138
      • RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF68C4F117A
      • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF68C4F1197
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: Time$CloseCreateFileSystemValue
      • String ID: ?$RefreshAfter
      • API String ID: 1298677607-2212148845
      • Opcode ID: 55aab33940adb303421acdaa6a002027746b1b46bf34105a0734d75a12d043e3
      • Instruction ID: ce14b78bff5fd07a76641f0bc827daf583b383b7521c6153ff23a8827c754767
      • Opcode Fuzzy Hash: 55aab33940adb303421acdaa6a002027746b1b46bf34105a0734d75a12d043e3
      • Instruction Fuzzy Hash: B9211D37615A12CBE7508F75D8806AA37E5FB8879CF051239EA4EC7A58DF38C490CB00
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00007FF68C4F604F), ref: 00007FF68C4F0334
      • RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00007FF68C4F604F), ref: 00007FF68C4F035C
      • RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00007FF68C4F604F), ref: 00007FF68C4F0387
      • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00007FF68C4F604F), ref: 00007FF68C4F03AC
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: DeleteValue$CloseOpen
      • String ID: ETag$RefreshAfter
      • API String ID: 1772201698-3248060460
      • Opcode ID: e05b68d0f760872b2218517d082bf1e6616ac1dcbbb14944bb06dace519d75d2
      • Instruction ID: e0675e50a57985452dd2889b2aa8f3389a1d3f93634bb3f97acf0774ecdd1c07
      • Opcode Fuzzy Hash: e05b68d0f760872b2218517d082bf1e6616ac1dcbbb14944bb06dace519d75d2
      • Instruction Fuzzy Hash: 95119120B14B13C6EB009B6AA8C027A23E4BF84B99F50023DDA8DC7571DF9DD496D311
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: _o_free$_o_setlocale
      • String ID:
      • API String ID: 381522372-0
      • Opcode ID: b83762863c9a2aabd940241e33dafb8c443f5cc720818561f742049357616791
      • Instruction ID: 39c946e6bbc3014d00bbecfca08b509992a83ffce73ee433fc74ba7f4f4d36e0
      • Opcode Fuzzy Hash: b83762863c9a2aabd940241e33dafb8c443f5cc720818561f742049357616791
      • Instruction Fuzzy Hash: 5911D666A06A05C1EF69CFA1C0A533923A1FF44F5CF191539C90E8E148CF2DD8E4C386
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: ErrorLast
      • String ID: GET$The following query string will be used: %s
      • API String ID: 1452528299-2374538757
      • Opcode ID: 936f81e96e700730e714d0e2265bbec67b7105d5abbd34393c8442838fddbbf5
      • Instruction ID: 26cfffed2fe0892c3cac0d66481a76a9a21c41538b064dd987265ce24dd24dc1
      • Opcode Fuzzy Hash: 936f81e96e700730e714d0e2265bbec67b7105d5abbd34393c8442838fddbbf5
      • Instruction Fuzzy Hash: 4841E631718B42C6FB589B66A5A13BA22D0BF88798F00003DDE8ED7A55DFBCD0A4C701
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: _o___pctype_func$_o____lc_codepage_func_o____lc_locale_name_func_o__calloc_base_o__wcsdup
      • String ID:
      • API String ID: 3375468522-0
      • Opcode ID: 60bc86165e22be81aa17d3589ed8e106d1b75744234246cc2f54ca111ee90b9d
      • Instruction ID: 7c6ed7a8e5f9086e3794e265180bb03da91c4647cd32417676cd5f4dd8779e3e
      • Opcode Fuzzy Hash: 60bc86165e22be81aa17d3589ed8e106d1b75744234246cc2f54ca111ee90b9d
      • Instruction Fuzzy Hash: 0E311E66D18B85C3E7118F28D6012B96760FFA9798F05A328EF8D52616EF78E2D4C701
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • WinVerifyTrust.WINTRUST(?,?,?,?,?,?,?,?,?,?,?,?,031FFFC0,00007FF68C4F3BD6), ref: 00007FF68C4F3F01
      • WinVerifyTrust.WINTRUST(?,?,?,?,?,?,?,?,?,?,?,?,031FFFC0,00007FF68C4F3BD6), ref: 00007FF68C4F3F7E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: TrustVerify
      • String ID: onecore\enduser\upgradeenablers\shellhelpers\servicehelpers.cpp
      • API String ID: 3336249576-3969904018
      • Opcode ID: 135031ad19ac01d7eebee7c4208069d1f953bcb26f5a9157eb3bb723e9cb7645
      • Instruction ID: 9d7bc835a44708d635fae613d7bff7f1d2a0f9b2e4795845e4c1eb7494ec72fa
      • Opcode Fuzzy Hash: 135031ad19ac01d7eebee7c4208069d1f953bcb26f5a9157eb3bb723e9cb7645
      • Instruction Fuzzy Hash: F5415732B18A42DEFB10CFA1D4903A933A1FF4876CF40423AEA1D97A89DE78D559C750
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 00007FF68C4E8454: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF68C4E6369), ref: 00007FF68C4E8634
        • Part of subcall function 00007FF68C4E8454: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF68C4E6369), ref: 00007FF68C4E8643
      • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF68C4E79A1
      • SetServiceStatus.API-MS-WIN-SERVICE-CORE-L1-1-0 ref: 00007FF68C4E79C3
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF68C4E79D0
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: Heap$ErrorFreeLastObjectProcessServiceSingleStatusWait
      • String ID: The sediment pack service stopped$The sediment pack service was paused
      • API String ID: 1296826421-3758527488
      • Opcode ID: 20d5cbc16b5e8e0dbc725ab60c0c48d7d0c697b1334279bf07b50c86935cfd2d
      • Instruction ID: ffda5e06d247f8beb4a0ae82f30b24d55cff4fa8281a2ce68325d0b8807134d3
      • Opcode Fuzzy Hash: 20d5cbc16b5e8e0dbc725ab60c0c48d7d0c697b1334279bf07b50c86935cfd2d
      • Instruction Fuzzy Hash: E0217C76914702C2EB24DF28E44506A3361FF49778B50473ADA6E866D9DF78E194CB01
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: CloseCreateValue
      • String ID: ?$ETag
      • API String ID: 1818849710-417340769
      • Opcode ID: ec92800859bcc253e710a7981231d33efab12d581c68755a9692affbf8dad4dd
      • Instruction ID: e6ae3236d15d92fe300eb51de5b48a923faf42c6a2517f547f0c8c0294f8b1de
      • Opcode Fuzzy Hash: ec92800859bcc253e710a7981231d33efab12d581c68755a9692affbf8dad4dd
      • Instruction Fuzzy Hash: 54219531B14711C6E7109B69E48462A33F4FF48BA4F510339DAADC3690DF79D551C740
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: ErrorLast$CloseCreateHandleSemaphore
      • String ID: internal\sdk\inc\wil\resultmacros.h
      • API String ID: 2276426104-2306469367
      • Opcode ID: 0a1174fb5d9eaaa8faceba1f97ad9dd6ee840e2f0dc74ed9af87ce9780c4098c
      • Instruction ID: 43dc350acce986461d37ec5861209a69cd749ae2f039b90e5bb2308a1ece78c1
      • Opcode Fuzzy Hash: 0a1174fb5d9eaaa8faceba1f97ad9dd6ee840e2f0dc74ed9af87ce9780c4098c
      • Instruction Fuzzy Hash: 15115B35A08B42C6EB148F92A45406AB7A0FF88BA4B19443DEB8DC3B95CF7CE495C741
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      • You exceeded the maximum number of reads of %d. Something is probably wrong creating a read loop or data in OneSettings too large, xrefs: 00007FF68C4F0AAB
      • You have completed reading as dataSize is 0, xrefs: 00007FF68C4F0A89
      • An error occurrred during the read of OneSettings data, xrefs: 00007FF68C4F0ABD
      • You are reading %d bytes, xrefs: 00007FF68C4F09F4
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: ErrorLast
      • String ID: An error occurrred during the read of OneSettings data$You are reading %d bytes$You exceeded the maximum number of reads of %d. Something is probably wrong creating a read loop or data in OneSettings too large$You have completed reading as dataSize is 0
      • API String ID: 1452528299-3008580539
      • Opcode ID: cee23bad495f433955ea09b82ffeb07a4db9282501f15388cb64bf9477b89fc2
      • Instruction ID: eb25d11c86add0755bbbf5ff96962f3e2e9a41e08ae26c6daf0d34c1d9f2ca07
      • Opcode Fuzzy Hash: cee23bad495f433955ea09b82ffeb07a4db9282501f15388cb64bf9477b89fc2
      • Instruction Fuzzy Hash: 43316161B18742CAEA649B55A8407B96390FF84798F40813EDD5DCB696EF6CE889C700
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: Heap$Process$Free$Alloc
      • String ID:
      • API String ID: 3689955550-0
      • Opcode ID: c8693654865e71f1f0433084102765303c52c4b6e0b2934529b6c2b9a6a8420a
      • Instruction ID: 1c8ce29f1174e585f41af8e757d7e59c9ccb7f4746c0664e9f41585dcb05c367
      • Opcode Fuzzy Hash: c8693654865e71f1f0433084102765303c52c4b6e0b2934529b6c2b9a6a8420a
      • Instruction Fuzzy Hash: A9216932A05B42C6EB09CF66E50436977A0FF89BA9F498138DB2D87685DF3CD4A1C341
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      • Software\Microsoft\Remediation\LocalState\TelemetryPlugin, xrefs: 00007FF68C4E9C9E
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: Close$Create
      • String ID: Software\Microsoft\Remediation\LocalState\TelemetryPlugin
      • API String ID: 359002179-2405561468
      • Opcode ID: 7265058203239527f909ddd12c6acb3aa07c1bb605ae7a6ad79249358ad3b447
      • Instruction ID: 66ee2624ea5250b0301a3aa5ed47b1035d43e1e87e64752a464b57e94083d6e8
      • Opcode Fuzzy Hash: 7265058203239527f909ddd12c6acb3aa07c1bb605ae7a6ad79249358ad3b447
      • Instruction Fuzzy Hash: 8C31AE32B08B52C6EB21EB54A4847BD22A5BF90769F2A413DD66DC7781DF3DD880D300
      Uniqueness

      Uniqueness Score: -1.00%
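A host-side triage check, added here as an example and not part of the Joe Sandbox output or of the sample's own code. It follows up two things the function listings above show: the sample calling WinVerifyTrust on modules before it loads them ("Failed to verify signature for %s"), and the RefreshAfter and ETag values it creates and deletes under Software\Microsoft\Remediation\LocalState\TelemetryPlugin. Assumptions, also marked in the code: the sample path; the registry hive, since the report gives only the relative key path, so both HKLM and HKCU are checked; and that RefreshAfter holds a FILETIME, since the report shows it written in the same function that calls GetSystemTimeAsFileTime but does not show its registry type.

```powershell
# Added triage example; not part of the Joe Sandbox report or of sedsvc.exe itself.
# Assumptions not stated by the report: the sample path below, the hive that holds
# the TelemetryPlugin key, and that RefreshAfter is a FILETIME.
param(
    [string]$SamplePath = "$env:USERPROFILE\Desktop\sedsvc.exe"
)

function Get-SampleSignatureInfo {
    param([string]$Path)
    # The listings show the sample verifying modules with WinVerifyTrust before
    # loading them; Get-AuthenticodeSignature applies the same WinVerifyTrust check
    # to the sample file. Any Status other than 'Valid' (NotSigned, HashMismatch,
    # UnknownError) means the binary must not be trusted on the strength of the
    # "Windows Remediation Service" strings it carries.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File       = $Path
        SHA256     = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        Status     = $sig.Status
        Signer     = $sig.SignerCertificate.Subject
        Thumbprint = $sig.SignerCertificate.Thumbprint
    }
}

function Convert-RefreshAfterValue {
    param($Value)
    # Assumption: RefreshAfter is a FILETIME, because the report shows it set in the
    # same function that calls GetSystemTimeAsFileTime. Its registry type is not
    # shown, so accept REG_QWORD (Int64) or an 8-byte REG_BINARY and otherwise
    # return the raw value untouched.
    if ($Value -is [byte[]] -and $Value.Length -eq 8) {
        $Value = [BitConverter]::ToInt64($Value, 0)
    }
    if ($Value -is [long]) {
        try { return [DateTime]::FromFileTimeUtc($Value) } catch { return $Value }
    }
    return $Value
}

function Get-RemediationState {
    # Relative key path taken from the report; the hive is an assumption, so both
    # the machine and the current-user hive are inspected.
    $relKey = 'Software\Microsoft\Remediation\LocalState\TelemetryPlugin'
    foreach ($hive in 'HKLM', 'HKCU') {
        $path = "${hive}:\$relKey"
        if (-not (Test-Path -Path $path)) {
            [pscustomobject]@{ Key = $path; Present = $false; RefreshAfter = $null; ETag = $null }
            continue
        }
        $props = Get-ItemProperty -Path $path
        [pscustomobject]@{
            Key          = $path
            Present      = $true
            RefreshAfter = Convert-RefreshAfterValue $props.RefreshAfter
            ETag         = $props.ETag
        }
    }
}

Get-SampleSignatureInfo -Path $SamplePath | Format-List
Get-RemediationState | Format-Table -AutoSize

# The listings name the service "Windows Remediation Service"; report whether a
# service with that display name is actually registered on this host.
Get-Service | Where-Object { $_.DisplayName -eq 'Windows Remediation Service' } |
    Select-Object Name, Status, StartType
```

Run it from an elevated session if the TelemetryPlugin key turns out to live under HKLM with restricted ACLs; a missing key on a clean host is the expected result, while a present key with a RefreshAfter in the future shows the service has run and scheduled its next OneSettings refresh.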

      APIs
        • Part of subcall function 00007FF68C4F3D08: GetModuleFileNameW.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FF68C4F3D49
        • Part of subcall function 00007FF68C4F3D08: PathCchRemoveFileSpec.API-MS-WIN-CORE-PATH-L1-1-0 ref: 00007FF68C4F3D61
      • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FF68C4F3CAF
        • Part of subcall function 00007FF68C4E8454: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF68C4E6369), ref: 00007FF68C4E8634
        • Part of subcall function 00007FF68C4E8454: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF68C4E6369), ref: 00007FF68C4E8643
      • FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FF68C4F3CD1
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      • Associated: 00000000.00000002.2917103435.00007FF68C4E0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917138233.00007FF68C4FB000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C501000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C50A000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917262815.00007FF68C510000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2917447566.00007FF68C517000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: FileFreeHeapModule$HandleLibraryNamePathProcessRemoveSpec
      • String ID: Found existing handle: %p$Freed handle
      • API String ID: 3800399500-3810176542
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: AddressHandleModuleProc
      • String ID: RtlDllShutdownInProgress$ntdll.dll
      • API String ID: 1646373207-582119455
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,00000000,00007FF68C4EA2AA), ref: 00007FF68C4EA3B4
      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,00000000,00007FF68C4EA2AA), ref: 00007FF68C4EA3C7
      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,00000000,00007FF68C4EA2AA), ref: 00007FF68C4EA3DA
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: CloseHandle
      • String ID:
      • API String ID: 2962429428-0
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: _o____lc_codepage_func_o____lc_locale_name_func_o___pctype_func_o_islower
      • String ID:
      • API String ID: 1268560086-0
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: _o____lc_codepage_func_o____lc_locale_name_func_o___pctype_func_o_isupper
      • String ID:
      • API String ID: 727258217-0
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: EventInitOnce$BeginCompleteInformationInitializeRegister
      • String ID:
      • API String ID: 3136474517-0
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: CreateGuid
      • String ID: .$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/W
      • API String ID: 2531319410-913073483
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      • Software\Microsoft\Remediation\LocalState\TelemetryPlugin, xrefs: 00007FF68C4EADAB
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: CloseOpen
      • String ID: Software\Microsoft\Remediation\LocalState\TelemetryPlugin
      • API String ID: 47109696-2405561468
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: CloseOpen
      • String ID: SOFTWARE\Microsoft\Reliability Analysis\RAC
      • API String ID: 47109696-2447572515
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF68C4E952A), ref: 00007FF68C4E9E6D
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF68C4E952A), ref: 00007FF68C4E9E7B
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF68C4E952A), ref: 00007FF68C4E9ED2
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF68C4E952A), ref: 00007FF68C4E9EE0
      Memory Dump Source
      • Source File: 00000000.00000002.2917138233.00007FF68C4E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C4E0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff68c4e0000_sedsvc.jbxd
      Similarity
      • API ID: Heap$Process$AllocFree
      • String ID:
      • API String ID: 756756679-0
      Uniqueness

      Uniqueness Score: -1.00%