Windows
Analysis Report
sedsvc.exe
Overview
General Information
Detection
Score: | 24 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 40% |
Signatures
Classification
Analysis Advice
Sample is a service DLL but no service has been registered |
Sample may be VM or Sandbox-aware, try analysis on a native machine |
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--") |
- System is w10x64
sedsvc.exe (PID: 7656 cmdline: "C:\Users\user\Desktop\sedsvc.exe" -install MD5: 487DC200F8F44FEADEFC09A1A078A15D)
sedsvc.exe (PID: 7712 cmdline: "C:\Users\user\Desktop\sedsvc.exe" /install MD5: 487DC200F8F44FEADEFC09A1A078A15D)
sedsvc.exe (PID: 7736 cmdline: "C:\Users\user\Desktop\sedsvc.exe" /load MD5: 487DC200F8F44FEADEFC09A1A078A15D)
- cleanup
- Compliance
- System Summary
- Data Obfuscation
- Boot Survival
- Malware Analysis System Evasion
- Anti Debugging
- Language, Device and Operating System Detection
Source: | Static PE information: |
Source: | Binary string: |
Source: | Binary string: |
Source: | Code function: | 0_2_00007FF68C4EBEF8 |
Source: | Code function: | 0_2_00007FF68C4EEB90 |
Source: | Code function: | 0_2_00007FF68C4F1784 |
Source: | Code function: | 0_2_00007FF68C4E6DB4 |
Source: | Code function: | 0_2_00007FF68C4E7540 |
Source: | Code function: | 0_2_00007FF68C4E9770 |
Source: | Code function: | 0_2_00007FF68C4E6370 |
Source: | Code function: | 0_2_00007FF68C4F742C |
Source: | Code function: | 0_2_00007FF68C4EA828 |
Source: | Code function: | 0_2_00007FF68C4F4424 |
Source: | Code function: | 0_2_00007FF68C4E87B8 |
Source: | Code function: | 0_2_00007FF68C4EAAA4 |
Source: | Code function: | 0_2_00007FF68C4E9F08 |
Source: | Code function: | 0_2_00007FF68C4E94B8 |
Source: | Binary or memory string: |
Source: | Binary or memory string: |
Source: | Binary or memory string: |
Source: | Binary or memory string: |
Source: | Classification label: |
Source: | Code function: | 0_2_00007FF68C4EBE10 |
Source: | Code function: | 0_2_00007FF68C4E7540 |
Source: | Code function: | 0_2_00007FF68C4E7540 |
Source: | Static PE information: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | Process created: |
Source: | Process created: |
Source: | Process created: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Binary string: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Code function: | 0_2_00007FF68C4E6DB4 |
Source: | Static PE information: |
Source: | Code function: | 0_2_00007FF68C4E7540 |
Malware Analysis System Evasion |
---|
Source: | Code function: | 0_2_00007FF68C4E6DB4 |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Code function: | 0_2_00007FF68C4E6DB4 |
Source: | Code function: | 0_2_00007FF68C4EEB90 |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Code function: | 0_2_00007FF68C4EFB88 |
Source: | Code function: | 0_2_00007FF68C4E7540 |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 14 Windows Service | 14 Windows Service | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 12 Service Execution | Boot or Logon Initialization Scripts | 1 Process Injection | 1 Process Injection | LSASS Memory | 11 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | 1 Native API | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 2 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
3% | ReversingLabs |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1399953 |
Start date and time: | 2024-02-28 00:17:52 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 4s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Run name: | Cmdline fuzzy |
Number of new started processes analysed: | 7 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | sedsvc.exe |
Detection: | SUS |
Classification: | sus24.evad.winEXE@3/0@0/0 |
EGA Information: | Failed |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target sedsvc.exe, PID 7656 because there are no executed functions
- Not all processes were analyzed, report is missing behavior information
- VT rate limit hit for: sedsvc.exe
File type: | |
Entropy (8bit): | 3.289700061427691 |
TrID: | |
File name: | sedsvc.exe |
File size: | 350'208 bytes |
MD5: | 487dc200f8f44feadefc09a1a078a15d |
SHA1: | d59e50b67c53dd10521e1ba3ee0251c719c804b8 |
SHA256: | 6f9cd7bbe9af0219e56cc4980952493637c54b62edb82c310c8e03551972b879 |
SHA512: | 76ba0441b2a5c975c276e20671779ae70cdc3ca4a27dfb378935745b2dce39a074b7c6ee2e69c6427b1196d30d6170058dcff2db4520123fccaecc3227ac3ea6 |
SSDEEP: | 3072:kPznCopBwo/twN6MaeiC2tQO/Mm6Sas4ZccDHd6inGaKW:WpBhwN6yf2iAMfSasJFin |
TLSH: | 8D74F5292AD91479E473E179CFEAC10AD277B4555732D3AF1260064F0F23AA1FA39B31 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`...$..M$..M$..MK..L4..M-.NM...M$..M...MK..L(..MK..L'..MK..L...MK..Le..MK. M&..MK."M%..MK..L%..MRich$..M........PE..d......0... |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x7ff68c4fc530 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x7ff68c4e0000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x308DA80F [Wed Oct 25 02:59:27 1995 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 10 |
OS Version Minor: | 0 |
File Version Major: | 10 |
File Version Minor: | 0 |
Subsystem Version Major: | 10 |
Subsystem Version Minor: | 0 |
Import Hash: | 90d7cf86b3069ff3464f6c9fd27d8383 |
Signature Valid: | |
Signature Issuer: | |
Signature Validation Error: | |
Error Number: | |
Not Before, Not After | |
Subject Chain | |
Version: | |
Thumbprint MD5: | |
Thumbprint SHA-1: | |
Thumbprint SHA-256: | |
Serial: |
Instruction |
---|
dec eax |
sub esp, 28h |
call 00007FF860C05778h |
dec eax |
add esp, 28h |
jmp 00007FF860C04E6Fh |
int3 |
int3 |
jmp 00007FF860C05EC6h |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
nop word ptr [eax+eax+00000000h] |
dec eax |
cmp ecx, dword ptr [00017109h] |
jne 00007FF860C05015h |
dec eax |
rol ecx, 10h |
test cx, FFFFh |
jne 00007FF860C05005h |
ret |
dec eax |
ror ecx, 10h |
jmp 00007FF860C05074h |
int3 |
int3 |
int3 |
inc eax |
push ebx |
dec eax |
sub esp, 20h |
dec eax |
mov ebx, ecx |
call dword ptr [00004B65h] |
mov ecx, 00000001h |
mov dword ptr [000176D2h], eax |
call 00007FF860C05802h |
xor ecx, ecx |
call dword ptr [00004B6Dh] |
dec eax |
mov ecx, ebx |
call dword ptr [00004B54h] |
cmp dword ptr [000176B5h], 00000000h |
jne 00007FF860C0500Ch |
mov ecx, 00000001h |
call 00007FF860C057DEh |
call dword ptr [00004CD3h] |
dec eax |
mov ecx, eax |
mov edx, C0000409h |
dec eax |
add esp, 20h |
pop ebx |
dec eax |
jmp dword ptr [00004CB7h] |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
dec eax |
mov dword ptr [esp+08h], ecx |
dec eax |
sub esp, 00000000h |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x30120 | 0x460 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x37000 | 0x21440 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x35000 | 0x17dc | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x55800 | 0x2138 | .rsrc |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x59000 | 0x3a8 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x29740 | 0x54 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x20e30 | 0x100 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x20f30 | 0x9a0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x1ed5e | 0x1ee00 | ecafe167dd3d36818f992de1db4ce70a | False | 0.42864372469635625 | data | 5.510939022947836 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x20000 | 0x12a14 | 0x12c00 | fe7077f25e030770564036a3cbdf82f5 | False | 0.18850260416666667 | data | 3.0693227792363458 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x33000 | 0x1a00 | 0x800 | c99a74c555371a433d121f551d6c6398 | False | 0.01123046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0x35000 | 0x17dc | 0x1800 | ff1ce2018aa17fe600fca636b126dbe4 | False | 0.004557291666666667 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x37000 | 0x21440 | 0x21600 | 1347aa62f94214b863c2b196fd070d22 | False | 0.019370318352059924 | data | 0.3944297279678959 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x59000 | 0x3a8 | 0x400 | 0f343b0931126a20f133d67c2b018a3b | False | 0.0166015625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
XML | 0x54790 | 0x938 | data | English | United States | 0.01059322033898305 |
XML | 0x558e8 | 0x63e | data | English | United States | 0.013141426783479349 |
XML | 0x550c8 | 0x81a | data | English | United States | 0.011571841851494697 |
XML | 0x56718 | 0x68a | data | English | United States | 0.013142174432497013 |
XML | 0x42048 | 0x66d | data | English | United States | 0.01276595744680851 |
XML | 0x46b78 | 0x66d | data | English | United States | 0.01276595744680851 |
XML | 0x4b780 | 0x66d | data | English | United States | 0.01276595744680851 |
XML | 0x503d8 | 0x66d | data | English | United States | 0.01276595744680851 |
XML | 0x38a40 | 0x66d | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | English | United States | 0.3781155015197568 |
XML | 0x3d518 | 0x66d | data | English | United States | 0.01276595744680851 |
XML | 0x57cf0 | 0x750 | data | English | United States | 0.012286324786324786 |
XML | 0x426b8 | 0x75e | data | English | United States | 0.012195121951219513 |
XML | 0x471e8 | 0x75e | data | English | United States | 0.012195121951219513 |
XML | 0x4bdf0 | 0x75e | data | English | United States | 0.012195121951219513 |
XML | 0x50a48 | 0x75e | data | English | United States | 0.012195121951219513 |
XML | 0x390b0 | 0x75e | data | English | United States | 0.012195121951219513 |
XML | 0x3db88 | 0x75e | data | English | United States | 0.012195121951219513 |
XML | 0x463c0 | 0x7b8 | data | English | United States | 0.011639676113360324 |
XML | 0x4afc8 | 0x7b8 | data | English | United States | 0.011639676113360324 |
XML | 0x4fc20 | 0x7b8 | data | English | United States | 0.011639676113360324 |
XML | 0x53fd8 | 0x7b8 | data | English | United States | 0.011639676113360324 |
XML | 0x3cd60 | 0x7b8 | data | English | United States | 0.011639676113360324 |
XML | 0x41890 | 0x7b8 | data | English | United States | 0.011639676113360324 |
XML | 0x55f28 | 0x7ea | data | English | United States | 0.011352418558736426 |
XML | 0x56da8 | 0x768 | data | English | United States | 0.012130801687763712 |
XML | 0x43740 | 0x88f | data | English | United States | 0.011410314924691922 |
XML | 0x48270 | 0x88f | data | English | United States | 0.011410314924691922 |
XML | 0x4ce78 | 0x88f | data | English | United States | 0.011410314924691922 |
XML | 0x3a138 | 0x890 | data | English | United States | 0.011405109489051095 |
XML | 0x3ec10 | 0x88f | data | English | United States | 0.011410314924691922 |
XML | 0x42e18 | 0x927 | data | English | United States | 0.010670081092616303 |
XML | 0x47948 | 0x927 | data | English | United States | 0.010670081092616303 |
XML | 0x4c550 | 0x927 | data | English | United States | 0.010670081092616303 |
XML | 0x511a8 | 0x927 | data | English | United States | 0.010670081092616303 |
XML | 0x39810 | 0x927 | data | English | United States | 0.010670081092616303 |
XML | 0x3e2e8 | 0x927 | data | English | United States | 0.010670081092616303 |
XML | 0x43fd0 | 0x7e9 | data | English | United States | 0.011358024691358024 |
XML | 0x48b00 | 0x7e9 | data | English | United States | 0.011358024691358024 |
XML | 0x4d708 | 0x7e9 | data | English | United States | 0.011358024691358024 |
XML | 0x51ad0 | 0x7e9 | data | English | United States | 0.011358024691358024 |
XML | 0x3a9c8 | 0x7e9 | data | English | United States | 0.011358024691358024 |
XML | 0x3f4a0 | 0x7e9 | data | English | United States | 0.011358024691358024 |
XML | 0x447c0 | 0xa35 | data | English | United States | 0.009567546880979716 |
XML | 0x492f0 | 0xb0d | data | English | United States | 0.008837044892188053 |
XML | 0x4def8 | 0xb9f | data | English | United States | 0.008739495798319327 |
XML | 0x522c0 | 0xb4b | data | English | United States | 0.008993427879626427 |
XML | 0x3b1b8 | 0xa2f | data | English | United States | 0.009589566551591868 |
XML | 0x3fc90 | 0xa35 | data | English | United States | 0.009567546880979716 |
XML | 0x57510 | 0x7dd | data | English | United States | 0.011425732737208148 |
XML | 0x451f8 | 0x79f | data | English | United States | 0.011788826242952332 |
XML | 0x49e00 | 0x79f | data | English | United States | 0.011788826242952332 |
XML | 0x4ea98 | 0x79f | data | English | United States | 0.011788826242952332 |
XML | 0x52e10 | 0x79f | data | English | United States | 0.011788826242952332 |
XML | 0x3bbe8 | 0x79f | data | English | United States | 0.011788826242952332 |
XML | 0x406c8 | 0x79f | data | English | United States | 0.011788826242952332 |
XML | 0x45998 | 0xa28 | data | English | United States | 0.009615384615384616 |
XML | 0x4a5a0 | 0xa28 | data | English | United States | 0.009615384615384616 |
XML | 0x4f238 | 0x9e1 | data | English | United States | 0.009885330170027679 |
XML | 0x535b0 | 0xa26 | data | English | United States | 0.00962278675904542 |
XML | 0x3c388 | 0x9d1 | data | English | United States | 0.009948269001193792 |
XML | 0x40e68 | 0xa26 | data | English | United States | 0.00962278675904542 |
RT_VERSION | 0x386d0 | 0x36c | data | English | United States | 0.4589041095890411 |
DLL | Import |
---|---|
api-ms-win-crt-locale-l1-1-0.dll | _lock_locales, _unlock_locales |
api-ms-win-crt-string-l1-1-0.dll | __strncnt, memset |
api-ms-win-crt-runtime-l1-1-0.dll | _c_exit, _initterm_e, _initterm, _register_thread_local_exe_atexit_callback |
api-ms-win-crt-private-l1-1-0.dll | _o__lock_file, _o__malloc_base, _o__purecall, _o__register_onexit_function, _o__seh_filter_exe, _o__set_app_type, _o__set_fmode, _o__set_new_mode, _o__unlock_file, _o__wcsicmp, _o__wcsupr_s, _o__wtoi, _o_abort, _o_exit, _o_fclose, _o_fflush, _o_fgetc, _o_fgetpos, _o_fputc, _o_free, _o_fsetpos, _o_fwrite, _o_islower, _o_isupper, _o_malloc, _o_realloc, _o_setlocale, _o_setvbuf, _o_terminate, _o_ungetc, _o_wcstok_s, _o_wcstoul, __uncaught_exception, __C_specific_handler, _CxxThrowException, _o__invalid_parameter_noinfo_noreturn, _o__invalid_parameter_noinfo, _o__initialize_wide_environment, _o__initialize_onexit_table, _o__get_stream_buffer_pointers, _o__get_initial_wide_environment, _o__fseeki64, _o__free_base, _o__exit, wcsstr, _o__errno, _o__crt_atexit, _o__configure_wide_argv, _o__configthreadlocale, _o__cexit, _o__calloc_base, _o__callnewh, _o___stdio_common_vswscanf, _o___stdio_common_vswprintf, _o___stdio_common_vsprintf_s, _o___stdio_common_vsnprintf_s, _o___stdio_common_vfwprintf, _o___stdio_common_vfprintf, _o___std_exception_destroy, _o___std_exception_copy, _o___pctype_func, _o___p__commode, _o___p___wargv, _o___p___argc, _o___acrt_iob_func, _o____lc_locale_name_func, _o____lc_codepage_func, wcschr, memmove, __CxxFrameHandler3, memcmp, _o__wcsdup, memcpy |
api-ms-win-core-file-l1-1-0.dll | GetFileSize, GetFileAttributesW, DeleteFileW, WriteFile, CreateDirectoryW, GetTempFileNameW, CreateFileW |
api-ms-win-core-libraryloader-l1-1-0.dll | GetModuleFileNameW, FreeLibrary, GetProcAddress, GetModuleHandleExW, GetModuleFileNameA, GetModuleHandleW |
api-ms-win-core-synch-l1-2-0.dll | InitOnceBeginInitialize, Sleep, InitOnceExecuteOnce, InitOnceComplete |
api-ms-win-eventing-controller-l1-1-0.dll | EnableTraceEx2, StartTraceW, ControlTraceW |
api-ms-win-core-registry-l1-1-0.dll | RegCreateKeyExW, RegQueryInfoKeyW, RegSetValueExW, RegEnumValueW, RegOpenKeyExW, RegDeleteValueW, RegQueryValueExW, RegGetValueW, RegCloseKey |
api-ms-win-core-synch-l1-1-0.dll | DeleteCriticalSection, AcquireSRWLockExclusive, ReleaseSRWLockShared, InitializeCriticalSectionEx, LeaveCriticalSection, CreateMutexW, CreateMutexExW, CreateEventExW, WaitForSingleObject, CreateSemaphoreExW, AcquireSRWLockShared, ReleaseSRWLockExclusive, ReleaseSemaphore, ReleaseMutex, SetEvent, OpenSemaphoreW, CreateEventW, WaitForSingleObjectEx, InitializeSRWLock |
api-ms-win-core-heap-l1-1-0.dll | HeapFree, GetProcessHeap, HeapAlloc |
api-ms-win-core-errorhandling-l1-1-0.dll | UnhandledExceptionFilter, SetLastError, SetUnhandledExceptionFilter, RaiseException, GetLastError |
api-ms-win-core-processthreads-l1-1-0.dll | GetCurrentThreadId, TerminateProcess, GetCurrentProcess, GetCurrentProcessId |
api-ms-win-security-sddl-l1-1-0.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW |
api-ms-win-core-com-l1-1-0.dll | CoGetApartmentType, CoWaitForMultipleHandles, CoTaskMemAlloc, CoCreateGuid, CoUninitialize, CLSIDFromString, CoInitializeEx, CoCreateFreeThreadedMarshaler, CoTaskMemFree, CoTaskMemRealloc |
api-ms-win-eventing-legacy-l1-1-0.dll | QueryTraceW |
api-ms-win-service-core-l1-1-0.dll | StartServiceCtrlDispatcherW, SetServiceStatus |
api-ms-win-eventing-provider-l1-1-0.dll | EventWriteTransfer, EventSetInformation, EventRegister, EventUnregister |
api-ms-win-core-shlwapi-legacy-l1-1-0.dll | PathFileExistsW, PathRemoveFileSpecW |
api-ms-win-core-heap-obsolete-l1-1-0.dll | LocalFree, LocalAlloc, GlobalFree |
api-ms-win-core-sysinfo-l1-1-0.dll | GetSystemDirectoryW, GetLocalTime, GetVersionExW, GetSystemTimeAsFileTime |
api-ms-win-core-threadpool-legacy-l1-1-0.dll | QueueUserWorkItem |
api-ms-win-core-localization-l1-2-0.dll | FormatMessageW, LCMapStringEx, GetUserDefaultLocaleName |
api-ms-win-service-winsvc-l1-1-0.dll | RegisterServiceCtrlHandlerW, ControlService, QueryServiceStatus |
api-ms-win-core-debug-l1-1-0.dll | DebugBreak, OutputDebugStringW, IsDebuggerPresent |
api-ms-win-core-psapi-l1-1-0.dll | K32GetProcessMemoryInfo |
api-ms-win-core-handle-l1-1-0.dll | CloseHandle |
api-ms-win-core-kernel32-legacy-l1-1-0.dll | LoadLibraryW, MoveFileW |
OLEAUT32.dll | VariantClear |
api-ms-win-core-path-l1-1-0.dll | PathCchRemoveFileSpec, PathCchCombine |
CRYPT32.dll | CertGetCertificateChain, CertFreeCertificateContext, CertFreeCertificateChain, CertVerifyCertificateChainPolicy, CryptStringToBinaryW |
api-ms-win-service-management-l1-1-0.dll | CreateServiceW, OpenServiceW, DeleteService, OpenSCManagerW, CloseServiceHandle |
api-ms-win-core-string-l1-1-0.dll | WideCharToMultiByte, MultiByteToWideChar |
api-ms-win-core-util-l1-1-0.dll | EncodePointer, DecodePointer |
api-ms-win-core-rtlsupport-l1-1-0.dll | RtlVirtualUnwind, RtlCaptureContext, RtlLookupFunctionEntry |
api-ms-win-core-processthreads-l1-1-1.dll | IsProcessorFeaturePresent |
api-ms-win-core-profile-l1-1-0.dll | QueryPerformanceCounter |
api-ms-win-core-interlocked-l1-1-0.dll | InitializeSListHead |
api-ms-win-core-memory-l1-1-0.dll | MapViewOfFile, CreateFileMappingW, UnmapViewOfFile |
WINHTTP.dll | WinHttpReadData, WinHttpSetTimeouts, WinHttpOpenRequest, WinHttpQueryHeaders, WinHttpAddRequestHeaders, WinHttpCloseHandle, WinHttpSendRequest, WinHttpQueryDataAvailable, WinHttpOpen, WinHttpQueryOption, WinHttpReceiveResponse, WinHttpConnect |
api-ms-win-core-version-l1-1-0.dll | VerQueryValueW |
api-ms-win-core-sysinfo-l1-2-0.dll | GetProductInfo |
ntdll.dll | RtlConvertDeviceFamilyInfoToString |
api-ms-win-core-string-obsolete-l1-1-0.dll | lstrcmpiW |
api-ms-win-core-registry-l2-1-0.dll | RegSetKeyValueW |
CRYPTSP.dll | CryptHashData, CryptGetHashParam, CryptDestroyHash, CryptReleaseContext, CryptCreateHash, CryptAcquireContextW |
api-ms-win-core-file-l1-2-0.dll | GetTempPathW |
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW |
WTSAPI32.dll | WTSEnumerateProcessesW, WTSFreeMemory |
api-ms-win-core-winrt-string-l1-1-0.dll | WindowsDeleteString, WindowsGetStringRawBuffer, WindowsCreateString, WindowsCreateStringReference |
api-ms-win-core-winrt-l1-1-0.dll | RoActivateInstance, RoGetActivationFactory |
api-ms-win-core-winrt-error-l1-1-0.dll | RoOriginateError, RoTransformError |
WINTRUST.dll | WTHelperProvDataFromStateData, WinVerifyTrust, WTHelperGetProvSignerFromChain |
WININET.dll | InternetOpenUrlW, InternetOpenW, HttpQueryInfoW, InternetReadFile, InternetCloseHandle |
ext-ms-win-setupapi-classinstallers-l1-1-2.dll | SetupIterateCabinetW |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Target ID: | 0 |
Start time: | 00:18:37 |
Start date: | 28/02/2024 |
Path: | C:\Users\user\Desktop\sedsvc.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff68c4e0000 |
File size: | 350'208 bytes |
MD5 hash: | 487DC200F8F44FEADEFC09A1A078A15D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Target ID: | 1 |
Start time: | 00:18:39 |
Start date: | 28/02/2024 |
Path: | C:\Users\user\Desktop\sedsvc.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff68c4e0000 |
File size: | 350'208 bytes |
MD5 hash: | 487DC200F8F44FEADEFC09A1A078A15D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Target ID: | 2 |
Start time: | 00:18:41 |
Start date: | 28/02/2024 |
Path: | C:\Users\user\Desktop\sedsvc.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff68c4e0000 |
File size: | 350'208 bytes |
MD5 hash: | 487DC200F8F44FEADEFC09A1A078A15D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF68C4E357C Relevance: 26.4, APIs: 2, Strings: 13, Instructions: 149, Tags: window, thread, COMMON
Function 00007FF68C4E9B40 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 98, Tags: memory, registry, COMMON
Function 00007FF68C4F2670 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97, Tags: memory, registry, COMMON
Function 00007FF68C4E7950 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62, Tags: synchronization, COMMON