Edit tour

Windows Analysis Report
QFDXInkpM8.exe

Overview

General Information

Sample name:	QFDXInkpM8.exe renamed because original name is a hash value
Original sample name:	24e4567788c4a9442e2505d02b1c9324f1c95a454a819655de99ddb6eaf083cf.exe
Analysis ID:	1466136
MD5:	f993a688264ec59724aa279e0b93e42c
SHA1:	cbeb5d5042026ab23a40e48511099e7006f76e0d
SHA256:	24e4567788c4a9442e2505d02b1c9324f1c95a454a819655de99ddb6eaf083cf
Tags:	exe
Infos:

Detection

Amadey

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Amadeys stealer DLL

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

PE file contains section with special chars

Contains functionality to query CPU information (cpuid)

Detected potential crypto function

Entry point lies outside standard sections

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

PE file contains an invalid checksum

PE file contains sections with non-standard names

PE file does not import any functions

Program does not show much activity (idle)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

QFDXInkpM8.exe (PID: 5856 cmdline: "C:\Users\user\Desktop\QFDXInkpM8.exe" MD5: F993A688264EC59724AA279E0B93E42C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/ https://bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Malware Configuration

Threatname: Amadey

{"C2 url": "77.91.77.81/Kiru9gu/index.php", "Version": "4.30"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
QFDXInkpM8.exe	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1686937008.00000000002C1000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000002.2931045095.00000000002C1000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.QFDXInkpM8.exe.2c0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.0.QFDXInkpM8.exe.2c0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: QFDXInkpM8.exe

Malware Configuration Extractor: Amadey {"C2 url": "77.91.77.81/Kiru9gu/index.php", "Version": "4.30"}

Multi AV Scanner detection for submitted file

Source: QFDXInkpM8.exe

ReversingLabs: Detection: 37%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 94.4% probability

Machine Learning detection for sample

Source: QFDXInkpM8.exe

Joe Sandbox ML: detected

Source: QFDXInkpM8.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 77.91.77.81

Source: Joe Sandbox View

IP Address: 77.91.77.81 77.91.77.81

Source: Joe Sandbox View

ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU

System Summary

PE file contains section with special chars

Source: QFDXInkpM8.exe	Static PE information: section name:
Source: QFDXInkpM8.exe	Static PE information: section name: .idata
Source: QFDXInkpM8.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\QFDXInkpM8.exe	Code function: 0_2_002E60A2	0_2_002E60A2
Source: C:\Users\user\Desktop\QFDXInkpM8.exe	Code function: 0_2_002C9910	0_2_002C9910
Source: C:\Users\user\Desktop\QFDXInkpM8.exe	Code function: 0_2_002C4AD0	0_2_002C4AD0
Source: C:\Users\user\Desktop\QFDXInkpM8.exe	Code function: 0_2_002C4CD0	0_2_002C4CD0
Source: C:\Users\user\Desktop\QFDXInkpM8.exe	Code function: 0_2_002E0D23	0_2_002E0D23
Source: C:\Users\user\Desktop\QFDXInkpM8.exe	Code function: 0_2_002E3D01	0_2_002E3D01
Source: C:\Users\user\Desktop\QFDXInkpM8.exe	Code function: 0_2_002E1512	0_2_002E1512

Source: C:\Users\user\Desktop\QFDXInkpM8.exe	Code function: String function: 002D7F00 appears 122 times
Source: C:\Users\user\Desktop\QFDXInkpM8.exe	Code function: String function: 002DD852 appears 51 times

Source: QFDXInkpM8.exe

Static PE information: No import functions for PE file found

Source: QFDXInkpM8.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.troj.spyw.winEXE@1/0@0/1

Source: QFDXInkpM8.exe

ReversingLabs: Detection: 37%

Source: QFDXInkpM8.exe

Static file information: File size 4968448 > 1048576

Source: QFDXInkpM8.exe

Static PE information: Raw size of fonvwcns is bigger than: 0x100000 < 0x19f800

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: QFDXInkpM8.exe

Static PE information: real checksum: 0x1dcdea should be: 0x4bfe2d

Source: QFDXInkpM8.exe	Static PE information: section name:
Source: QFDXInkpM8.exe	Static PE information: section name: .idata
Source: QFDXInkpM8.exe	Static PE information: section name:
Source: QFDXInkpM8.exe	Static PE information: section name: fonvwcns
Source: QFDXInkpM8.exe	Static PE information: section name: ijaqkjlo
Source: QFDXInkpM8.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\QFDXInkpM8.exe	Code function: 0_2_002DD82C push ecx; ret	0_2_002DD83F
Source: C:\Users\user\Desktop\QFDXInkpM8.exe	Code function: 0_2_002D1314 push ecx; retn 0000h	0_2_002D1315
Source: C:\Users\user\Desktop\QFDXInkpM8.exe	Code function: 0_2_002D064F push ss; iretd	0_2_002D0650

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\QFDXInkpM8.exe

Code function: 0_2_002DDCA1 cpuid

0_2_002DDCA1

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: QFDXInkpM8.exe, type: SAMPLE
Source: Yara match	File source: 0.2.QFDXInkpM8.exe.2c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.QFDXInkpM8.exe.2c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1686937008.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2931045095.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	1 System Information Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	2 Obfuscated Files or Information	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
QFDXInkpM8.exe	38%	ReversingLabs
QFDXInkpM8.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
77.91.77.81	unknown	Russian Federation		42861	FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1466136
Start date and time:	2024-07-02 15:56:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	QFDXInkpM8.exe renamed because original name is a hash value
Original Sample Name:	24e4567788c4a9442e2505d02b1c9324f1c95a454a819655de99ddb6eaf083cf.exe
Detection:	MAL
Classification:	mal80.troj.spyw.winEXE@1/0@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 26
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target QFDXInkpM8.exe, PID 5856 because there are no executed function
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: QFDXInkpM8.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
77.91.77.81	file.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse	77.91.77.81/stealc/random.exe
	file.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse	77.91.77.81/stealc/random.exe
	SecuriteInfo.com.Win32.PWSX-gen.20622.25663.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse	77.91.77.81/stealc/random.exe
	Wf9qnVcbi8.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse	77.91.77.81/stealc/random.exe
	setup.exe	Get hash	malicious	Amadey	Browse	77.91.77.81/Kiru9gu/index.php
	1719859269.0326595_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig	Browse	77.91.77.81/stealc/random.exe
	Rnteb46TuM.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse	77.91.77.81/stealc/random.exe
	8vZMEr8sm9.exe	Get hash	malicious	Amadey	Browse	77.91.77.81/stealc/random.exe
	1jPL5zru3u.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse	77.91.77.81/mine/amadka.exe
	Zachv5lCuu.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse	77.91.77.81/stealc/random.exe

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU	file.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse	77.91.77.82
	file.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse	77.91.77.82
	https://drive.google.com/file/d/136ovnD62cwekGHQcz2rdHGNitd3tUNck/view?usp=sharing_eip_m&ts=6682d44d	Get hash	malicious	Unknown	Browse	77.91.77.5
	https://drive.google.com/file/d/1D-RSHnHV853uproVdm_FqLilvp6WEgCv/view?ts=6682d412	Get hash	malicious	Unknown	Browse	77.91.77.5
	SecuriteInfo.com.Win32.PWSX-gen.20622.25663.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse	77.91.77.82
	Wf9qnVcbi8.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse	77.91.77.82
	setup.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, SmokeLoader, Stealc	Browse	77.91.77.81
	setup.exe	Get hash	malicious	Amadey	Browse	77.91.77.81
	1719859269.0326595_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig	Browse	77.91.77.80
	Rnteb46TuM.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse	77.91.77.82

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	2.52812134999602
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	QFDXInkpM8.exe
File size:	4'968'448 bytes
MD5:	f993a688264ec59724aa279e0b93e42c
SHA1:	cbeb5d5042026ab23a40e48511099e7006f76e0d
SHA256:	24e4567788c4a9442e2505d02b1c9324f1c95a454a819655de99ddb6eaf083cf
SHA512:	adf2ec0e3fbcc40508875ed522f6902e6163027aece6e8308e7532c004a33a0132aab6ea4a64fa9ee0512825d81c0167a1d40d557fde0eeb3bf827d33a647434
SSDEEP:	24576:6ieoeHdQ1uuB+2RKgm/FEYSzLQRJYyEwjCgGBd2xusq:le7Hqu6+tgmdEd0My5jCq
TLSH:	BA36F9A1790571CBD48E277C9D2BDE826D6D07F947254803A96CB4BFBE63CC12987C28
File Content Preview:	MZ......................@............u.N................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x77a000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x2c0000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x665ECF2A [Tue Jun 4 08:24:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6a058	0x6c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x69000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4b84f8	0x10	fonvwcns
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4b84a8	0x18	fonvwcns
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x68000	0x2dc00	95a6aea0d8bb6939c90349aa3726819d	False	0.49895406420765026	data	6.522719858067875	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x69000	0x1e0	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6a000	0x1000	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x6b000	0x2ae000	0x200	bf619eac0cdf3f68d496ea9344137e8b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
fonvwcns	0x319000	0x1a0000	0x19f800	989e19e60bf37b9ea17631b16c7ed2e0	False	0.001801528655234657	data	0.015170373564757006	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ijaqkjlo	0x4b9000	0x1000	0x400	0f343b0931126a20f133d67c2b018a3b	False	0.0166015625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4ba000	0x3000	0x2200	d946c4e00b10be82f8d142f508ece41d	False	0.003561580882352941	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: QFDXInkpM8.exePID: 5856, Parent PID: 2580

General

Target ID:	0
Start time:	09:57:00
Start date:	02/07/2024
Path:	C:\Users\user\Desktop\QFDXInkpM8.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\QFDXInkpM8.exe"
Imagebase:	0x2c0000
File size:	4'968'448 bytes
MD5 hash:	F993A688264EC59724AA279E0B93E42C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000000.1686937008.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.2931045095.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: QFDXInkpM8.exePID: 5856, Parent PID: 2580COMMON

Non-executed Functions

Function 002E0D23 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 284COMMON

Download Yara Rule

APIs

Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 002E0E26
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 002E0E72

Part of subcall function 002E256D: Concurrency::details::GlobalCore::Initialize.LIBCONCRT ref: 002E2660

Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 002E0EDE
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 002E0EFA
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 002E0F4E
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 002E0F7B
Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 002E0FD1

Strings

(, xrefs: 002E0E32

Memory Dump Source

Source File: 00000000.00000002.2931045095.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.2931032237.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2931143205.0000000000612000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_QFDXInkpM8.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$GlobalInitialize$Node::$AffinityManager::Resource$CleanupCore::FindGroupInformationRestriction::Topology
String ID: (
API String ID: 2943730970-3887548279
Opcode ID: 1956a7c376a433d8e8f9e088446be98c61e56f4ef98bbc9385d53d6c1a45c0bf
Instruction ID: 57e01a80d81652f7eebacb5f037b19e54977a462ff167b38a8927f6556cbff3c
Opcode Fuzzy Hash: 1956a7c376a433d8e8f9e088446be98c61e56f4ef98bbc9385d53d6c1a45c0bf
Instruction Fuzzy Hash: 04B19D70A50652EFCB29CF59D9C1B7EB7B4FB44300F54456DE805AB641C770AEA2CB90

Function 002E1512 Relevance: 13.7, APIs: 9, Instructions: 213memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002E2C0C: Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 002E2C1F

Concurrency::details::ResourceManager::PreProcessDynamicAllocationData.LIBCONCRT ref: 002E1524

Part of subcall function 002E2D1F: Concurrency::details::ResourceManager::HandleBorrowedCores.LIBCONCRT ref: 002E2D49
Part of subcall function 002E2D1F: Concurrency::details::ResourceManager::HandleSharedCores.LIBCONCRT ref: 002E2DB8

Concurrency::details::ResourceManager::IncreaseFullyLoadedSchedulerAllocations.LIBCMT ref: 002E1656
Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 002E16B6
Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 002E16C2
Concurrency::details::ResourceManager::DistributeExclusiveCores.LIBCONCRT ref: 002E16FD
Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 002E171E
Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 002E172A
Concurrency::details::ResourceManager::DistributeIdleCores.LIBCONCRT ref: 002E1733
Concurrency::details::ResourceManager::ResetGlobalAllocationData.LIBCMT ref: 002E174B

Memory Dump Source

Source File: 00000000.00000002.2931045095.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.2931032237.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2931143205.0000000000612000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_QFDXInkpM8.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Manager::Resource$AllocationCores$Dynamic$AdjustCoreDataDistributeHandlePrepareReceiversTransfer$AllocationsBorrowedBuffersExclusiveFullyGlobalIdleIncreaseInitializeLoadedProcessResetSchedulerShared
String ID:
API String ID: 2508902052-0
Opcode ID: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
Instruction ID: a9ce1721daddeefb8c279f2f85b14ba4918889bf3dcc7d7a899e01e295c91eba
Opcode Fuzzy Hash: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
Instruction Fuzzy Hash: 53816C71E502669FCB18CF6AC580A6DB7FAFF88304B5546ADD406AB701C770ED62CB80

Function 002E3D01 Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

4, xrefs: 002E3E9B

Memory Dump Source

Source File: 00000000.00000002.2931045095.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.2931032237.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2931143205.0000000000612000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_QFDXInkpM8.jbxd

Yara matches

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 5578bbf268cf1d7a6cc11f772dbe90f91f38951ddd0f84b7ddcb6c1c960a0822
Instruction ID: f32a60ada58f6edd791beb3e0a96db24cd5b468318c7515e45fc2ffa0908f0b8
Opcode Fuzzy Hash: 5578bbf268cf1d7a6cc11f772dbe90f91f38951ddd0f84b7ddcb6c1c960a0822
Instruction Fuzzy Hash: D6613B71E50256DFCB28CF5AC584AAEB7B1BF88315F65856DD805A7305C330EE92CB90

Function 002C4CD0 Relevance: .7, Instructions: 701COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2931045095.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.2931032237.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2931143205.0000000000612000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_QFDXInkpM8.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1eb61b254c63992c3621e917253e17eac184637e8c482dd4b90cb36127841e0
Instruction ID: 238290d965cdb8dce68b7e240f6733d7733726a09eee68e8940eb5c0fdac37d6
Opcode Fuzzy Hash: e1eb61b254c63992c3621e917253e17eac184637e8c482dd4b90cb36127841e0
Instruction Fuzzy Hash: AC223CB3F515144BDB4CCA9DDCA27EDB2E3AFD8318B0E803DA40AE3345EA7999158644

Function 002C9910 Relevance: .7, Instructions: 671COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2931045095.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.2931032237.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2931143205.0000000000612000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_QFDXInkpM8.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b446066d452010d035e78f40a0b1b2b07d1e2892ba655f138f4a4fd4997b6af0
Instruction ID: 1c89d7abbc660a4e89f6609ed54d43f731e4c7a4356cfe58006de8ed70aed7ee
Opcode Fuzzy Hash: b446066d452010d035e78f40a0b1b2b07d1e2892ba655f138f4a4fd4997b6af0
Instruction Fuzzy Hash: 5742E270D202489BEF14EBB8C549BDEBBB6AB01318F64834CD411373C6D7B55A94DBA2

Function 002C4AD0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2931045095.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.2931032237.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2931143205.0000000000612000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_QFDXInkpM8.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 608aaede407f11f81d8ca05094eff3bfd9f7352bfc10dcf2806036cac7563a5b
Instruction ID: 658c4f789c00d20e8af21595eef83b0fae8dd4f4d0af200c414bb4bf5c994945
Opcode Fuzzy Hash: 608aaede407f11f81d8ca05094eff3bfd9f7352bfc10dcf2806036cac7563a5b
Instruction Fuzzy Hash: A151C3716083918FD319CF2D842567AFFF1BF9A200F084A9EE4D687292D774DA14CBA1

Function 002DDCA1 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2931045095.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.2931032237.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2931143205.0000000000612000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_QFDXInkpM8.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f8f267d9b5414fd24cce82f10c45d10eb36677a3b73bc941352efdcc7da0152
Instruction ID: a544b84a367d32d34d3df70f5619371d06a3b3028cba4e9a0388c31d8c02e8ef
Opcode Fuzzy Hash: 1f8f267d9b5414fd24cce82f10c45d10eb36677a3b73bc941352efdcc7da0152
Instruction Fuzzy Hash: AE5188B2E11A06CBDB26CF59D881BAABBF9FB08320F24856AC411EB354D3749D51CF50

Function 002DEF38 Relevance: 19.7, APIs: 13, Instructions: 229COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 002DF1CB

Memory Dump Source

Source File: 00000000.00000002.2931045095.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.2931032237.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2931143205.0000000000612000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_QFDXInkpM8.jbxd

Yara matches

Similarity

API ID: std::invalid_argument::invalid_argument
String ID:
API String ID: 2141394445-0
Opcode ID: a92bfebb4a139f823ee310dbe61d555680cee24ec334b8ce90bbf3a209f3eefa
Instruction ID: b458ae90afc60f83f0802d82f8ec8d5fa57be4fdaa31bccaf63748ade0f8724b
Opcode Fuzzy Hash: a92bfebb4a139f823ee310dbe61d555680cee24ec334b8ce90bbf3a209f3eefa
Instruction Fuzzy Hash: CA81E331D2021ADFCF15EFA4CA81BEEB7B5AF04310F15442AE816AB382D770AD65CB54

Function 002E2742 Relevance: 15.2, APIs: 10, Instructions: 223COMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 002E2786
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 002E27EF
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 002E2823

Part of subcall function 002E06FD: Concurrency::details::ResourceManager::AffinityRestriction::ApplyAffinityLimits.LIBCMT ref: 002E071D

Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 002E28A3
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 002E28EB

Part of subcall function 002E06D2: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 002E06EE

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 002E28FF
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 002E2910
Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 002E295D
Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 002E298E

Memory Dump Source

Source File: 00000000.00000002.2931045095.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.2931032237.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2931143205.0000000000612000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_QFDXInkpM8.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Manager::Resource$Affinity$Apply$Restrictions$InformationTopology$Restriction::$CleanupFindGroupLimits
String ID:
API String ID: 1321587334-0
Opcode ID: b3ecc92df4103300045d251b43fc0cad30ec21adaaed88599fbe7cd6f276afff
Instruction ID: dbb70a1a1ea364e838f1c94b700024b9ae8d7d387182cc80892fea8df867c39e
Opcode Fuzzy Hash: b3ecc92df4103300045d251b43fc0cad30ec21adaaed88599fbe7cd6f276afff
Instruction Fuzzy Hash: 4F812631AA0297CBCF1ADFAAD8D157DB7BDBB48300FA4412DD447A3641D7305AAACB50

Function 002E68EA Relevance: 15.1, APIs: 10, Instructions: 144COMMON

Download Yara Rule

APIs

Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 002E692F
Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 002E6961
List.LIBCONCRT ref: 002E699C
Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 002E69AD
Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 002E69C9
List.LIBCONCRT ref: 002E6A04
Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 002E6A15
Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 002E6A30
List.LIBCONCRT ref: 002E6A6B
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 002E6A78

Part of subcall function 002E5DEF: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 002E5E07
Part of subcall function 002E5DEF: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 002E5E19

Memory Dump Source

Source File: 00000000.00000002.2931045095.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.2931032237.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2931143205.0000000000612000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_QFDXInkpM8.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Scheduling$Find$GroupNode::ProcessorRing::ScheduleSegmentVirtual$ListNext$AcquireConcurrency::details::_Lock::_ReaderWriteWriter
String ID:
API String ID: 3403738998-0
Opcode ID: 2f7af67c50368df58dbc42c7a39e667be4f9f9c44dd16b3d404a49fb0bf2eeba
Instruction ID: f92916d9cbcf46b6664ac60d0f3b9e4be86cae857949dd567c74e1bbd97a80f9
Opcode Fuzzy Hash: 2f7af67c50368df58dbc42c7a39e667be4f9f9c44dd16b3d404a49fb0bf2eeba
Instruction Fuzzy Hash: 61516171A5025AABDF08DF55C499BEDB3A8FF18344F804079E955AB342DB30AE54CF90

Function 002EE939 Relevance: 13.6, APIs: 9, Instructions: 148windowCOMMON

Download Yara Rule

APIs

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 002EE989

Part of subcall function 002E8E3F: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 002E8E60

Concurrency::details::InternalContextBase::SpinUntilBlocked.LIBCMT ref: 002EE9A2
Concurrency::location::_Assign.LIBCMT ref: 002EE9B8
Concurrency::details::ReferenceCountedQuickBitSet::InterlockedSet.LIBCONCRT ref: 002EEA25
Concurrency::details::SchedulerBase::ClearQuickCacheSlot.LIBCMT ref: 002EEA2D
Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 002EEA54
Concurrency::details::VirtualProcessor::EnsureAllTasksVisible.LIBCONCRT ref: 002EEA60
Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 002EEAB7
Concurrency::details::ReferenceCountedQuickBitSet::InterlockedClear.LIBCONCRT ref: 002EEAEC

Memory Dump Source

Source File: 00000000.00000002.2931045095.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.2931032237.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2931143205.0000000000612000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_QFDXInkpM8.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Context$Base::$Processor::QuickVirtual$ClearCountedEventInterlockedReferenceSet::$AssignAvailableBlockedCacheConcurrency::location::_DeactivateEnsureInternalMakeSchedulerSlotSpinTasksThrowTraceUntilVisible
String ID:
API String ID: 1448206229-0
Opcode ID: ade22173e7e4cade10dddf0e474d22b97dd38944007b6fa2fa97ce73b852bf83
Instruction ID: 440e4aa9e163d84cecd0f7ce9564c79a91274ecb4283a9f03094a6c2668353ff
Opcode Fuzzy Hash: ade22173e7e4cade10dddf0e474d22b97dd38944007b6fa2fa97ce73b852bf83
Instruction Fuzzy Hash: DB519D307502548FDF05EF66C485BAD77A6BF49310FA940B9ED069B386CB70AC118B62

Function 002E77F1 Relevance: 12.1, APIs: 8, Instructions: 106timeCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 002E7813

Part of subcall function 002E5BC8: __EH_prolog3_catch.LIBCMT ref: 002E5BCF
Part of subcall function 002E5BC8: Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 002E5C08

Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 002E783A
Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 002E7846

Part of subcall function 002E5BC8: Concurrency::details::SchedulerBase::AddContext.LIBCONCRT ref: 002E5C80
Part of subcall function 002E5BC8: Concurrency::details::InternalContextBase::SpinUntilBlocked.LIBCMT ref: 002E5C8E

Concurrency::details::SchedulerBase::GetNextSchedulingRing.LIBCMT ref: 002E7892
Concurrency::location::_Assign.LIBCMT ref: 002E78B3
Concurrency::details::SchedulerBase::StartupVirtualProcessor.LIBCONCRT ref: 002E78BB
Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 002E78CD
Concurrency::details::SchedulerBase::ChangeThrottlingTimer.LIBCONCRT ref: 002E78FD

Part of subcall function 002E682D: Concurrency::details::SchedulerBase::FoundAvailableVirtualProcessor.LIBCONCRT ref: 002E6852
Part of subcall function 002E682D: Concurrency::details::VirtualProcessor::ClaimTicket::ExerciseWith.LIBCMT ref: 002E6875

Memory Dump Source

Source File: 00000000.00000002.2931045095.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.2931032237.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2931143205.0000000000612000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_QFDXInkpM8.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::$Scheduler$ContextThrottling$InternalTimeVirtual$Processor$AssignAvailableBlockedChangeClaimConcurrency::location::_ExerciseFoundH_prolog3_catchNextProcessor::RingSchedulingSpinStartupTicket::TimerUntilWith
String ID:
API String ID: 1475861073-0
Opcode ID: e9038ad7892f4e2c5a31be8a62e8a2821490d665d13bb00f55cd29dc64e8fb75
Instruction ID: 248bf109be337e98bce052edd339f633c6b936c58cb0076cdeda1a93b7acfc97
Opcode Fuzzy Hash: e9038ad7892f4e2c5a31be8a62e8a2821490d665d13bb00f55cd29dc64e8fb75
Instruction Fuzzy Hash: 82318B30BA82D69BCF06EE7944967FE7BB55F51304F8400A9D441D7242D7244C2AD792

Function 002D6C40 Relevance: 9.3, APIs: 6, Instructions: 336COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 002D6D11
std::_Rethrow_future_exception.LIBCPMT ref: 002D6D62
std::_Rethrow_future_exception.LIBCPMT ref: 002D6D72
__Mtx_unlock.LIBCPMT ref: 002D6E15
__Mtx_unlock.LIBCPMT ref: 002D6F1B
__Mtx_unlock.LIBCPMT ref: 002D6F56

Memory Dump Source

Source File: 00000000.00000002.2931045095.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.2931032237.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2931143205.0000000000612000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_QFDXInkpM8.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$Rethrow_future_exceptionstd::_
String ID:
API String ID: 1997747980-0
Opcode ID: a4306eb3eb87cc77e56f53f59e332cdd81c37d0bb0fff5b940ea5e539bb61d7a
Instruction ID: 0219449c327b7d4070619276b6baeb47be39c8d8c77cc0f0b60e52fb35386ceb
Opcode Fuzzy Hash: a4306eb3eb87cc77e56f53f59e332cdd81c37d0bb0fff5b940ea5e539bb61d7a
Instruction Fuzzy Hash: 27C1E17192074A9FDB21DFA4D849BABBBF4AF05300F10452FE85697782DB31AD18CB91

Function 002DED6F Relevance: 9.1, APIs: 6, Instructions: 73COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 002DEDCC
Concurrency::details::WaitBlock::WaitBlock.LIBCMT ref: 002DEDD8
Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 002DEDF1
Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 002DEE1F
Concurrency::Context::Block.LIBCONCRT ref: 002DEE41

Memory Dump Source

Source File: 00000000.00000002.2931045095.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.2931032237.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2931143205.0000000000612000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_QFDXInkpM8.jbxd

Yara matches

Similarity

API ID: Wait$BlockConcurrency::details::_Lock::_Scoped_lock$Block::Concurrency::Concurrency::details::Context::ReaderReentrantScoped_lock::_Scoped_lock::~_SpinWriter
String ID:
API String ID: 1182035702-0
Opcode ID: 3db9cf56824c53aaea0ac7915479c1386f1b65d4e537544b4125a8e645ae8772
Instruction ID: b908b4451a15245d3bf7f376b0bc6346981e58b73cd162ace78fcfb7742878a3
Opcode Fuzzy Hash: 3db9cf56824c53aaea0ac7915479c1386f1b65d4e537544b4125a8e645ae8772
Instruction Fuzzy Hash: 53217470D20206CADF25EFA4C8456EEB7F1AF14320F65052BE155AA3D0EBB18E55CB54

Function 002EE6BF Relevance: 7.6, APIs: 5, Instructions: 102COMMON

Download Yara Rule

APIs

Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 002EE6E7

Part of subcall function 002EE454: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 002EE487
Part of subcall function 002EE454: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 002EE4A9

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 002EE764
Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 002EE77F
Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 002EE789
Concurrency::location::_Assign.LIBCMT ref: 002EE7BD

Memory Dump Source

Source File: 00000000.00000002.2931045095.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.2931032237.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2931143205.0000000000612000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_QFDXInkpM8.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::Virtual$Context$DeactivateProcessorProcessor::Scheduler$ActiveAssignCommitConcurrency::location::_EventInternalPointsReclaimSafeTraceTrigger
String ID:
API String ID: 3603393511-0
Opcode ID: 9092263e6f606116c15ca047f569a1b6df4e6b10f3d96dcf0daa2453ccc27353
Instruction ID: 87e2003852ec5be6c93a19a3fa87a7857aa3a10853691bce515d169ee180ae91
Opcode Fuzzy Hash: 9092263e6f606116c15ca047f569a1b6df4e6b10f3d96dcf0daa2453ccc27353
Instruction Fuzzy Hash: FB416C35A102499FCF05EF65C494AADB7B9FF48300F5580AADD499B382DB30A951CF91

Function 002DEBF6 Relevance: 7.6, APIs: 5, Instructions: 101COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002DEBFD
Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 002DEC27

Part of subcall function 002DF2ED: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 002DF30A

Concurrency::details::EventWaitNode::Satisfy.LIBCONCRT ref: 002DECA4
Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 002DECD6
__freea.LIBCMT ref: 002DECFC

Memory Dump Source

Source File: 00000000.00000002.2931045095.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.2931032237.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2931143205.0000000000612000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_QFDXInkpM8.jbxd

Yara matches

Similarity

API ID: Concurrency::details::_Lock::_Scoped_lock$Acquire_lockConcurrency::critical_section::_Concurrency::details::EventH_prolog3_Node::ReaderReentrantSatisfyScoped_lock::_Scoped_lock::~_WaitWriter__freea
String ID:
API String ID: 2497068736-0
Opcode ID: 0b1eb397197739919f75e6fea7a8677df9f582a2a7168327042bb5f49604684e
Instruction ID: c740bbe0dca41ca47f26f9082ca526f1b73fae63e0903049174c57060d2bcf4a
Opcode Fuzzy Hash: 0b1eb397197739919f75e6fea7a8677df9f582a2a7168327042bb5f49604684e
Instruction Fuzzy Hash: 06316D71A301068FDF19EFA8C9815ADB7B5AF08310B66406BE406EB340DB749E12CBA5

Function 002ED1C9 Relevance: 7.6, APIs: 5, Instructions: 97COMMON

Download Yara Rule

APIs

Concurrency::details::ReferenceCountedQuickBitSet::InterlockedSet.LIBCONCRT ref: 002ED254
ListArray.LIBCONCRT ref: 002ED277
Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 002ED280
ListArray.LIBCONCRT ref: 002ED2B8
Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 002ED2C3

Memory Dump Source

Source File: 00000000.00000002.2931045095.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.2931032237.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2931143205.0000000000612000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_QFDXInkpM8.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$ArrayListVirtual$ActiveAvailableBase::CountedInterlockedMakeProcessorProcessor::QuickReferenceSchedulerSet::
String ID:
API String ID: 4212520697-0
Opcode ID: 622f02e083c2f58b219754c107e7daa419591ab34081399c3e718e359e4660b7
Instruction ID: a9b1fef0ca956b4c2cfef06ae5848db91556b7978aa3e1063e01649aa19685d8
Opcode Fuzzy Hash: 622f02e083c2f58b219754c107e7daa419591ab34081399c3e718e359e4660b7
Instruction Fuzzy Hash: 4A319A35750254AFDB09DF66C884BADB7A6AF88300F954099ED069B382DBB0EC51CF91

Function 002E7274 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 002E72C0
Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 002E7302
Concurrency::details::InternalContextBase::GetAndResetOversubscribedVProc.LIBCMT ref: 002E731E
Concurrency::details::VirtualProcessor::MarkForRetirement.LIBCONCRT ref: 002E7329
std::invalid_argument::invalid_argument.LIBCONCRT ref: 002E7350

Memory Dump Source

Source File: 00000000.00000002.2931045095.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.2931032237.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2931143205.0000000000612000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_QFDXInkpM8.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Virtual$FindMatchingNode::ProcessorScheduling$Base::ContextInternalMarkOversubscribedProcProcessor::ResetRetirementstd::invalid_argument::invalid_argument
String ID:
API String ID: 3897347962-0
Opcode ID: 551e8698c9e7e38a4e15648c554b2f43b5fee50f0b4e8b0df69880fcd54ba8bf
Instruction ID: f616361d29d7a337c60b7a22b42530102d12b7a339ac00751b3664845e69c883
Opcode Fuzzy Hash: 551e8698c9e7e38a4e15648c554b2f43b5fee50f0b4e8b0df69880fcd54ba8bf
Instruction Fuzzy Hash: 0621B434A5028AAFCF04EF96C995AEDB7B5BF09300F9440A9ED05A7351DB30AE61CF50

Function 002E9BA5 Relevance: 7.6, APIs: 5, Instructions: 79COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 002E9BAC
Concurrency::SchedulerPolicy::_ValidPolicyValue.LIBCONCRT ref: 002E9BF8
std::bad_exception::bad_exception.LIBCMT ref: 002E9C0E
Concurrency::SchedulerPolicy::_ResolvePolicyValues.LIBCONCRT ref: 002E9C50
std::bad_exception::bad_exception.LIBCMT ref: 002E9C7A

Memory Dump Source

Source File: 00000000.00000002.2931045095.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.2931032237.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2931143205.0000000000612000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_QFDXInkpM8.jbxd

Yara matches

Similarity

API ID: Concurrency::PolicyPolicy::_Schedulerstd::bad_exception::bad_exception$H_prolog3_catchResolveValidValueValues
String ID:
API String ID: 921398678-0
Opcode ID: 51d1a813575fca2f00d9bbf6f369c7e68d7dd4f17cbe6e266ad9ece6438f1759
Instruction ID: 22cfca7643ce7cdb993286200ac2bf4711fa525667fd688ba789e0d637df9584
Opcode Fuzzy Hash: 51d1a813575fca2f00d9bbf6f369c7e68d7dd4f17cbe6e266ad9ece6438f1759
Instruction Fuzzy Hash: D621C4719506449FDB05FFA5D9429EDB7F4AF0D314B60402BF101AB241EB706D91CF50

Function 002C4590 Relevance: 6.7, Strings: 5, Instructions: 408COMMON

Download Yara Rule

Strings

t02, xrefs: 002C49CB
t02, xrefs: 002C4981
</2, xrefs: 002C47C3
</2, xrefs: 002C478D
</2, xrefs: 002C4606

Memory Dump Source

Source File: 00000000.00000002.2931045095.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.2931032237.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2931143205.0000000000612000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_QFDXInkpM8.jbxd

Yara matches

Similarity

API ID:
String ID: </2$</2$</2$t02$t02
API String ID: 0-2836822679
Opcode ID: 41db0e6694bb0bcc6f2f42c59782d5b6ef8e92896d67f62f2c616e32740e7bd6
Instruction ID: 8ddfeef065628ee3abf1896f6b08aa6c82afa7aa9179c62195bb68288ec87999
Opcode Fuzzy Hash: 41db0e6694bb0bcc6f2f42c59782d5b6ef8e92896d67f62f2c616e32740e7bd6
Instruction Fuzzy Hash: 44E11131A202949FDB19DF68CC51BAEBBB5FF49304F14435DE854A7392C7389991CB90

Function 002EDA40 Relevance: 6.1, APIs: 4, Instructions: 123COMMON

Download Yara Rule

APIs

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 002EDA74

Part of subcall function 002E8E3F: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 002E8E60

Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 002EDAD3
Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 002EDAF9
Concurrency::location::_Assign.LIBCMT ref: 002EDB66

Memory Dump Source

Source File: 00000000.00000002.2931045095.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.2931032237.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2931143205.0000000000612000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_QFDXInkpM8.jbxd

Yara matches

Similarity

API ID: Context$Base::Concurrency::details::$EventInternal$AssignBlockingConcurrency::location::_FindNestingPrepareThrowTraceWork
String ID:
API String ID: 1091748018-0
Opcode ID: c689aa025dc29575c0ca2e8494fa318b2d299241ff6dffdc9400285e6c9dcba1
Instruction ID: 4ebf4835b1c9b1c1e617fe52de40f1122cb4441863da97ff72f2c04526a5ef4e
Opcode Fuzzy Hash: c689aa025dc29575c0ca2e8494fa318b2d299241ff6dffdc9400285e6c9dcba1
Instruction Fuzzy Hash: 45416670660241ABCF19EF25C886BBEBB79AF44314F45409EE4069B382DF709E15CB90

Function 002E55BF Relevance: 6.1, APIs: 4, Instructions: 117COMMON

Download Yara Rule

APIs

_InternalDeleteHelper.LIBCONCRT ref: 002E5602
_InternalDeleteHelper.LIBCONCRT ref: 002E5636
Concurrency::details::SchedulerBase::TraceSchedulerEvent.LIBCMT ref: 002E569B
SafeRWList.LIBCONCRT ref: 002E56AA

Memory Dump Source

Source File: 00000000.00000002.2931045095.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.2931032237.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2931143205.0000000000612000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_QFDXInkpM8.jbxd

Yara matches

Similarity

API ID: DeleteHelperInternalScheduler$Base::Concurrency::details::EventListSafeTrace
String ID:
API String ID: 893951542-0
Opcode ID: ddbb5a243976d5b8dabe0d5cd5aeb7c7753de106fcf174f53f66a444c69b859e
Instruction ID: 2612163ffac70e55f9f86473eb218e844349a87d70aac606b7d95e227ec1f0d6
Opcode Fuzzy Hash: ddbb5a243976d5b8dabe0d5cd5aeb7c7753de106fcf174f53f66a444c69b859e
Instruction Fuzzy Hash: 2D3166327615258FDF099F21C881AADB3AAEFC9704F548179ED0A9F385DF706C018B90

Function 002E2C0C Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 002E2C1F

Memory Dump Source

Source File: 00000000.00000002.2931045095.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.2931032237.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2931143205.0000000000612000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_QFDXInkpM8.jbxd

Yara matches

Similarity

API ID: BuffersConcurrency::details::InitializeManager::Resource
String ID:
API String ID: 3433162309-0
Opcode ID: f5dabe2a5825cc1367203195273ca72e93aea8d8bc018c874e0d56536ef285ae
Instruction ID: f4780e5cf955eeadc141e59490105c8eabd729255f24d6f6161c70ec09fddbce
Opcode Fuzzy Hash: f5dabe2a5825cc1367203195273ca72e93aea8d8bc018c874e0d56536ef285ae
Instruction Fuzzy Hash: B8319C75A50349DFCF10DF95C8C0BAEBBB9FB44300F6504AADD06AB242D770A958DBA0

Function 002E9F36 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::IncrementFixedCoreCount.LIBCONCRT ref: 002E9F79

Part of subcall function 002EB470: Concurrency::details::SchedulerProxy::ToggleBorrowedState.LIBCONCRT ref: 002EB4BF

Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 002E9F8F
Concurrency::details::SchedulerProxy::AddExecutionResource.LIBCONCRT ref: 002E9FDB

Part of subcall function 002EAA51: List.LIBCONCRT ref: 002EAA87

Concurrency::details::ExecutionResource::SetAsCurrent.LIBCMT ref: 002E9FEB

Memory Dump Source

Source File: 00000000.00000002.2931045095.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.2931032237.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2931143205.0000000000612000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_QFDXInkpM8.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Proxy::Scheduler$ExecutionHardware$AffinityAffinity::BorrowedCoreCountCurrentFixedIncrementListResourceResource::StateToggle
String ID:
API String ID: 932774601-0
Opcode ID: 1f2838ab5b7fc206996c2ddf323c455ed5b057c43996bc8e0136ae487b547b2c
Instruction ID: 786a6b336c9b29b018cd1de32488fc9cf975d934d82b6c5675a7b60f04a1ebc6
Opcode Fuzzy Hash: 1f2838ab5b7fc206996c2ddf323c455ed5b057c43996bc8e0136ae487b547b2c
Instruction Fuzzy Hash: 3821A931520A159BCB25EF66D9908ABB3F9FF487007804A1EE446A7A51CB70F945CFA1

Function 002E4795 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

ListArray.LIBCONCRT ref: 002E47A3
ListArray.LIBCONCRT ref: 002E47B5

Part of subcall function 002E5465: _InternalDeleteHelper.LIBCONCRT ref: 002E5474

ListArray.LIBCONCRT ref: 002E47BF
_InternalDeleteHelper.LIBCONCRT ref: 002E47D8

Memory Dump Source

Source File: 00000000.00000002.2931045095.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.2931032237.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2931143205.0000000000612000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_QFDXInkpM8.jbxd

Yara matches

Similarity

API ID: ArrayList$DeleteHelperInternal
String ID:
API String ID: 3844194624-0
Opcode ID: da3add953061c471ccd2dca600e79749a5717563ceb0336e84965b72fef175c5
Instruction ID: cb079c1fc14ced57f787ae7ea80856e3963373c89b0433094906a8c0bb9322f9
Opcode Fuzzy Hash: da3add953061c471ccd2dca600e79749a5717563ceb0336e84965b72fef175c5
Instruction Fuzzy Hash: A301DB31660961EFDE15BF52D8C2E6EB75ABF457107840125F80057652CB60AC719AD0

Function 002ECFC7 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

ListArray.LIBCONCRT ref: 002ECFD5
ListArray.LIBCONCRT ref: 002ECFE7

Part of subcall function 002EC5C2: _InternalDeleteHelper.LIBCONCRT ref: 002EC5D4

ListArray.LIBCONCRT ref: 002ECFF1
_InternalDeleteHelper.LIBCONCRT ref: 002ED00A

Memory Dump Source

Source File: 00000000.00000002.2931045095.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.2931032237.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2931143205.0000000000612000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_QFDXInkpM8.jbxd

Yara matches

Similarity

API ID: ArrayList$DeleteHelperInternal
String ID:
API String ID: 3844194624-0
Opcode ID: 79fb6f775cbfe056cbb552864d2123c73ab8299ca4ca29ccc04d4cc8e160fc47
Instruction ID: 0af8b1d34289db470bb5e7297942bfbc5daf9813c58ed12d2c46913198d8918f
Opcode Fuzzy Hash: 79fb6f775cbfe056cbb552864d2123c73ab8299ca4ca29ccc04d4cc8e160fc47
Instruction Fuzzy Hash: 0A01D632351561FFDA25BFA2CD82E7E772ABF847107940425F801A7612DB20EC325AA0

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report QFDXInkpM8.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Amadey

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: QFDXInkpM8.exePID: 5856, Parent PID: 2580

General

Chronological Activities

Disassembly

Analysis Process: QFDXInkpM8.exePID: 5856, Parent PID: 2580COMMON

Non-executed Functions

Function 002E0D23 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 284COMMON

Function 002E1512 Relevance: 13.7, APIs: 9, Instructions: 213memoryCOMMON

Function 002E3D01 Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Windows Analysis Report
QFDXInkpM8.exe