Edit tour

Windows Analysis Report
NBhsazR1jn.exe

Overview

General Information

Sample name:	NBhsazR1jn.exe renamed because original name is a hash value
Original sample name:	5bfbf7207a01679ae899dc56be674afdb0d384efb17123c0b7598fb176c08bfc.exe
Analysis ID:	1466140
MD5:	9a5e25ebaa4cc2cd19b8461da0218120
SHA1:	95324fa5183097b528e2a0aa78e7e4a6dd7559d1
SHA256:	5bfbf7207a01679ae899dc56be674afdb0d384efb17123c0b7598fb176c08bfc
Tags:	exe
Infos:

Detection

Amadey

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Amadeys stealer DLL

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

PE file contains section with special chars

Contains functionality to query CPU information (cpuid)

Detected potential crypto function

Entry point lies outside standard sections

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

PE file contains an invalid checksum

PE file contains sections with non-standard names

PE file does not import any functions

Program does not show much activity (idle)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

NBhsazR1jn.exe (PID: 6028 cmdline: "C:\Users\user\Desktop\NBhsazR1jn.exe" MD5: 9A5E25EBAA4CC2CD19B8461DA0218120)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/ https://bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Malware Configuration

Threatname: Amadey

{"C2 url": "77.91.77.81/Kiru9gu/index.php", "Version": "4.30"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
NBhsazR1jn.exe	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1403943303.0000000000761000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000002.2655506895.0000000000761000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.NBhsazR1jn.exe.760000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.NBhsazR1jn.exe.760000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: NBhsazR1jn.exe

Malware Configuration Extractor: Amadey {"C2 url": "77.91.77.81/Kiru9gu/index.php", "Version": "4.30"}

Multi AV Scanner detection for submitted file

Source: NBhsazR1jn.exe

ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 90.2% probability

Machine Learning detection for sample

Source: NBhsazR1jn.exe

Joe Sandbox ML: detected

Source: NBhsazR1jn.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 77.91.77.81

Source: Joe Sandbox View

IP Address: 77.91.77.81 77.91.77.81

Source: Joe Sandbox View

ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU

System Summary

PE file contains section with special chars

Source: NBhsazR1jn.exe	Static PE information: section name:
Source: NBhsazR1jn.exe	Static PE information: section name: .idata
Source: NBhsazR1jn.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\NBhsazR1jn.exe	Code function: 0_2_007860A2	0_2_007860A2
Source: C:\Users\user\Desktop\NBhsazR1jn.exe	Code function: 0_2_00769910	0_2_00769910
Source: C:\Users\user\Desktop\NBhsazR1jn.exe	Code function: 0_2_00764AD0	0_2_00764AD0
Source: C:\Users\user\Desktop\NBhsazR1jn.exe	Code function: 0_2_00764CD0	0_2_00764CD0
Source: C:\Users\user\Desktop\NBhsazR1jn.exe	Code function: 0_2_00780D23	0_2_00780D23
Source: C:\Users\user\Desktop\NBhsazR1jn.exe	Code function: 0_2_00781512	0_2_00781512
Source: C:\Users\user\Desktop\NBhsazR1jn.exe	Code function: 0_2_00783D01	0_2_00783D01

Source: C:\Users\user\Desktop\NBhsazR1jn.exe	Code function: String function: 0077D852 appears 51 times
Source: C:\Users\user\Desktop\NBhsazR1jn.exe	Code function: String function: 00777F00 appears 122 times

Source: NBhsazR1jn.exe

Static PE information: No import functions for PE file found

Source: NBhsazR1jn.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.troj.spyw.winEXE@1/0@0/1

Source: NBhsazR1jn.exe

ReversingLabs: Detection: 44%

Source: NBhsazR1jn.exe

Static file information: File size 4968448 > 1048576

Source: NBhsazR1jn.exe

Static PE information: Raw size of fonvwcns is bigger than: 0x100000 < 0x19f800

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: NBhsazR1jn.exe

Static PE information: real checksum: 0x1dcdea should be: 0x4cab37

Source: NBhsazR1jn.exe	Static PE information: section name:
Source: NBhsazR1jn.exe	Static PE information: section name: .idata
Source: NBhsazR1jn.exe	Static PE information: section name:
Source: NBhsazR1jn.exe	Static PE information: section name: fonvwcns
Source: NBhsazR1jn.exe	Static PE information: section name: ijaqkjlo
Source: NBhsazR1jn.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\NBhsazR1jn.exe	Code function: 0_2_0077D82C push ecx; ret	0_2_0077D83F
Source: C:\Users\user\Desktop\NBhsazR1jn.exe	Code function: 0_2_00771314 push ecx; retn 0000h	0_2_00771315
Source: C:\Users\user\Desktop\NBhsazR1jn.exe	Code function: 0_2_0077064F push ss; iretd	0_2_00770650

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\NBhsazR1jn.exe

Code function: 0_2_0077DCA1 cpuid

0_2_0077DCA1

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: NBhsazR1jn.exe, type: SAMPLE
Source: Yara match	File source: 0.0.NBhsazR1jn.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NBhsazR1jn.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1403943303.0000000000761000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2655506895.0000000000761000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	1 System Information Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	2 Obfuscated Files or Information	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
NBhsazR1jn.exe	45%	ReversingLabs
NBhsazR1jn.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
77.91.77.81	unknown	Russian Federation		42861	FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1466140
Start date and time:	2024-07-02 15:58:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	NBhsazR1jn.exe renamed because original name is a hash value
Original Sample Name:	5bfbf7207a01679ae899dc56be674afdb0d384efb17123c0b7598fb176c08bfc.exe
Detection:	MAL
Classification:	mal80.troj.spyw.winEXE@1/0@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 26
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target NBhsazR1jn.exe, PID 6028 because there are no executed function
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: NBhsazR1jn.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
77.91.77.81	file.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse	77.91.77.81/stealc/random.exe
	file.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse	77.91.77.81/stealc/random.exe
	SecuriteInfo.com.Win32.PWSX-gen.20622.25663.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse	77.91.77.81/stealc/random.exe
	Wf9qnVcbi8.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse	77.91.77.81/stealc/random.exe
	setup.exe	Get hash	malicious	Amadey	Browse	77.91.77.81/Kiru9gu/index.php
	1719859269.0326595_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig	Browse	77.91.77.81/stealc/random.exe
	Rnteb46TuM.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse	77.91.77.81/stealc/random.exe
	8vZMEr8sm9.exe	Get hash	malicious	Amadey	Browse	77.91.77.81/stealc/random.exe
	1jPL5zru3u.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse	77.91.77.81/mine/amadka.exe
	Zachv5lCuu.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse	77.91.77.81/stealc/random.exe

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU	QFDXInkpM8.exe	Get hash	malicious	Amadey	Browse	77.91.77.81
	file.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse	77.91.77.82
	file.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse	77.91.77.82
	https://drive.google.com/file/d/136ovnD62cwekGHQcz2rdHGNitd3tUNck/view?usp=sharing_eip_m&ts=6682d44d	Get hash	malicious	Unknown	Browse	77.91.77.5
	https://drive.google.com/file/d/1D-RSHnHV853uproVdm_FqLilvp6WEgCv/view?ts=6682d412	Get hash	malicious	Unknown	Browse	77.91.77.5
	SecuriteInfo.com.Win32.PWSX-gen.20622.25663.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse	77.91.77.82
	Wf9qnVcbi8.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse	77.91.77.82
	setup.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, SmokeLoader, Stealc	Browse	77.91.77.81
	setup.exe	Get hash	malicious	Amadey	Browse	77.91.77.81
	1719859269.0326595_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig	Browse	77.91.77.80

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	2.5298324524026956
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	NBhsazR1jn.exe
File size:	4'968'448 bytes
MD5:	9a5e25ebaa4cc2cd19b8461da0218120
SHA1:	95324fa5183097b528e2a0aa78e7e4a6dd7559d1
SHA256:	5bfbf7207a01679ae899dc56be674afdb0d384efb17123c0b7598fb176c08bfc
SHA512:	318ae2bb89bb89d38d3d154ccb176cfb2a1046fd64e7edd7fc8bb00e11b328e0ef87aa058da6310bf5ab89f249b7f11df0a612ededd16ecf11cc395e53e7ca7c
SSDEEP:	24576:3q0VHwOTRWZ8FpySKhm/FEYSzLQRJYyEwjCgGBd2xu2q:a05wkq8LuhmdEd0My5jCq
TLSH:	85360AA1790571CBD48E27789D2BDEC26D6D03F947254813A86CB4BF7E63CC12A97C28
File Content Preview:	MZ......................@............u.L................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0xc1a000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x760000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x665ECF2A [Tue Jun 4 08:24:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6a058	0x6c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x69000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4b84f8	0x10	fonvwcns
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4b84a8	0x18	fonvwcns
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x68000	0x2dc00	05a3654aa7ce6f22f3f4ae1559595941	False	0.498932718579235	data	6.523102093319678	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x69000	0x1e0	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6a000	0x1000	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x6b000	0x2ae000	0x200	bf619eac0cdf3f68d496ea9344137e8b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
fonvwcns	0x319000	0x1a0000	0x19f800	89dc724b49d12d867c8616b289a43746	False	0.0018021162379663056	data	0.015179543220121524	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ijaqkjlo	0x4b9000	0x1000	0x400	0f343b0931126a20f133d67c2b018a3b	False	0.0166015625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4ba000	0x3000	0x2200	d946c4e00b10be82f8d142f508ece41d	False	0.003561580882352941	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: NBhsazR1jn.exePID: 6028, Parent PID: 4084

General

Target ID:	0
Start time:	09:58:59
Start date:	02/07/2024
Path:	C:\Users\user\Desktop\NBhsazR1jn.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\NBhsazR1jn.exe"
Imagebase:	0x760000
File size:	4'968'448 bytes
MD5 hash:	9A5E25EBAA4CC2CD19B8461DA0218120
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000000.1403943303.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.2655506895.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: NBhsazR1jn.exePID: 6028, Parent PID: 4084COMMON

Non-executed Functions

Function 00780D23 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 284COMMON

Download Yara Rule

APIs

Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00780E26
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00780E72

Part of subcall function 0078256D: Concurrency::details::GlobalCore::Initialize.LIBCONCRT ref: 00782660

Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 00780EDE
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00780EFA
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00780F4E
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00780F7B
Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 00780FD1

Strings

(, xrefs: 00780E32

Memory Dump Source

Source File: 00000000.00000002.2655506895.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2655492931.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2655611968.0000000000AB2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_NBhsazR1jn.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$GlobalInitialize$Node::$AffinityManager::Resource$CleanupCore::FindGroupInformationRestriction::Topology
String ID: (
API String ID: 2943730970-3887548279
Opcode ID: 4c32caa32039cc1972eebbe62de0b84385cf75abb6ded3cfddbb8b0d9fbd2f11
Instruction ID: 088eac45a962261aa186bd8fd72de845a29cdded873ac465bad1462db7c467fc
Opcode Fuzzy Hash: 4c32caa32039cc1972eebbe62de0b84385cf75abb6ded3cfddbb8b0d9fbd2f11
Instruction Fuzzy Hash: D8B19D70A40611EFCB28EF69D980A7EBBB4FF44300F24865DE9059B641D739BD91CB94

Function 00781512 Relevance: 13.7, APIs: 9, Instructions: 213memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00782C0C: Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 00782C1F

Concurrency::details::ResourceManager::PreProcessDynamicAllocationData.LIBCONCRT ref: 00781524

Part of subcall function 00782D1F: Concurrency::details::ResourceManager::HandleBorrowedCores.LIBCONCRT ref: 00782D49
Part of subcall function 00782D1F: Concurrency::details::ResourceManager::HandleSharedCores.LIBCONCRT ref: 00782DB8

Concurrency::details::ResourceManager::IncreaseFullyLoadedSchedulerAllocations.LIBCMT ref: 00781656
Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 007816B6
Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 007816C2
Concurrency::details::ResourceManager::DistributeExclusiveCores.LIBCONCRT ref: 007816FD
Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 0078171E
Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 0078172A
Concurrency::details::ResourceManager::DistributeIdleCores.LIBCONCRT ref: 00781733
Concurrency::details::ResourceManager::ResetGlobalAllocationData.LIBCMT ref: 0078174B

Memory Dump Source

Source File: 00000000.00000002.2655506895.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2655492931.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2655611968.0000000000AB2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_NBhsazR1jn.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Manager::Resource$AllocationCores$Dynamic$AdjustCoreDataDistributeHandlePrepareReceiversTransfer$AllocationsBorrowedBuffersExclusiveFullyGlobalIdleIncreaseInitializeLoadedProcessResetSchedulerShared
String ID:
API String ID: 2508902052-0
Opcode ID: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
Instruction ID: 3d0ea9b3cf8c23ce463b8703f88ac7a2e91a73145baa4050b9fccc04b5e49d1f
Opcode Fuzzy Hash: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
Instruction Fuzzy Hash: C0817A71B402259FCB18EF68C584A6DB7BAFF88304B5546ADD446AB702DB34ED52CB80

Function 00783D01 Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

4, xrefs: 00783E9B

Memory Dump Source

Source File: 00000000.00000002.2655506895.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2655492931.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2655611968.0000000000AB2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_NBhsazR1jn.jbxd

Yara matches

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 5578bbf268cf1d7a6cc11f772dbe90f91f38951ddd0f84b7ddcb6c1c960a0822
Instruction ID: 3ece431d02461d94b935185185d59e1e693d03231dc294888a91a1303949bc50
Opcode Fuzzy Hash: 5578bbf268cf1d7a6cc11f772dbe90f91f38951ddd0f84b7ddcb6c1c960a0822
Instruction Fuzzy Hash: 13611AB1E40215DFCB28DF59C580AAEB7B1BF48714F25856DD805A7305C738EE82CBA0

Function 00764CD0 Relevance: .7, Instructions: 701COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655506895.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2655492931.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2655611968.0000000000AB2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_NBhsazR1jn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f1fb7befdc776d3fecd9b40c267cecda3383c6a4c26348c1dc25c8100221334
Instruction ID: b177d2e8a286884e4c5488773430a032806c283323df85f6414d4222ac878236
Opcode Fuzzy Hash: 9f1fb7befdc776d3fecd9b40c267cecda3383c6a4c26348c1dc25c8100221334
Instruction Fuzzy Hash: EA225FB3F515144BDB4CCA9DDCA27EDB3E3AFD8214B0E803DA40AE3345EA79D9158648

Function 00769910 Relevance: .7, Instructions: 671COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655506895.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2655492931.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2655611968.0000000000AB2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_NBhsazR1jn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04384cbbd011e2c6e13c77403aaf9d2c801e41110f5ca59ab4dc2c6f4a4a3ea0
Instruction ID: 1f023918158a1576b06c35ae0c36717e8bbacfa861854f617d1ec6acd921fe97
Opcode Fuzzy Hash: 04384cbbd011e2c6e13c77403aaf9d2c801e41110f5ca59ab4dc2c6f4a4a3ea0
Instruction Fuzzy Hash: 4742C370A01248DBEF14EBB8C54D7DDBBB1AB15314F648248D812773C3D7B94A85DBA2

Function 00764AD0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655506895.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2655492931.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2655611968.0000000000AB2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_NBhsazR1jn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8998d48d0a9a3db46a2e09f0382830a34a3ead3594ae5b876953077d40970050
Instruction ID: e9f21ba753bf3604fe5f5d89cecff699f1a8a903895d31cda71d70149cd264f2
Opcode Fuzzy Hash: 8998d48d0a9a3db46a2e09f0382830a34a3ead3594ae5b876953077d40970050
Instruction Fuzzy Hash: A151B4716087918FD359CF2D841563ABFE5BF85200F084A9EE4DA87292D778E904CB92

Function 0077DCA1 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2655506895.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2655492931.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2655611968.0000000000AB2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_NBhsazR1jn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cff5bd0299570e4c99486d0fd28ed5ff735f617fa679aa070a19f727275cc796
Instruction ID: 07b775f1dea2cda6727d426713c4d81fff6cbe30b875aa29f7d6561643e168d9
Opcode Fuzzy Hash: cff5bd0299570e4c99486d0fd28ed5ff735f617fa679aa070a19f727275cc796
Instruction Fuzzy Hash: 26517AB1E01605CBDF26CF98D885BAAB7F0FB58354F24C56AC419EB250D379AD80CB54

Function 0077EF38 Relevance: 19.7, APIs: 13, Instructions: 229COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 0077F1CB

Memory Dump Source

Source File: 00000000.00000002.2655506895.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2655492931.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2655611968.0000000000AB2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_NBhsazR1jn.jbxd

Yara matches

Similarity

API ID: std::invalid_argument::invalid_argument
String ID:
API String ID: 2141394445-0
Opcode ID: d10b139eb1d11950cf870a1dee1a52e0cf3bee48175fe23b14474e7f75c0249c
Instruction ID: c0d68c5c189ff320afd08a54bdcb36aa935838736b58deb982ec093f35251659
Opcode Fuzzy Hash: d10b139eb1d11950cf870a1dee1a52e0cf3bee48175fe23b14474e7f75c0249c
Instruction Fuzzy Hash: 1E81C331D00219DFCF24DFA8CA85BEEB7B1AF49394F14C469E409A7282D778AD45CB91

Function 00782742 Relevance: 15.2, APIs: 10, Instructions: 223COMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00782786
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 007827EF
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 00782823

Part of subcall function 007806FD: Concurrency::details::ResourceManager::AffinityRestriction::ApplyAffinityLimits.LIBCMT ref: 0078071D

Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 007828A3
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 007828EB

Part of subcall function 007806D2: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 007806EE

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 007828FF
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00782910
Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 0078295D
Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 0078298E

Memory Dump Source

Source File: 00000000.00000002.2655506895.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2655492931.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2655611968.0000000000AB2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_NBhsazR1jn.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Manager::Resource$Affinity$Apply$Restrictions$InformationTopology$Restriction::$CleanupFindGroupLimits
String ID:
API String ID: 1321587334-0
Opcode ID: a6223aaebd27c0f40f8129a49f7191e9ed88a7a4a8564653a5fb3fdd55dbe454
Instruction ID: 10deb220b8ae584bb1516484a4a1668c0d6be450b8ec0fad037247f03fc9f61c
Opcode Fuzzy Hash: a6223aaebd27c0f40f8129a49f7191e9ed88a7a4a8564653a5fb3fdd55dbe454
Instruction Fuzzy Hash: 2981E431A80616DFCF08EF6AD8D097DBBB1BB58301B64812DD441A7642DB3D7986CB84

Function 007868EA Relevance: 15.1, APIs: 10, Instructions: 144COMMON

Download Yara Rule

APIs

Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0078692F
Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 00786961
List.LIBCONCRT ref: 0078699C
Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 007869AD
Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 007869C9
List.LIBCONCRT ref: 00786A04
Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 00786A15
Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00786A30
List.LIBCONCRT ref: 00786A6B
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00786A78

Part of subcall function 00785DEF: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00785E07
Part of subcall function 00785DEF: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00785E19

Memory Dump Source

Source File: 00000000.00000002.2655506895.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2655492931.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2655611968.0000000000AB2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_NBhsazR1jn.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Scheduling$Find$GroupNode::ProcessorRing::ScheduleSegmentVirtual$ListNext$AcquireConcurrency::details::_Lock::_ReaderWriteWriter
String ID:
API String ID: 3403738998-0
Opcode ID: 2f7af67c50368df58dbc42c7a39e667be4f9f9c44dd16b3d404a49fb0bf2eeba
Instruction ID: 5b557d9a13e4c008fc229e8b999ba662f46963176eace82afc779e15435ebe8b
Opcode Fuzzy Hash: 2f7af67c50368df58dbc42c7a39e667be4f9f9c44dd16b3d404a49fb0bf2eeba
Instruction Fuzzy Hash: F0513371A40219EBDF08EF64C595BEDB3B8FF04344F148069E955AB281DB38BE45CB91

Function 0078E939 Relevance: 13.6, APIs: 9, Instructions: 148windowCOMMON

Download Yara Rule

APIs

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0078E989

Part of subcall function 00788E3F: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00788E60

Concurrency::details::InternalContextBase::SpinUntilBlocked.LIBCMT ref: 0078E9A2
Concurrency::location::_Assign.LIBCMT ref: 0078E9B8
Concurrency::details::ReferenceCountedQuickBitSet::InterlockedSet.LIBCONCRT ref: 0078EA25
Concurrency::details::SchedulerBase::ClearQuickCacheSlot.LIBCMT ref: 0078EA2D
Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 0078EA54
Concurrency::details::VirtualProcessor::EnsureAllTasksVisible.LIBCONCRT ref: 0078EA60
Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 0078EAB7
Concurrency::details::ReferenceCountedQuickBitSet::InterlockedClear.LIBCONCRT ref: 0078EAEC

Memory Dump Source

Source File: 00000000.00000002.2655506895.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2655492931.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2655611968.0000000000AB2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_NBhsazR1jn.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Context$Base::$Processor::QuickVirtual$ClearCountedEventInterlockedReferenceSet::$AssignAvailableBlockedCacheConcurrency::location::_DeactivateEnsureInternalMakeSchedulerSlotSpinTasksThrowTraceUntilVisible
String ID:
API String ID: 1448206229-0
Opcode ID: f147fc2462d6baf45ba2f6a4946b33d75adfe1c85e43b1a3533cf90d0567ccc9
Instruction ID: 39912c6b97c93ecbde3fe5a63252de228122dcfdcbcc63244230344a20265170
Opcode Fuzzy Hash: f147fc2462d6baf45ba2f6a4946b33d75adfe1c85e43b1a3533cf90d0567ccc9
Instruction Fuzzy Hash: 5F517F70740214DFDB04FF64C899BBD77A6BF49710F1840A9ED469B286CB78AD05CBA2

Function 007877F1 Relevance: 12.1, APIs: 8, Instructions: 106timeCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 00787813

Part of subcall function 00785BC8: __EH_prolog3_catch.LIBCMT ref: 00785BCF
Part of subcall function 00785BC8: Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 00785C08

Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 0078783A
Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 00787846

Part of subcall function 00785BC8: Concurrency::details::SchedulerBase::AddContext.LIBCONCRT ref: 00785C80
Part of subcall function 00785BC8: Concurrency::details::InternalContextBase::SpinUntilBlocked.LIBCMT ref: 00785C8E

Concurrency::details::SchedulerBase::GetNextSchedulingRing.LIBCMT ref: 00787892
Concurrency::location::_Assign.LIBCMT ref: 007878B3
Concurrency::details::SchedulerBase::StartupVirtualProcessor.LIBCONCRT ref: 007878BB
Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 007878CD
Concurrency::details::SchedulerBase::ChangeThrottlingTimer.LIBCONCRT ref: 007878FD

Part of subcall function 0078682D: Concurrency::details::SchedulerBase::FoundAvailableVirtualProcessor.LIBCONCRT ref: 00786852
Part of subcall function 0078682D: Concurrency::details::VirtualProcessor::ClaimTicket::ExerciseWith.LIBCMT ref: 00786875

Memory Dump Source

Source File: 00000000.00000002.2655506895.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2655492931.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2655611968.0000000000AB2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_NBhsazR1jn.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::$Scheduler$ContextThrottling$InternalTimeVirtual$Processor$AssignAvailableBlockedChangeClaimConcurrency::location::_ExerciseFoundH_prolog3_catchNextProcessor::RingSchedulingSpinStartupTicket::TimerUntilWith
String ID:
API String ID: 1475861073-0
Opcode ID: e9038ad7892f4e2c5a31be8a62e8a2821490d665d13bb00f55cd29dc64e8fb75
Instruction ID: e18f9d46ae93b2cc63f0c2ad0dfb8b61ed9fd14e17d1c08a614fa7019bd9f883
Opcode Fuzzy Hash: e9038ad7892f4e2c5a31be8a62e8a2821490d665d13bb00f55cd29dc64e8fb75
Instruction Fuzzy Hash: 29314730B88355ABCF1EBA78449A6FE7BB55F51300F2440A9D457D7242DB2CDC49C391

Function 00776C40 Relevance: 9.3, APIs: 6, Instructions: 336COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00776D11
std::_Rethrow_future_exception.LIBCPMT ref: 00776D62
std::_Rethrow_future_exception.LIBCPMT ref: 00776D72
__Mtx_unlock.LIBCPMT ref: 00776E15
__Mtx_unlock.LIBCPMT ref: 00776F1B
__Mtx_unlock.LIBCPMT ref: 00776F56

Memory Dump Source

Source File: 00000000.00000002.2655506895.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2655492931.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2655611968.0000000000AB2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_NBhsazR1jn.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$Rethrow_future_exceptionstd::_
String ID:
API String ID: 1997747980-0
Opcode ID: 80591e14fd055d5399c7649604e73623bb34f9d8285a1610c22b8d1db0e45fce
Instruction ID: 288a1640a1f311b8d11f4b31404acc872422deeb78d8b17b19ad5315c97c8cad
Opcode Fuzzy Hash: 80591e14fd055d5399c7649604e73623bb34f9d8285a1610c22b8d1db0e45fce
Instruction Fuzzy Hash: 01C1F271A00B08DFDF25DF64C849BAEBBF4AF05344F00856EE91A97642DB79A904CB61

Function 0077ED6F Relevance: 9.1, APIs: 6, Instructions: 73COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 0077EDCC
Concurrency::details::WaitBlock::WaitBlock.LIBCMT ref: 0077EDD8
Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 0077EDF1
Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 0077EE1F
Concurrency::Context::Block.LIBCONCRT ref: 0077EE41

Memory Dump Source

Source File: 00000000.00000002.2655506895.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2655492931.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2655611968.0000000000AB2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_NBhsazR1jn.jbxd

Yara matches

Similarity

API ID: Wait$BlockConcurrency::details::_Lock::_Scoped_lock$Block::Concurrency::Concurrency::details::Context::ReaderReentrantScoped_lock::_Scoped_lock::~_SpinWriter
String ID:
API String ID: 1182035702-0
Opcode ID: 48cace8fc271d81d5fdbcdda1903ad638a035666512c641c4b8119ce3ea8471b
Instruction ID: 688265b1acd3555f0289b498ccc7c20c945006a992b984a4c97193573a6f4d94
Opcode Fuzzy Hash: 48cace8fc271d81d5fdbcdda1903ad638a035666512c641c4b8119ce3ea8471b
Instruction Fuzzy Hash: E6218671D00205CAEF34DFB4C8496EEB7B0BF19390F2489A9F159A61D1E7B94A44CB91

Function 0078E6BF Relevance: 7.6, APIs: 5, Instructions: 102COMMON

Download Yara Rule

APIs

Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 0078E6E7

Part of subcall function 0078E454: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 0078E487
Part of subcall function 0078E454: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 0078E4A9

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0078E764
Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 0078E77F
Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 0078E789
Concurrency::location::_Assign.LIBCMT ref: 0078E7BD

Memory Dump Source

Source File: 00000000.00000002.2655506895.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2655492931.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2655611968.0000000000AB2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_NBhsazR1jn.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::Virtual$Context$DeactivateProcessorProcessor::Scheduler$ActiveAssignCommitConcurrency::location::_EventInternalPointsReclaimSafeTraceTrigger
String ID:
API String ID: 3603393511-0
Opcode ID: 9e500add07b343e75214896478bb5714aed1490608cfef5d1b932701f3caa8df
Instruction ID: 30ec24a2889e5f35eea0bf3b5c8d4e576c26dce73eb8eebde0b1c3b4725deacc
Opcode Fuzzy Hash: 9e500add07b343e75214896478bb5714aed1490608cfef5d1b932701f3caa8df
Instruction Fuzzy Hash: 55412975A00205DFCF05EF64C498AADB7B5FF48350F2480A9ED499B382DB38A941CF91

Function 0077EBF6 Relevance: 7.6, APIs: 5, Instructions: 101COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0077EBFD
Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 0077EC27

Part of subcall function 0077F2ED: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 0077F30A

Concurrency::details::EventWaitNode::Satisfy.LIBCONCRT ref: 0077ECA4
Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 0077ECD6
__freea.LIBCMT ref: 0077ECFC

Memory Dump Source

Source File: 00000000.00000002.2655506895.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2655492931.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2655611968.0000000000AB2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_NBhsazR1jn.jbxd

Yara matches

Similarity

API ID: Concurrency::details::_Lock::_Scoped_lock$Acquire_lockConcurrency::critical_section::_Concurrency::details::EventH_prolog3_Node::ReaderReentrantSatisfyScoped_lock::_Scoped_lock::~_WaitWriter__freea
String ID:
API String ID: 2497068736-0
Opcode ID: 0c7625a95bb330aa3c92f81ea090e85107e7633994dafdf291bf859f5e44f4de
Instruction ID: 4e6b7ca2b68b3203383d475110be0f3f94778def274ab33e3419ab05a53aec2e
Opcode Fuzzy Hash: 0c7625a95bb330aa3c92f81ea090e85107e7633994dafdf291bf859f5e44f4de
Instruction Fuzzy Hash: 73319E75E00205CFCF16DFA8C9455ADBBF5AF09390F6480AAE409E7341DB389E02CBA1

Function 0078D1C9 Relevance: 7.6, APIs: 5, Instructions: 97COMMON

Download Yara Rule

APIs

Concurrency::details::ReferenceCountedQuickBitSet::InterlockedSet.LIBCONCRT ref: 0078D254
ListArray.LIBCONCRT ref: 0078D277
Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 0078D280
ListArray.LIBCONCRT ref: 0078D2B8
Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 0078D2C3

Memory Dump Source

Source File: 00000000.00000002.2655506895.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2655492931.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2655611968.0000000000AB2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_NBhsazR1jn.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$ArrayListVirtual$ActiveAvailableBase::CountedInterlockedMakeProcessorProcessor::QuickReferenceSchedulerSet::
String ID:
API String ID: 4212520697-0
Opcode ID: 385e524c4453aa111b289915a58e7bc7a7622e706cfd155a5c3fc8ad3a8b16f7
Instruction ID: cff25f0018779ccf780097cb9c4c477b8b49af3240de5f9d83f28c8572abd39c
Opcode Fuzzy Hash: 385e524c4453aa111b289915a58e7bc7a7622e706cfd155a5c3fc8ad3a8b16f7
Instruction Fuzzy Hash: 7F318E75740210EFDB25EB54C888FAEB7A6BF88310F144199E8069B382DB78ED41CB91

Function 00787274 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 007872C0
Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 00787302
Concurrency::details::InternalContextBase::GetAndResetOversubscribedVProc.LIBCMT ref: 0078731E
Concurrency::details::VirtualProcessor::MarkForRetirement.LIBCONCRT ref: 00787329
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00787350

Memory Dump Source

Source File: 00000000.00000002.2655506895.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2655492931.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2655611968.0000000000AB2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_NBhsazR1jn.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Virtual$FindMatchingNode::ProcessorScheduling$Base::ContextInternalMarkOversubscribedProcProcessor::ResetRetirementstd::invalid_argument::invalid_argument
String ID:
API String ID: 3897347962-0
Opcode ID: 2138f18b6175a98a93ccb1ff646f016dadd5a385e43b2e89a981a882af75d151
Instruction ID: d5d6e1c207bb6d1c5264e77b5cf8e7a1274f794e846a106aed827d90c21aacb3
Opcode Fuzzy Hash: 2138f18b6175a98a93ccb1ff646f016dadd5a385e43b2e89a981a882af75d151
Instruction Fuzzy Hash: 5C217134A40209EFCF14EF94C999AADB7B5BF44350F6440A9E906A7391DB38EE04CB51

Function 00789BA5 Relevance: 7.6, APIs: 5, Instructions: 79COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00789BAC
Concurrency::SchedulerPolicy::_ValidPolicyValue.LIBCONCRT ref: 00789BF8
std::bad_exception::bad_exception.LIBCMT ref: 00789C0E
Concurrency::SchedulerPolicy::_ResolvePolicyValues.LIBCONCRT ref: 00789C50
std::bad_exception::bad_exception.LIBCMT ref: 00789C7A

Memory Dump Source

Source File: 00000000.00000002.2655506895.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2655492931.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2655611968.0000000000AB2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_NBhsazR1jn.jbxd

Yara matches

Similarity

API ID: Concurrency::PolicyPolicy::_Schedulerstd::bad_exception::bad_exception$H_prolog3_catchResolveValidValueValues
String ID:
API String ID: 921398678-0
Opcode ID: ba54aeb8e8f970ca7b9afffa99494c7dd960a406fc747573b48972c1a60a42e2
Instruction ID: cbc178ce31b9d8d2eab52bf727f3d5c5c5288282eb6082c3b0536b7a229d4d2b
Opcode Fuzzy Hash: ba54aeb8e8f970ca7b9afffa99494c7dd960a406fc747573b48972c1a60a42e2
Instruction Fuzzy Hash: 012174B1940104DFDB05FFB4D94AEBDB7F4AF15310B244069F205AB252EB7AAD41CBA1

Function 00764590 Relevance: 6.7, Strings: 5, Instructions: 408COMMON

Download Yara Rule

Strings

</|, xrefs: 0076478D
</|, xrefs: 007647C3
</|, xrefs: 00764606
t0|, xrefs: 00764981
t0|, xrefs: 007649CB

Memory Dump Source

Source File: 00000000.00000002.2655506895.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2655492931.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2655611968.0000000000AB2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_NBhsazR1jn.jbxd

Yara matches

Similarity

API ID:
String ID: </|$</|$</|$t0|$t0|
API String ID: 0-2464688324
Opcode ID: de7cf527068ac91f9cce72a67ecb6ba79f98ed312d3b62ed01b099391c12f18f
Instruction ID: 6764176919606b2d9d1b7cce4033815c6e315f4dd4135886ad69386a636c5ff0
Opcode Fuzzy Hash: de7cf527068ac91f9cce72a67ecb6ba79f98ed312d3b62ed01b099391c12f18f
Instruction Fuzzy Hash: 04E1E131A00248DFDB19CF68C885BAEBBB1FF59304F14825DE855A7392D77CA981CB50

Function 0078DA40 Relevance: 6.1, APIs: 4, Instructions: 123COMMON

Download Yara Rule

APIs

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0078DA74

Part of subcall function 00788E3F: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00788E60

Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 0078DAD3
Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 0078DAF9
Concurrency::location::_Assign.LIBCMT ref: 0078DB66

Memory Dump Source

Source File: 00000000.00000002.2655506895.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2655492931.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2655611968.0000000000AB2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_NBhsazR1jn.jbxd

Yara matches

Similarity

API ID: Context$Base::Concurrency::details::$EventInternal$AssignBlockingConcurrency::location::_FindNestingPrepareThrowTraceWork
String ID:
API String ID: 1091748018-0
Opcode ID: 322356d2336d6c60004a1b319035490272715c404cbc44cf8c859c1fb6ff6ae4
Instruction ID: 9fdfe2dd3ab1c28442a9548618b6698c4db9df3599f738264d4b455d0e6a83a4
Opcode Fuzzy Hash: 322356d2336d6c60004a1b319035490272715c404cbc44cf8c859c1fb6ff6ae4
Instruction Fuzzy Hash: E841F2B0644210EBCF29BB28C89ABAEBB75AF44750F158099E4069B3C2CF389D45C7D1

Function 007855BF Relevance: 6.1, APIs: 4, Instructions: 117COMMON

Download Yara Rule

APIs

_InternalDeleteHelper.LIBCONCRT ref: 00785602
_InternalDeleteHelper.LIBCONCRT ref: 00785636
Concurrency::details::SchedulerBase::TraceSchedulerEvent.LIBCMT ref: 0078569B
SafeRWList.LIBCONCRT ref: 007856AA

Memory Dump Source

Source File: 00000000.00000002.2655506895.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2655492931.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2655611968.0000000000AB2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_NBhsazR1jn.jbxd

Yara matches

Similarity

API ID: DeleteHelperInternalScheduler$Base::Concurrency::details::EventListSafeTrace
String ID:
API String ID: 893951542-0
Opcode ID: 1f7e7302185a54103ba0ae7994863050a66fcda5bd5b1c02258a3542f369a234
Instruction ID: 9c04c0000cff92d282d83d8a30974db07d897c6e88d9f809fcd7b1be98b62486
Opcode Fuzzy Hash: 1f7e7302185a54103ba0ae7994863050a66fcda5bd5b1c02258a3542f369a234
Instruction Fuzzy Hash: 3E313B367415149FCF19AB20C849EADB7A6AFC8B40F148179D9069F345EF74AD05CB90

Function 00782C0C Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 00782C1F

Memory Dump Source

Source File: 00000000.00000002.2655506895.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2655492931.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2655611968.0000000000AB2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_NBhsazR1jn.jbxd

Yara matches

Similarity

API ID: BuffersConcurrency::details::InitializeManager::Resource
String ID:
API String ID: 3433162309-0
Opcode ID: f9513e89261a61c53e7734fac6742e5e2ec3ccdb214baacc68db9454e8d483d8
Instruction ID: 6c5aebb8872056a9fc259c693b9dd8d5e8f874909f24e9d71570660437d47a49
Opcode Fuzzy Hash: f9513e89261a61c53e7734fac6742e5e2ec3ccdb214baacc68db9454e8d483d8
Instruction Fuzzy Hash: 71315975A40309DFCF10EF94C4C4BAEBBB9BB44311F1404AADD05AB247D775A946DBA0

Function 00789F36 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::IncrementFixedCoreCount.LIBCONCRT ref: 00789F79

Part of subcall function 0078B470: Concurrency::details::SchedulerProxy::ToggleBorrowedState.LIBCONCRT ref: 0078B4BF

Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 00789F8F
Concurrency::details::SchedulerProxy::AddExecutionResource.LIBCONCRT ref: 00789FDB

Part of subcall function 0078AA51: List.LIBCONCRT ref: 0078AA87

Concurrency::details::ExecutionResource::SetAsCurrent.LIBCMT ref: 00789FEB

Memory Dump Source

Source File: 00000000.00000002.2655506895.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2655492931.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2655611968.0000000000AB2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_NBhsazR1jn.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Proxy::Scheduler$ExecutionHardware$AffinityAffinity::BorrowedCoreCountCurrentFixedIncrementListResourceResource::StateToggle
String ID:
API String ID: 932774601-0
Opcode ID: 5eb5e6bc6167eb0ccf8d45ca156d222cd9fa4e6d3da118cc95994055a942c0b6
Instruction ID: 4d97785d84ce61fa5e475a30e42a6e4b77fbc9472464de719f3c35abd5f93b55
Opcode Fuzzy Hash: 5eb5e6bc6167eb0ccf8d45ca156d222cd9fa4e6d3da118cc95994055a942c0b6
Instruction Fuzzy Hash: C621AC31600A14EFCB28EF64C9908BEB3F4FF48300700451EE546A7651DB78E905CBA1

Function 0078CFC7 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

ListArray.LIBCONCRT ref: 0078CFD5
ListArray.LIBCONCRT ref: 0078CFE7

Part of subcall function 0078C5C2: _InternalDeleteHelper.LIBCONCRT ref: 0078C5D4

ListArray.LIBCONCRT ref: 0078CFF1
_InternalDeleteHelper.LIBCONCRT ref: 0078D00A

Memory Dump Source

Source File: 00000000.00000002.2655506895.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2655492931.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2655611968.0000000000AB2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_NBhsazR1jn.jbxd

Yara matches

Similarity

API ID: ArrayList$DeleteHelperInternal
String ID:
API String ID: 3844194624-0
Opcode ID: 680bbcbbf701e77e1d72c575543dd70061e5836a099fe308faa3bac029143c6e
Instruction ID: 02e159cf550e68ee392a066bc9fddc9b4766030225ce896f9845e5d1c3823749
Opcode Fuzzy Hash: 680bbcbbf701e77e1d72c575543dd70061e5836a099fe308faa3bac029143c6e
Instruction Fuzzy Hash: 57012632380120FFCE36BB60CD8AE3D772ABF44710B004424F5049B642DB28EC225BB0

Function 00784795 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

ListArray.LIBCONCRT ref: 007847A3
ListArray.LIBCONCRT ref: 007847B5

Part of subcall function 00785465: _InternalDeleteHelper.LIBCONCRT ref: 00785474

ListArray.LIBCONCRT ref: 007847BF
_InternalDeleteHelper.LIBCONCRT ref: 007847D8

Memory Dump Source

Source File: 00000000.00000002.2655506895.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2655492931.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2655611968.0000000000AB2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_NBhsazR1jn.jbxd

Yara matches

Similarity

API ID: ArrayList$DeleteHelperInternal
String ID:
API String ID: 3844194624-0
Opcode ID: 564c44c76c4f7ec3a8d9df995f59114b680808e5faceebb644be078be2615baf
Instruction ID: 69be5b78dfd99e96e1a11297240de60559e3a4f202ed6999b8d8c8d70e9418cb
Opcode Fuzzy Hash: 564c44c76c4f7ec3a8d9df995f59114b680808e5faceebb644be078be2615baf
Instruction Fuzzy Hash: 26012671240522EFDE25BB60D8CAE6E7769BF45B11B041125F4049B512DB68AC618B90

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report NBhsazR1jn.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Amadey

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: NBhsazR1jn.exePID: 6028, Parent PID: 4084

General

Chronological Activities

Disassembly

Analysis Process: NBhsazR1jn.exePID: 6028, Parent PID: 4084COMMON

Non-executed Functions

Function 00780D23 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 284COMMON

Function 00781512 Relevance: 13.7, APIs: 9, Instructions: 213memoryCOMMON

Function 00783D01 Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Windows Analysis Report
NBhsazR1jn.exe