Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 29, 2024, 3:19 p.m.	June 29, 2024, 3:38 p.m.

Size	1.9MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`7858fdd5d237ed2531bb9d0ac0a756bc`
SHA256	`31673042a74bb2a476a12f2ff48eab634a6ce03b87072acd4da985fa65ff923c`
CRC32	`6A7FF964`
ssdeep	`49152:rcql3jagrOKjnLbc/mRVKDFR8H28fU0ZJ9j9ttoG7:r9Vhj0/qsDc269ZJP1`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

amadka.exe "C:\Users\test22\AppData\Local\Temp\amadka.exe"
2560
- explorti.exe "C:\Users\test22\AppData\Local\Temp\ad40971b6b\explorti.exe"
  2836
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
77.91.77.81	Active	Moloch
77.91.77.82	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 77.91.77.82:80 -> 192.168.56.101:49164	2400007	ET DROP Spamhaus DROP Listed Traffic Inbound group 8	Misc Attack
TCP 192.168.56.101:49170 -> 77.91.77.82:80	2044623	ET MALWARE Amadey Bot Activity (POST)	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (50 out of 59 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 29, 2024, 3:19 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:19 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:19 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:19 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:19 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:19 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:19 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:19 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:19 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:19 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:19 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:19 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:19 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:19 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:19 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:19 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:19 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:19 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:19 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:19 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:19 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:19 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:19 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:20 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:20 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:20 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:20 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:20 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:20 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:20 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:20 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:20 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:20 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:20 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:20 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:20 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:20 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:20 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:20 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:20 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:20 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:20 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:20 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:20 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:20 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:20 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:20 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:20 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:20 p.m.			0	0
IsDebuggerPresent June 29, 2024, 3:20 p.m.			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.idata
section
section	xhpdljmg
section	mhhqwxed
section	.taggant

One or more processes crashed (50 out of 238 events)

Time & API	Arguments	Status
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: amadka+0x32d0b9 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 3330233 exception.address: 0x12dd0b9 registers.esp: 3930196 registers.edi: 0 registers.eax: 1 registers.ebp: 3930212 registers.edx: 21540864 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb e9 00 00 00 00 68 a1 57 63 64 89 04 24 57 53 exception.symbol: amadka+0x6da40 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 449088 exception.address: 0x101da40 registers.esp: 3930160 registers.edi: 16895369 registers.eax: 26006 registers.ebp: 4006916116 registers.edx: 16449536 registers.ebx: 1968898048 registers.esi: 3 registers.ecx: 1969094656	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 34 24 c7 04 24 d8 48 6b exception.symbol: amadka+0x6d78a exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 448394 exception.address: 0x101d78a registers.esp: 3930164 registers.edi: 16921375 registers.eax: 26006 registers.ebp: 4006916116 registers.edx: 16449536 registers.ebx: 1968898048 registers.esi: 3 registers.ecx: 1969094656	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb 56 89 2c 24 56 e9 fd 00 00 00 83 c0 04 87 04 exception.symbol: amadka+0x6cf86 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 446342 exception.address: 0x101cf86 registers.esp: 3930164 registers.edi: 16898651 registers.eax: 26006 registers.ebp: 4006916116 registers.edx: 0 registers.ebx: 240873 registers.esi: 3 registers.ecx: 1969094656	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb e9 0b 05 00 00 8f 04 24 e9 ba fd ff ff 81 c6 exception.symbol: amadka+0x6e3d4 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 451540 exception.address: 0x101e3d4 registers.esp: 3930160 registers.edi: 16898651 registers.eax: 16900047 registers.ebp: 4006916116 registers.edx: 0 registers.ebx: 282942399 registers.esi: 3 registers.ecx: 1969094656	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb 29 c9 52 e9 a1 ff ff ff 29 44 24 04 e9 81 01 exception.symbol: amadka+0x6e162 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 450914 exception.address: 0x101e162 registers.esp: 3930164 registers.edi: 16898651 registers.eax: 16931532 registers.ebp: 4006916116 registers.edx: 0 registers.ebx: 282942399 registers.esi: 3 registers.ecx: 1969094656	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb 68 1d 69 b3 74 89 0c 24 c7 04 24 ed 01 fd 3c exception.symbol: amadka+0x6e0dc exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 450780 exception.address: 0x101e0dc registers.esp: 3930164 registers.edi: 1259 registers.eax: 16931532 registers.ebp: 4006916116 registers.edx: 0 registers.ebx: 282942399 registers.esi: 3 registers.ecx: 4294938324	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb 68 4f d1 b8 46 89 04 24 89 3c 24 55 bd 71 c3 exception.symbol: amadka+0x1fd0c2 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2085058 exception.address: 0x11ad0c2 registers.esp: 3930164 registers.edi: 16935048 registers.eax: 25934 registers.ebp: 4006916116 registers.edx: 4294944060 registers.ebx: 18559175 registers.esi: 380905 registers.ecx: 843	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb 56 89 1c 24 e9 be 02 00 00 52 e9 12 07 00 00 exception.symbol: amadka+0x1fedfc exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2092540 exception.address: 0x11aedfc registers.esp: 3930160 registers.edi: 0 registers.eax: 32332 registers.ebp: 4006916116 registers.edx: 18541838 registers.ebx: 18539370 registers.esi: 21446 registers.ecx: 96	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb 53 c7 04 24 4c ff d7 7d 50 e9 00 00 00 00 b8 exception.symbol: amadka+0x1ff899 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2095257 exception.address: 0x11af899 registers.esp: 3930164 registers.edi: 0 registers.eax: 32332 registers.ebp: 4006916116 registers.edx: 18574170 registers.ebx: 18539370 registers.esi: 21446 registers.ecx: 96	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb 56 be 18 0d ff 5d 81 ce b7 50 fe 7a 51 b9 09 exception.symbol: amadka+0x1fedc4 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2092484 exception.address: 0x11aedc4 registers.esp: 3930164 registers.edi: 0 registers.eax: 32332 registers.ebp: 4006916116 registers.edx: 18545114 registers.ebx: 50665 registers.esi: 0 registers.ecx: 96	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb 56 50 b8 ba e5 c9 7c 50 5e 58 68 e7 cf 97 59 exception.symbol: amadka+0x200e8a exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2100874 exception.address: 0x11b0e8a registers.esp: 3930164 registers.edi: 0 registers.eax: 28591 registers.ebp: 4006916116 registers.edx: 1517482911 registers.ebx: 1530687045 registers.esi: 18576159 registers.ecx: 1017049904	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb 57 e9 a5 00 00 00 81 ed 02 d9 32 25 89 ee 5d exception.symbol: amadka+0x200b0d exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2099981 exception.address: 0x11b0b0d registers.esp: 3930164 registers.edi: 0 registers.eax: 0 registers.ebp: 4006916116 registers.edx: 1517482911 registers.ebx: 134889 registers.esi: 18550451 registers.ecx: 1017049904	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 56 89 0c 24 89 3c 24 53 exception.symbol: amadka+0x20d8b4 exception.instruction: in eax, dx exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2152628 exception.address: 0x11bd8b4 registers.esp: 3930156 registers.edi: 4206104 registers.eax: 1447909480 registers.ebp: 4006916116 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 18579915 registers.ecx: 20	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: amadka+0x20d9bb exception.address: 0x11bd9bb exception.module: amadka.exe exception.exception_code: 0xc000001d exception.offset: 2152891 registers.esp: 3930156 registers.edi: 4206104 registers.eax: 1 registers.ebp: 4006916116 registers.edx: 22104 registers.ebx: 0 registers.esi: 18579915 registers.ecx: 20	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 40 2c 2d 12 01 exception.symbol: amadka+0x20da46 exception.instruction: in eax, dx exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2153030 exception.address: 0x11bda46 registers.esp: 3930156 registers.edi: 4206104 registers.eax: 1447909480 registers.ebp: 4006916116 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 18579915 registers.ecx: 10	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb 52 89 0c 24 e9 81 03 00 00 ff 74 24 04 e9 a5 exception.symbol: amadka+0x210bed exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2165741 exception.address: 0x11c0bed registers.esp: 3930164 registers.edi: 4206104 registers.eax: 18646028 registers.ebp: 4006916116 registers.edx: 2130566132 registers.ebx: 45661780 registers.esi: 10 registers.ecx: 2129461248	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb 56 89 04 24 e9 32 02 00 00 b9 76 bb ab 58 09 exception.symbol: amadka+0x210e60 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2166368 exception.address: 0x11c0e60 registers.esp: 3930164 registers.edi: 0 registers.eax: 18618088 registers.ebp: 4006916116 registers.edx: 6379 registers.ebx: 45661780 registers.esi: 10 registers.ecx: 2129461248	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: cd 01 eb 00 8b d7 6a 00 53 e8 03 00 00 00 20 5b exception.symbol: amadka+0x211b33 exception.instruction: int 1 exception.module: amadka.exe exception.exception_code: 0xc0000005 exception.offset: 2169651 exception.address: 0x11c1b33 registers.esp: 3930124 registers.edi: 0 registers.eax: 3930124 registers.ebp: 4006916116 registers.edx: 156 registers.ebx: 18619408 registers.esi: 248 registers.ecx: 248	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb 55 89 14 24 c7 04 24 30 d8 3f 79 81 ec 04 00 exception.symbol: amadka+0x218a42 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2198082 exception.address: 0x11c8a42 registers.esp: 3930164 registers.edi: 18678947 registers.eax: 32274 registers.ebp: 4006916116 registers.edx: 372146888 registers.ebx: 182447122 registers.esi: 4294962194 registers.ecx: 18631122	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 34 24 68 b4 b7 76 79 5e exception.symbol: amadka+0x2191a9 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2199977 exception.address: 0x11c91a9 registers.esp: 3930164 registers.edi: 18649659 registers.eax: 32274 registers.ebp: 4006916116 registers.edx: 0 registers.ebx: 182447122 registers.esi: 4294962194 registers.ecx: 3008854	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb e9 b4 06 00 00 33 34 24 e9 44 fd ff ff b9 04 exception.symbol: amadka+0x221b1c exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2235164 exception.address: 0x11d1b1c registers.esp: 3930160 registers.edi: 16892910 registers.eax: 26744 registers.ebp: 4006916116 registers.edx: 6 registers.ebx: 45662002 registers.esi: 1968968720 registers.ecx: 18683051	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb 57 50 e9 7a 01 00 00 89 34 24 e9 bf fa ff ff exception.symbol: amadka+0x221c24 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2235428 exception.address: 0x11d1c24 registers.esp: 3930164 registers.edi: 604277074 registers.eax: 26744 registers.ebp: 4006916116 registers.edx: 6 registers.ebx: 45662002 registers.esi: 4294943944 registers.ecx: 18709795	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb 55 50 50 89 14 24 e9 3a 03 00 00 83 c6 01 e9 exception.symbol: amadka+0x223ee2 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2244322 exception.address: 0x11d3ee2 registers.esp: 3930160 registers.edi: 604277074 registers.eax: 26334 registers.ebp: 4006916116 registers.edx: 18692311 registers.ebx: 2137160064 registers.esi: 4294943944 registers.ecx: 406075282	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb e9 60 06 00 00 bf 41 ac e9 71 89 fa 8b 3c 24 exception.symbol: amadka+0x223c2f exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2243631 exception.address: 0x11d3c2f registers.esp: 3930164 registers.edi: 604277074 registers.eax: 26334 registers.ebp: 4006916116 registers.edx: 18718645 registers.ebx: 2137160064 registers.esi: 4294943944 registers.ecx: 406075282	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb 50 68 a4 bd 41 7a ff 34 24 8b 04 24 56 54 5e exception.symbol: amadka+0x224397 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2245527 exception.address: 0x11d4397 registers.esp: 3930164 registers.edi: 4294943964 registers.eax: 26334 registers.ebp: 4006916116 registers.edx: 18718645 registers.ebx: 2137160064 registers.esi: 223721 registers.ecx: 406075282	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb e9 05 01 00 00 83 c4 04 52 89 f2 89 d3 5a 5e exception.symbol: amadka+0x22883f exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2263103 exception.address: 0x11d883f registers.esp: 3930156 registers.edi: 4294943964 registers.eax: 18743537 registers.ebp: 4006916116 registers.edx: 18718645 registers.ebx: 2137160064 registers.esi: 223721 registers.ecx: 18718645	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb 53 c7 04 24 4d 3c fd 5e e9 c2 01 00 00 89 3c exception.symbol: amadka+0x2282ed exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2261741 exception.address: 0x11d82ed registers.esp: 3930156 registers.edi: 4294943964 registers.eax: 18714041 registers.ebp: 4006916116 registers.edx: 0 registers.ebx: 2137160064 registers.esi: 223721 registers.ecx: 9365840	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb e9 12 ff ff ff b8 e6 2d 7d 6c 31 c2 e9 0f 02 exception.symbol: amadka+0x235c7d exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2317437 exception.address: 0x11e5c7d registers.esp: 3930156 registers.edi: 18797900 registers.eax: 4294938804 registers.ebp: 4006916116 registers.edx: 2130566132 registers.ebx: 18755820 registers.esi: 3887958880 registers.ecx: 2129464858	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb 57 e9 e7 00 00 00 52 50 52 ba a5 18 f7 7e b8 exception.symbol: amadka+0x24b11a exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2404634 exception.address: 0x11fb11a registers.esp: 3930124 registers.edi: 59731 registers.eax: 27369 registers.ebp: 4006916116 registers.edx: 18879366 registers.ebx: 4294942528 registers.esi: 18823616 registers.ecx: 0	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb e9 28 07 00 00 81 eb c7 3d 7f 4b 81 f3 53 14 exception.symbol: amadka+0x24b6a5 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2406053 exception.address: 0x11fb6a5 registers.esp: 3930120 registers.edi: 18854929 registers.eax: 28848 registers.ebp: 4006916116 registers.edx: 144003227 registers.ebx: 4294942528 registers.esi: 18823616 registers.ecx: 0	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb 68 00 ea 5d 72 89 2c 24 e9 35 ff ff ff 89 04 exception.symbol: amadka+0x24bc44 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2407492 exception.address: 0x11fbc44 registers.esp: 3930124 registers.edi: 18883777 registers.eax: 4294941108 registers.ebp: 4006916116 registers.edx: 2298801283 registers.ebx: 4294942528 registers.esi: 18823616 registers.ecx: 0	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb 50 51 e9 d4 00 00 00 89 2c 24 89 1c 24 ff 74 exception.symbol: amadka+0x24c13e exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2408766 exception.address: 0x11fc13e registers.esp: 3930124 registers.edi: 18883777 registers.eax: 18860925 registers.ebp: 4006916116 registers.edx: 0 registers.ebx: 4294942528 registers.esi: 1358981728 registers.ecx: 0	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb e9 9a fa ff ff 81 ea 5e 89 bf 3f c1 e2 08 e9 exception.symbol: amadka+0x24dadc exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2415324 exception.address: 0x11fdadc registers.esp: 3930124 registers.edi: 18883777 registers.eax: 18890822 registers.ebp: 4006916116 registers.edx: 2011085970 registers.ebx: 1862697728 registers.esi: 1358981728 registers.ecx: 1989668320	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 14 24 89 3c 24 56 89 e6 exception.symbol: amadka+0x24daaf exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2415279 exception.address: 0x11fdaaf registers.esp: 3930124 registers.edi: 18883777 registers.eax: 18890822 registers.ebp: 4006916116 registers.edx: 2011085970 registers.ebx: 4294942348 registers.esi: 911699 registers.ecx: 1989668320	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb 68 56 c6 5b 6e 89 1c 24 89 e3 81 c3 04 00 00 exception.symbol: amadka+0x251c66 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2432102 exception.address: 0x1201c66 registers.esp: 3930124 registers.edi: 18883777 registers.eax: 24811 registers.ebp: 4006916116 registers.edx: 18883680 registers.ebx: 0 registers.esi: 911699 registers.ecx: 1971716238	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb 55 c7 04 24 bc 93 4e 7f e9 30 f6 ff ff b8 0b exception.symbol: amadka+0x2553c0 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2446272 exception.address: 0x12053c0 registers.esp: 3930124 registers.edi: 18883777 registers.eax: 18923798 registers.ebp: 4006916116 registers.edx: 1789758642 registers.ebx: 621933139 registers.esi: 911699 registers.ecx: 494505815	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb 57 c7 04 24 b2 0c f7 5b 81 0c 24 8f 3a fa 2f exception.symbol: amadka+0x254fa7 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2445223 exception.address: 0x1204fa7 registers.esp: 3930124 registers.edi: 0 registers.eax: 18896346 registers.ebp: 4006916116 registers.edx: 1789758642 registers.ebx: 3939837675 registers.esi: 911699 registers.ecx: 494505815	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb 50 b8 e4 98 cf 7d 0d d1 6d e1 6b e9 c5 ff ff exception.symbol: amadka+0x255f26 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2449190 exception.address: 0x1205f26 registers.esp: 3930120 registers.edi: 18918520 registers.eax: 28396 registers.ebp: 4006916116 registers.edx: 1789766776 registers.ebx: 3939837676 registers.esi: 18897794 registers.ecx: 1536	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb 57 51 68 de 2f 6a 71 89 3c 24 53 bb da 1e ce exception.symbol: amadka+0x255e0f exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2448911 exception.address: 0x1205e0f registers.esp: 3930124 registers.edi: 4294941564 registers.eax: 3921906003 registers.ebp: 4006916116 registers.edx: 1789766776 registers.ebx: 3939837676 registers.esi: 18926190 registers.ecx: 1536	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb 55 68 20 ce f8 7f e9 22 ff ff ff bd c6 00 fc exception.symbol: amadka+0x25c067 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2474087 exception.address: 0x120c067 registers.esp: 3930120 registers.edi: 4294941564 registers.eax: 28468 registers.ebp: 4006916116 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 18901882 registers.ecx: 18921236	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb 31 ff e9 64 ff ff ff 5e 5d e9 d3 00 00 00 89 exception.symbol: amadka+0x25bb24 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2472740 exception.address: 0x120bb24 registers.esp: 3930124 registers.edi: 4294941564 registers.eax: 28468 registers.ebp: 4006916116 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 18901882 registers.ecx: 18949704	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb b9 0c c5 b7 3d c1 e9 01 c1 e1 05 50 c7 04 24 exception.symbol: amadka+0x25bc13 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2472979 exception.address: 0x120bc13 registers.esp: 3930124 registers.edi: 4294941280 registers.eax: 28468 registers.ebp: 4006916116 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 940854632 registers.ecx: 18949704	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb 53 57 c7 04 24 ba 7f cb 4c 89 2c 24 52 51 b9 exception.symbol: amadka+0x274f96 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2576278 exception.address: 0x1224f96 registers.esp: 3930124 registers.edi: 2819563112 registers.eax: 19052803 registers.ebp: 4006916116 registers.edx: 4294940724 registers.ebx: 1971716070 registers.esi: 18978556 registers.ecx: 0	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb 55 c7 04 24 c4 84 bf 5a e9 36 01 00 00 5f 81 exception.symbol: amadka+0x27c674 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2606708 exception.address: 0x122c674 registers.esp: 3930124 registers.edi: 4025935669 registers.eax: 28647 registers.ebp: 4006916116 registers.edx: 1564648 registers.ebx: 4025939775 registers.esi: 19083201 registers.ecx: 2129461248	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb 50 89 2c 24 57 c7 04 24 3c bb 4a 5b 5d 83 ec exception.symbol: amadka+0x27c773 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2606963 exception.address: 0x122c773 registers.esp: 3930124 registers.edi: 4025935669 registers.eax: 2179369302 registers.ebp: 4006916116 registers.edx: 0 registers.ebx: 4025939775 registers.esi: 19057245 registers.ecx: 2129461248	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb e9 75 00 00 00 50 55 89 cd 89 e8 8b 2c 24 83 exception.symbol: amadka+0x289d54 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2661716 exception.address: 0x1239d54 registers.esp: 3930124 registers.edi: 18801165 registers.eax: 29517 registers.ebp: 4006916116 registers.edx: 108 registers.ebx: 1898693009 registers.esi: 19138605 registers.ecx: 109	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb 68 1d 2b 4d 40 89 14 24 ba 39 84 d5 26 f7 da exception.symbol: amadka+0x2896d1 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2660049 exception.address: 0x12396d1 registers.esp: 3930124 registers.edi: 2298801283 registers.eax: 29517 registers.ebp: 4006916116 registers.edx: 108 registers.ebx: 1898693009 registers.esi: 19111993 registers.ecx: 0	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb 81 c6 b1 d0 ef 77 e9 9a 03 00 00 43 e9 28 02 exception.symbol: amadka+0x29185d exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2693213 exception.address: 0x124185d registers.esp: 3930120 registers.edi: 18801165 registers.eax: 30900 registers.ebp: 4006916116 registers.edx: 11 registers.ebx: 19113451 registers.esi: 19141945 registers.ecx: 12	1
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: fb 68 76 29 4f 68 e9 d2 fe ff ff 81 c5 04 00 00 exception.symbol: amadka+0x291b15 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2693909 exception.address: 0x1241b15 registers.esp: 3930124 registers.edi: 18801165 registers.eax: 30900 registers.ebp: 4006916116 registers.edx: 0 registers.ebx: 2298801283 registers.esi: 19144937 registers.ecx: 12	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header, POST method with no useragent header, Connection to IP address

suspicious_request

POST http://77.91.77.82/Hun4Ko/index.php

Performs some HTTP requests (1 event)

request

POST http://77.91.77.82/Hun4Ko/index.php

Sends data using the HTTP POST Method (1 event)

request

POST http://77.91.77.82/Hun4Ko/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 62 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00fb1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2560 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2560 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2560 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00dd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00de0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00df0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00fa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73402000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ee0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:20 p.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002a90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01071000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2836 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2836 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2836 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 29, 2024, 3:19 p.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

explorti.exe tried to sleep 1133 seconds, actually delayed analysis time by 1133 seconds

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\ad40971b6b\explorti.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\ad40971b6b\explorti.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW June 29, 2024, 3:19 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\ad40971b6b\explorti.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\ad40971b6b\explorti.exe	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0002dc00', u'virtual_address': u'0x00001000', u'entropy': 7.985036352305697, u'name': u' \\x00 ', u'virtual_size': u'0x00068000'}

entropy

7.98503635231

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x001ac400', u'virtual_address': u'0x0032d000', u'entropy': 7.953290178080023, u'name': u'xhpdljmg', u'virtual_size': u'0x001ad000'}

entropy

7.95329017808

description

A section with a high entropy has been found

entropy

0.994231777661

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Communicates with host for which no DNS query was performed (2 events)

host	77.91.77.81
host	77.91.77.82

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 355 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA June 29, 2024, 3:19 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA June 29, 2024, 3:19 p.m.	class_name: OLLYDBG window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (1 event)

file	C:\Windows\Tasks\explorti.job

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 29, 2024, 3:19 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 56 89 0c 24 89 3c 24 53 exception.symbol: amadka+0x20d8b4 exception.instruction: in eax, dx exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2152628 exception.address: 0x11bd8b4 registers.esp: 3930156 registers.edi: 4206104 registers.eax: 1447909480 registers.ebp: 4006916116 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 18579915 registers.ecx: 20	1	0	0

File has been identified by 29 AntiVirus engines on VirusTotal as malicious (29 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.Generic.tc
Cylance	Unsafe
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
APEX	Malicious
Avast	Win32:Evo-gen [Trj]
Kaspersky	HEUR:Trojan.Win32.Generic
Rising	Trojan.Generic@AI.100 (RDMK:cmRtazqBkeFJQ2BYAfCh26Wm+npM)
F-Secure	Trojan.TR/Crypt.TPM.Gen
McAfeeD	Real Protect-LS!7858FDD5D237
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.7858fdd5d237ed25
Sophos	Generic ML PUA (PUA)
Avira	TR/Crypt.TPM.Gen
Gridinsoft	Trojan.Heur!.038120A1
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	HEUR:Trojan.Win32.Generic
AhnLab-V3	Trojan/Win.Generic.R645974
BitDefenderTheta	Gen:NN.ZexaF.36808.3DWaaGbOPYci
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.Amadey
Zoner	Probably Heur.ExeHeaderL
Tencent	Trojan-DL.Win32.Deyma.kh
SentinelOne	Static AI - Malicious PE
AVG	Win32:Evo-gen [Trj]

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

77.91.77.81:80

amadka.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All