Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 7, 2024, 7:01 p.m.	July 7, 2024, 7:07 p.m.

Size	1.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`29af55c68d51c9ef3c35850bec56664d`
SHA256	`c4e0af18aa1069ff5e0468ed2c5b0e08b3cf453752ca73f59a88223d72a8d20e`
CRC32	`EEA04C75`
ssdeep	`49152:M+f8i6m4axMrP/NDavx27Zyz7wCkP/PsPKLkBO3iJMBBwjxOT:Mi8baxMrP/NYoZyz7wJ/PsE/3wg`
Yara	PE_Header_Zero - PE File Signature Admin_Tool_IN_Zero - Admin Tool Sysinternals anti_vm_detect - Possibly employs anti-virtualization techniques IsPE32 - (no description)

amadka.exe "C:\Users\test22\AppData\Local\Temp\amadka.exe"
2560
- explorti.exe "C:\Users\test22\AppData\Local\Temp\ad40971b6b\explorti.exe"
  2824
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
77.91.77.81	Active	Moloch
77.91.77.82	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 77.91.77.82:80 -> 192.168.56.101:49170	2400007	ET DROP Spamhaus DROP Listed Traffic Inbound group 8	Misc Attack
TCP 192.168.56.101:49170 -> 77.91.77.82:80	2044623	ET MALWARE Amadey Bot Activity (POST)	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (50 out of 59 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 7, 2024, 7:01 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:01 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:01 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:01 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:01 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:01 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:02 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:02 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:02 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:02 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:02 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:02 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:02 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:02 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:02 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:02 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:02 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:02 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:02 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:02 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:02 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:02 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:02 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:02 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:02 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:02 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:02 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:02 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:02 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:02 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:02 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:02 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:02 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:02 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:02 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:02 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:03 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:03 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:03 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:03 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:03 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:03 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:03 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:03 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:03 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:03 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:03 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:03 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:03 p.m.			0	0
IsDebuggerPresent July 7, 2024, 7:03 p.m.			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.idata
section
section	ardsdpuc
section	iyggtkqf
section	.taggant

One or more processes crashed (50 out of 218 events)

Time & API	Arguments	Status
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: amadka+0x3150b9 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 3231929 exception.address: 0x13350b9 registers.esp: 3341656 registers.edi: 0 registers.eax: 1 registers.ebp: 3341672 registers.edx: 21856256 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb 31 d2 ff 34 16 ff 34 24 ff 34 24 59 e9 37 fe exception.symbol: amadka+0x6cf2e exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 446254 exception.address: 0x108cf2e registers.esp: 3341624 registers.edi: 1968898280 registers.eax: 29276 registers.ebp: 4007374868 registers.edx: 16908288 registers.ebx: 945257825 registers.esi: 17383361 registers.ecx: 1969094656	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb 51 89 e1 81 c1 04 00 00 00 83 e9 04 87 0c 24 exception.symbol: amadka+0x6d646 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 448070 exception.address: 0x108d646 registers.esp: 3341624 registers.edi: 1968898280 registers.eax: 29276 registers.ebp: 4007374868 registers.edx: 4294940640 registers.ebx: 945257825 registers.esi: 17383361 registers.ecx: 236777	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb 68 f5 17 00 00 e9 00 00 00 00 ff 34 24 ff 34 exception.symbol: amadka+0x6e711 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 452369 exception.address: 0x108e711 registers.esp: 3341624 registers.edi: 1968898280 registers.eax: 27795 registers.ebp: 4007374868 registers.edx: 981229228 registers.ebx: 1300214765 registers.esi: 17383361 registers.ecx: 17385865	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb 52 68 ab 4d 3f 32 89 04 24 56 e9 ac ff ff ff exception.symbol: amadka+0x6df13 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 450323 exception.address: 0x108df13 registers.esp: 3341624 registers.edi: 1968898280 registers.eax: 0 registers.ebp: 4007374868 registers.edx: 981229228 registers.ebx: 1259 registers.esi: 17383361 registers.ecx: 17361333	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb 51 b9 96 de f7 74 e9 ac fe ff ff 89 e3 81 c3 exception.symbol: amadka+0x1e59cf exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 1989071 exception.address: 0x12059cf registers.esp: 3341620 registers.edi: 17394595 registers.eax: 30390 registers.ebp: 4007374868 registers.edx: 2345 registers.ebx: 425984 registers.esi: 18895185 registers.ecx: 2134376448	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb 52 e9 00 00 00 00 56 c7 04 24 85 bd 9b 71 5a exception.symbol: amadka+0x1e5a2f exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 1989167 exception.address: 0x1205a2f registers.esp: 3341624 registers.edi: 2179434839 registers.eax: 0 registers.ebp: 4007374868 registers.edx: 2345 registers.ebx: 425984 registers.esi: 18898963 registers.ecx: 2134376448	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb e9 b4 f9 ff ff 83 ec 04 89 04 24 b8 67 60 4f exception.symbol: amadka+0x1ec22a exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2015786 exception.address: 0x120c22a registers.esp: 3341624 registers.edi: 18919543 registers.eax: 18951240 registers.ebp: 4007374868 registers.edx: 52992 registers.ebx: 18919543 registers.esi: 18898802 registers.ecx: 60000	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb 52 e9 98 00 00 00 29 d1 e9 54 fe ff ff 59 e9 exception.symbol: amadka+0x1ebe23 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2014755 exception.address: 0x120be23 registers.esp: 3341624 registers.edi: 0 registers.eax: 18924372 registers.ebp: 4007374868 registers.edx: 52992 registers.ebx: 18919543 registers.esi: 18898802 registers.ecx: 1259	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 34 24 53 89 e3 81 c3 04 exception.symbol: amadka+0x1ef2c8 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2028232 exception.address: 0x120f2c8 registers.esp: 3341624 registers.edi: 134889 registers.eax: 18937612 registers.ebp: 4007374868 registers.edx: 52992 registers.ebx: 0 registers.esi: 18898802 registers.ecx: 1969148396	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 81 ec 04 00 00 00 89 0c exception.symbol: amadka+0x1f55f7 exception.instruction: in eax, dx exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2053623 exception.address: 0x12155f7 registers.esp: 3341616 registers.edi: 134889 registers.eax: 1447909480 registers.ebp: 4007374868 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 18956855 registers.ecx: 20	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: amadka+0x1f7498 exception.address: 0x1217498 exception.module: amadka.exe exception.exception_code: 0xc000001d exception.offset: 2061464 registers.esp: 3341616 registers.edi: 134889 registers.eax: 1 registers.ebp: 4007374868 registers.edx: 22104 registers.ebx: 0 registers.esi: 18956855 registers.ecx: 20	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 a6 27 2d 12 01 exception.symbol: amadka+0x1f67ed exception.instruction: in eax, dx exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2058221 exception.address: 0x12167ed registers.esp: 3341616 registers.edi: 134889 registers.eax: 1447909480 registers.ebp: 4007374868 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 18956855 registers.ecx: 10	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb 81 ee c5 0f d6 7a 03 34 24 57 52 53 c7 04 24 exception.symbol: amadka+0x1fd1cc exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2085324 exception.address: 0x121d1cc registers.esp: 3341620 registers.edi: 134889 registers.eax: 32686 registers.ebp: 4007374868 registers.edx: 2130566132 registers.ebx: 31261296 registers.esi: 18991795 registers.ecx: 2134376448	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb 55 89 04 24 56 be d3 fc 27 7e e9 4d fd ff ff exception.symbol: amadka+0x1fcec2 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2084546 exception.address: 0x121cec2 registers.esp: 3341624 registers.edi: 134889 registers.eax: 32686 registers.ebp: 4007374868 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 18994865 registers.ecx: 6379	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: cd 01 eb 00 f8 60 81 e0 6f 67 c2 74 e8 0b 00 00 exception.symbol: amadka+0x1fdb00 exception.instruction: int 1 exception.module: amadka.exe exception.exception_code: 0xc0000005 exception.offset: 2087680 exception.address: 0x121db00 registers.esp: 3341584 registers.edi: 0 registers.eax: 3341584 registers.ebp: 4007374868 registers.edx: 1862128473 registers.ebx: 18996224 registers.esi: 42317 registers.ecx: 56320	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb 52 ba 16 7d fe 6f f7 da 81 ea ca b2 0d 18 e9 exception.symbol: amadka+0x20c2e1 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2147041 exception.address: 0x122c2e1 registers.esp: 3341620 registers.edi: 17349122 registers.eax: 27491 registers.ebp: 4007374868 registers.edx: 6 registers.ebx: 31261518 registers.esi: 1968968720 registers.ecx: 19054889	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb 68 51 ee 0c 29 89 04 24 89 14 24 c7 04 24 81 exception.symbol: amadka+0x20c5f1 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2147825 exception.address: 0x122c5f1 registers.esp: 3341624 registers.edi: 17349122 registers.eax: 27491 registers.ebp: 4007374868 registers.edx: 0 registers.ebx: 3923872081 registers.esi: 1968968720 registers.ecx: 19057816	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb e9 6a fe ff ff 57 bf e3 cb 29 72 81 e9 2d 85 exception.symbol: amadka+0x20d25f exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2151007 exception.address: 0x122d25f registers.esp: 3341620 registers.edi: 17349122 registers.eax: 19058293 registers.ebp: 4007374868 registers.edx: 0 registers.ebx: 479026537 registers.esi: 1968968720 registers.ecx: 19057816	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb 51 c7 04 24 75 9d 35 5b 89 1c 24 e9 d7 06 00 exception.symbol: amadka+0x20cf98 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2150296 exception.address: 0x122cf98 registers.esp: 3341624 registers.edi: 17349122 registers.eax: 19090103 registers.ebp: 4007374868 registers.edx: 0 registers.ebx: 479026537 registers.esi: 1968968720 registers.ecx: 19057816	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb 51 89 e1 52 ba 04 00 00 00 01 d1 5a 83 e9 04 exception.symbol: amadka+0x20d301 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2151169 exception.address: 0x122d301 registers.esp: 3341624 registers.edi: 191465 registers.eax: 19090103 registers.ebp: 4007374868 registers.edx: 4294938212 registers.ebx: 479026537 registers.esi: 1968968720 registers.ecx: 19057816	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb 68 90 98 11 2b 89 0c 24 c7 04 24 57 ff ab 5d exception.symbol: amadka+0x2101b7 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2163127 exception.address: 0x12301b7 registers.esp: 3341624 registers.edi: 191465 registers.eax: 27707 registers.ebp: 4007374868 registers.edx: 1487180135 registers.ebx: 19098828 registers.esi: 1968968720 registers.ecx: 1487180135	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb 50 89 34 24 89 1c 24 89 0c 24 51 89 1c 24 bb exception.symbol: amadka+0x210473 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2163827 exception.address: 0x1230473 registers.esp: 3341624 registers.edi: 191465 registers.eax: 27707 registers.ebp: 4007374868 registers.edx: 1179202795 registers.ebx: 19073736 registers.esi: 0 registers.ecx: 1487180135	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb 57 e9 d4 fe ff ff 81 c7 4a f1 4e 65 81 f7 8b exception.symbol: amadka+0x213e76 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2178678 exception.address: 0x1233e76 registers.esp: 3341616 registers.edi: 19112941 registers.eax: 27650 registers.ebp: 4007374868 registers.edx: 944850847 registers.ebx: 84201 registers.esi: 0 registers.ecx: 4294942036	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb 29 c0 ff 34 02 ff 34 24 ff 34 24 5e 52 89 e2 exception.symbol: amadka+0x236735 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2320181 exception.address: 0x1256735 registers.esp: 3341584 registers.edi: 0 registers.eax: 27875 registers.ebp: 4007374868 registers.edx: 19255719 registers.ebx: 1769528282 registers.esi: 19222715 registers.ecx: 2134376448	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb 50 b8 a5 26 17 7d 05 1c 33 ba 90 89 c1 e9 40 exception.symbol: amadka+0x2368d9 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2320601 exception.address: 0x12568d9 registers.esp: 3341584 registers.edi: 0 registers.eax: 4294941924 registers.ebp: 4007374868 registers.edx: 19255719 registers.ebx: 1769528282 registers.esi: 176855400 registers.ecx: 2134376448	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb 52 ba d6 ba 13 7f 81 c3 26 a8 ef 56 81 eb 67 exception.symbol: amadka+0x23897c exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2328956 exception.address: 0x125897c registers.esp: 3341580 registers.edi: 0 registers.eax: 28252 registers.ebp: 4007374868 registers.edx: 19255719 registers.ebx: 19236401 registers.esi: 196090030 registers.ecx: 38490349	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 e9 6e 0b 00 00 2d e0 12 f7 43 e9 8d exception.symbol: amadka+0x238666 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2328166 exception.address: 0x1258666 registers.esp: 3341584 registers.edi: 0 registers.eax: 28252 registers.ebp: 4007374868 registers.edx: 19255719 registers.ebx: 19264653 registers.esi: 196090030 registers.ecx: 38490349	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb e9 d1 ff ff ff 81 e3 64 a8 3c 3c e9 93 06 00 exception.symbol: amadka+0x2387e9 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2328553 exception.address: 0x12587e9 registers.esp: 3341584 registers.edi: 4294942344 registers.eax: 2179303765 registers.ebp: 4007374868 registers.edx: 19255719 registers.ebx: 19264653 registers.esi: 196090030 registers.ecx: 38490349	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb e9 5d 02 00 00 53 54 5b 57 bf 9f f0 f3 35 f7 exception.symbol: amadka+0x2395da exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2332122 exception.address: 0x12595da registers.esp: 3341584 registers.edi: 4294942344 registers.eax: 19267625 registers.ebp: 4007374868 registers.edx: 4294942828 registers.ebx: 8579411 registers.esi: 196090030 registers.ecx: 910033646	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb e9 e8 fb ff ff 09 df 5b f7 d7 e9 34 00 00 00 exception.symbol: amadka+0x23aa84 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2337412 exception.address: 0x125aa84 registers.esp: 3341580 registers.edi: 19243551 registers.eax: 27129 registers.ebp: 4007374868 registers.edx: 4294942828 registers.ebx: 2034931097 registers.esi: 196090030 registers.ecx: 1699965335	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb 68 5b 75 3a 36 89 04 24 c7 04 24 8e 2d 09 30 exception.symbol: amadka+0x23a3ff exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2335743 exception.address: 0x125a3ff registers.esp: 3341584 registers.edi: 19270680 registers.eax: 27129 registers.ebp: 4007374868 registers.edx: 4294942828 registers.ebx: 4294942808 registers.esi: 1459645024 registers.ecx: 1699965335	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb 29 c0 e9 1e ff ff ff c1 ee 01 e9 32 fe ff ff exception.symbol: amadka+0x23b909 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2341129 exception.address: 0x125b909 registers.esp: 3341584 registers.edi: 19276499 registers.eax: 27553 registers.ebp: 4007374868 registers.edx: 627350324 registers.ebx: 4294942808 registers.esi: 1979967680 registers.ecx: 0	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb 56 e9 30 fe ff ff f7 d5 55 ff 74 24 04 e9 3c exception.symbol: amadka+0x23b9c8 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2341320 exception.address: 0x125b9c8 registers.esp: 3341584 registers.edi: 19276499 registers.eax: 4294942632 registers.ebp: 4007374868 registers.edx: 627350324 registers.ebx: 2298801283 registers.esi: 1979967680 registers.ecx: 0	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb 51 89 e1 56 e9 0a 00 00 00 be f7 42 d3 7f e9 exception.symbol: amadka+0x23ffad exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2359213 exception.address: 0x125ffad registers.esp: 3341584 registers.edi: 19270309 registers.eax: 26451 registers.ebp: 4007374868 registers.edx: 19266425 registers.ebx: 0 registers.esi: 1979967680 registers.ecx: 74473	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb 51 c7 04 24 95 3d fe 1b 89 34 24 89 2c 24 83 exception.symbol: amadka+0x242c70 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2370672 exception.address: 0x1262c70 registers.esp: 3341584 registers.edi: 19270309 registers.eax: 0 registers.ebp: 4007374868 registers.edx: 157417 registers.ebx: 1073448776 registers.esi: 19280422 registers.ecx: 2079146249	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb 53 54 5b 81 c3 04 00 00 00 81 eb 04 00 00 00 exception.symbol: amadka+0x244cea exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2378986 exception.address: 0x1264cea registers.esp: 3341584 registers.edi: 19316276 registers.eax: 31815 registers.ebp: 4007374868 registers.edx: 19282185 registers.ebx: 38917088 registers.esi: 1823688775 registers.ecx: 3343528867	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb b8 96 5b f9 6e 31 f8 e9 00 00 00 00 31 c7 31 exception.symbol: amadka+0x244c02 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2378754 exception.address: 0x1264c02 registers.esp: 3341584 registers.edi: 19287732 registers.eax: 31815 registers.ebp: 4007374868 registers.edx: 19282185 registers.ebx: 38917088 registers.esi: 3404289109 registers.ecx: 0	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb 29 d2 ff 34 13 e9 7b 03 00 00 09 d7 e9 14 fc exception.symbol: amadka+0x25b5b8 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2471352 exception.address: 0x127b5b8 registers.esp: 3341584 registers.edi: 19357301 registers.eax: 28697 registers.ebp: 4007374868 registers.edx: 2130566132 registers.ebx: 19407021 registers.esi: 19309565 registers.ecx: 0	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb 53 83 ec 04 e9 0a 01 00 00 01 f5 8b 34 24 81 exception.symbol: amadka+0x25b705 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2471685 exception.address: 0x127b705 registers.esp: 3341584 registers.edi: 19357301 registers.eax: 28697 registers.ebp: 4007374868 registers.edx: 4294941540 registers.ebx: 19407021 registers.esi: 19309565 registers.ecx: 59729	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb 55 55 c7 04 24 71 84 57 3f 81 34 24 68 a2 11 exception.symbol: amadka+0x25c4b4 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2475188 exception.address: 0x127c4b4 registers.esp: 3341584 registers.edi: 19357301 registers.eax: 26947 registers.ebp: 4007374868 registers.edx: 19408564 registers.ebx: 74779251 registers.esi: 19309565 registers.ecx: 59729	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb 52 56 68 00 a9 ea 7f 5e e9 8e fd ff ff 81 c5 exception.symbol: amadka+0x25c5f3 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2475507 exception.address: 0x127c5f3 registers.esp: 3341584 registers.edi: 19357301 registers.eax: 20572496 registers.ebp: 4007374868 registers.edx: 19385284 registers.ebx: 74779251 registers.esi: 19309565 registers.ecx: 0	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb e9 5c fd ff ff 29 d0 05 4f a1 fb 7d 8b 14 24 exception.symbol: amadka+0x26864c exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2524748 exception.address: 0x128864c registers.esp: 3341584 registers.edi: 19411095 registers.eax: 29218 registers.ebp: 4007374868 registers.edx: 0 registers.ebx: 4022039805 registers.esi: 19434566 registers.ecx: 3914420816	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb 81 c2 54 55 ff 6f 57 e9 d0 fb ff ff 81 c4 04 exception.symbol: amadka+0x2705ff exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2557439 exception.address: 0x12905ff registers.esp: 3341580 registers.edi: 0 registers.eax: 29354 registers.ebp: 4007374868 registers.edx: 19464062 registers.ebx: 19441746 registers.esi: 4243720 registers.ecx: 0	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb 51 89 e1 81 c1 04 00 00 00 e9 b6 fa ff ff 51 exception.symbol: amadka+0x270644 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2557508 exception.address: 0x1290644 registers.esp: 3341584 registers.edi: 0 registers.eax: 29354 registers.ebp: 4007374868 registers.edx: 19493416 registers.ebx: 19441746 registers.esi: 4243720 registers.ecx: 0	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb 53 55 bd 97 bd 7e 67 52 ba 3b 34 bb 1f 4a e9 exception.symbol: amadka+0x270bec exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2558956 exception.address: 0x1290bec registers.esp: 3341584 registers.edi: 0 registers.eax: 322689 registers.ebp: 4007374868 registers.edx: 19467260 registers.ebx: 19441746 registers.esi: 4243720 registers.ecx: 0	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb e9 1a 01 00 00 81 f2 4a 06 38 08 89 d6 8b 14 exception.symbol: amadka+0x27f3d5 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2618325 exception.address: 0x129f3d5 registers.esp: 3341580 registers.edi: 0 registers.eax: 26561 registers.ebp: 4007374868 registers.edx: 11 registers.ebx: 19496345 registers.esi: 4243720 registers.ecx: 19524894	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb 50 e9 f8 00 00 00 81 c3 fe 9d ff e7 29 d9 5b exception.symbol: amadka+0x27f54b exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2618699 exception.address: 0x129f54b registers.esp: 3341584 registers.edi: 0 registers.eax: 26561 registers.ebp: 4007374868 registers.edx: 11 registers.ebx: 19496345 registers.esi: 4243720 registers.ecx: 19551455	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb 52 e9 29 00 00 00 81 c2 a9 78 fd 76 42 81 c2 exception.symbol: amadka+0x27ee00 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2616832 exception.address: 0x129ee00 registers.esp: 3341584 registers.edi: 0 registers.eax: 12642640 registers.ebp: 4007374868 registers.edx: 11 registers.ebx: 19496345 registers.esi: 0 registers.ecx: 19528127	1
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 04 24 c7 04 24 71 e2 5d 4b 68 ef exception.symbol: amadka+0x289d79 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2661753 exception.address: 0x12a9d79 registers.esp: 3341584 registers.edi: 4007374868 registers.eax: 2298801283 registers.ebp: 4007374868 registers.edx: 4294937512 registers.ebx: 4026251895 registers.esi: 19600799 registers.ecx: 2134376448	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header, POST method with no useragent header, Connection to IP address

suspicious_request

POST http://77.91.77.82/Hun4Ko/index.php

Performs some HTTP requests (1 event)

request

POST http://77.91.77.82/Hun4Ko/index.php

Sends data using the HTTP POST Method (1 event)

request

POST http://77.91.77.82/Hun4Ko/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 60 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01021000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00540000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2560 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2560 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2560 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ce0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2560 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00fa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00fb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00fc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00fd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73402000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02fb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 6:55 p.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004720000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010b1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2824 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2824 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2824 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ca0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2824 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2024, 7:01 p.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00fd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

explorti.exe tried to sleep 1138 seconds, actually delayed analysis time by 1138 seconds

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\ad40971b6b\explorti.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\ad40971b6b\explorti.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW July 7, 2024, 7:01 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\ad40971b6b\explorti.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\ad40971b6b\explorti.exe	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0002dc00', u'virtual_address': u'0x00001000', u'entropy': 7.9784447306887225, u'name': u' \\x00 ', u'virtual_size': u'0x00068000'}

entropy

7.97844473069

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x001a2000', u'virtual_address': u'0x00315000', u'entropy': 7.953095710148307, u'name': u'ardsdpuc', u'virtual_size': u'0x001a2000'}

entropy

7.95309571015

description

A section with a high entropy has been found

entropy

0.994105037513

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Communicates with host for which no DNS query was performed (2 events)

host	77.91.77.81
host	77.91.77.82

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 355 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA July 7, 2024, 7:01 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA July 7, 2024, 7:01 p.m.	class_name: OLLYDBG window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (1 event)

file	C:\Windows\Tasks\explorti.job

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 7, 2024, 7:01 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 81 ec 04 00 00 00 89 0c exception.symbol: amadka+0x1f55f7 exception.instruction: in eax, dx exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2053623 exception.address: 0x12155f7 registers.esp: 3341616 registers.edi: 134889 registers.eax: 1447909480 registers.ebp: 4007374868 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 18956855 registers.ecx: 20	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

77.91.77.81:80

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Themida.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
CAT-QuickHeal	Trojan.Generic
Skyhigh	BehavesLike.Win32.Generic.tc
ALYac	Trojan.GenericKDZ.107549
Cylance	Unsafe
VIPRE	Trojan.GenericKDZ.107549
Sangfor	Trojan.Win32.Themida.Vfsb
K7AntiVirus	Trojan ( 00587f0f1 )
BitDefender	Trojan.GenericKDZ.107549
K7GW	Trojan ( 00587f0f1 )
Arcabit	Trojan.Generic.D1A41D
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
APEX	Malicious
Avast	Win32:Evo-gen [Trj]
Kaspersky	HEUR:Trojan.Win32.Generic
Alibaba	Packed:Win32/Themida.f19f8ce4
MicroWorld-eScan	Trojan.GenericKDZ.107549
Rising	Trojan.Generic!8.C3 (CLOUD)
Emsisoft	Trojan.GenericKDZ.107549 (B)
F-Secure	Trojan.TR/Crypt.TPM.Gen
DrWeb	Trojan.MulDrop27.61761
TrendMicro	TrojanSpy.Win32.STEALC.YXEGEZ
McAfeeD	Real Protect-LS!29AF55C68D51
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.29af55c68d51c9ef
Sophos	Mal/Generic-S
Ikarus	Trojan.Win32.Themida
Webroot	W32.Trojan.Gen
Google	Detected
Avira	TR/Crypt.TPM.Gen
MAX	malware (ai score=80)
Kingsoft	Win32.HeurC.KVMH008.a
Gridinsoft	Trojan.Win32.Amadey.tr
Microsoft	Trojan:Win32/Multiverze
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Trojan.GenericKDZ.107549
Varist	W32/ABTrojan.OJHP-4528
AhnLab-V3	Trojan/Win.Generic.R645974
BitDefenderTheta	Gen:NN.ZexaF.36808.0DWaaWPmUyji
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.Amadey
Panda	Trj/CI.A
Zoner	Probably Heur.ExeHeaderL
TrendMicro-HouseCall	TrojanSpy.Win32.STEALC.YXEGEZ
Tencent	Trojan-DL.Win32.Deyma.kh

amadka.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All