Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 28, 2021, 1:33 p.m.	July 28, 2021, 1:35 p.m.

Size	1.2MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`b16a969889a73f13d88f215ad5ce6931`
SHA256	`670bf2bad23645b731a67e3299f4f1692da3bdaa711c588b17024ed916e55438`
CRC32	`835C6912`
ssdeep	`24576:9LgLbWbzN9zjAHe+SLPFXob5BF1LwzZnFiYWr9DX0f1Bolzw:ZUCPN1E++EaFBwNF+9DEdBMw`
Yara	IsPE32 - (no description) Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature NPKI_Zero - File included NPKI

k.exe "C:\Users\test22\AppData\Local\Temp\k.exe"
1440
- kavachv3.exe "C:\Users\test22\AppData\Roaming\kavachv3.exe"
  1612
  - netsh.exe netsh firewall add allowedprogram "C:\Users\test22\AppData\Roaming\kavachv3.exe" "kavachv3.exe" ENABLE
    264

Name	Response	Post-Analysis Lookup
kavachhost.ddns.net	A 161.97.164.143	161.97.164.143

IP Address	Status	Action
161.97.164.143	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:57684 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameA July 28, 2021, 1:33 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 28, 2021, 1:33 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 28, 2021, 1:33 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 28, 2021, 1:33 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 28, 2021, 1:33 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 28, 2021, 1:33 p.m.			0	0
IsDebuggerPresent July 28, 2021, 1:33 p.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleA July 28, 2021, 1:33 p.m.	buffer: IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488 . console_handle: 0x00000007	1	1	0
WriteConsoleA July 28, 2021, 1:33 p.m.	buffer: Ok. console_handle: 0x00000007	1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

One or more processes crashed (50 out of 61 events)

Time & API	Arguments	Status
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: k+0x1b9184 @ 0x1039184 k+0x1bbbf2 @ 0x103bbf2 k+0x2a7100 @ 0x1127100 exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: k+0xfb300 exception.instruction: ud2 exception.module: k.exe exception.exception_code: 0xc000001d exception.offset: 1028864 exception.address: 0xf7b300 registers.esp: 1374184 registers.edi: 17989872 registers.eax: 0 registers.ebp: 1374212 registers.edx: 2 registers.ebx: 711990620 registers.esi: 15466496 registers.ecx: 10696564	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: k+0x1b9184 @ 0x1039184 k+0x1bbbf2 @ 0x103bbf2 k+0x2a7100 @ 0x1127100 exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: k+0xfb2d5 exception.instruction: div eax exception.module: k.exe exception.exception_code: 0xc0000094 exception.offset: 1028821 exception.address: 0xf7b2d5 registers.esp: 1374184 registers.edi: 1374184 registers.eax: 0 registers.ebp: 1374212 registers.edx: 0 registers.ebx: 16233238 registers.esi: 0 registers.ecx: 1374220	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: k+0x1b9184 @ 0x1039184 k+0x1bbbf2 @ 0x103bbf2 k+0x2a7100 @ 0x1127100 exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: k+0xfb2d5 exception.instruction: div eax exception.module: k.exe exception.exception_code: 0xc0000094 exception.offset: 1028821 exception.address: 0xf7b2d5 registers.esp: 1374184 registers.edi: 1374184 registers.eax: 0 registers.ebp: 1374212 registers.edx: 0 registers.ebx: 16233195 registers.esi: 0 registers.ecx: 1374220	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: k+0x1b9184 @ 0x1039184 k+0x1bbbf2 @ 0x103bbf2 k+0x2a7100 @ 0x1127100 exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: k+0xfb2d5 exception.instruction: div eax exception.module: k.exe exception.exception_code: 0xc0000094 exception.offset: 1028821 exception.address: 0xf7b2d5 registers.esp: 1374184 registers.edi: 1374184 registers.eax: 0 registers.ebp: 1374212 registers.edx: 0 registers.ebx: 16233195 registers.esi: 0 registers.ecx: 1374220	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: k+0x1b9184 @ 0x1039184 k+0x1bbbf2 @ 0x103bbf2 k+0x2a7100 @ 0x1127100 exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: k+0xfb2d5 exception.instruction: div eax exception.module: k.exe exception.exception_code: 0xc0000094 exception.offset: 1028821 exception.address: 0xf7b2d5 registers.esp: 1374184 registers.edi: 1374184 registers.eax: 0 registers.ebp: 1374212 registers.edx: 0 registers.ebx: 16233195 registers.esi: 0 registers.ecx: 1374220	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: k+0x1b9184 @ 0x1039184 k+0x1bbbf2 @ 0x103bbf2 k+0x2a7100 @ 0x1127100 exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: k+0xfb2d5 exception.instruction: div eax exception.module: k.exe exception.exception_code: 0xc0000094 exception.offset: 1028821 exception.address: 0xf7b2d5 registers.esp: 1374184 registers.edi: 1374184 registers.eax: 0 registers.ebp: 1374212 registers.edx: 0 registers.ebx: 16233195 registers.esi: 0 registers.ecx: 1374220	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: k+0x1c1ecd @ 0x1041ecd k+0x1bbc0a @ 0x103bc0a k+0x2a7100 @ 0x1127100 exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: k+0xfb2d5 exception.instruction: div eax exception.module: k.exe exception.exception_code: 0xc0000094 exception.offset: 1028821 exception.address: 0xf7b2d5 registers.esp: 1374112 registers.edi: 16781808 registers.eax: 0 registers.ebp: 1374140 registers.edx: 0 registers.ebx: 11272192 registers.esi: 15466496 registers.ecx: 15466496	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: k+0x1c1ecd @ 0x1041ecd k+0x1bbc0a @ 0x103bc0a k+0x2a7100 @ 0x1127100 exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: k+0xfb300 exception.instruction: ud2 exception.module: k.exe exception.exception_code: 0xc000001d exception.offset: 1028864 exception.address: 0xf7b300 registers.esp: 1374112 registers.edi: 1374112 registers.eax: 0 registers.ebp: 1374140 registers.edx: 2 registers.ebx: 16233195 registers.esi: 0 registers.ecx: 1374148	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: k+0x1c219b @ 0x104219b k+0x1bbc0a @ 0x103bc0a k+0x2a7100 @ 0x1127100 exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: k+0xfb2d5 exception.instruction: div eax exception.module: k.exe exception.exception_code: 0xc0000094 exception.offset: 1028821 exception.address: 0xf7b2d5 registers.esp: 1374112 registers.edi: 16781808 registers.eax: 0 registers.ebp: 1374140 registers.edx: 0 registers.ebx: 11272192 registers.esi: 15466496 registers.ecx: 0	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: k+0x1c219b @ 0x104219b k+0x1bbc0a @ 0x103bc0a k+0x2a7100 @ 0x1127100 exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: k+0xfb300 exception.instruction: ud2 exception.module: k.exe exception.exception_code: 0xc000001d exception.offset: 1028864 exception.address: 0xf7b300 registers.esp: 1374112 registers.edi: 1374112 registers.eax: 0 registers.ebp: 1374140 registers.edx: 2 registers.ebx: 16233195 registers.esi: 0 registers.ecx: 1374148	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: k+0x1c219b @ 0x104219b k+0x1bbc0a @ 0x103bc0a k+0x2a7100 @ 0x1127100 exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: k+0xfb2d5 exception.instruction: div eax exception.module: k.exe exception.exception_code: 0xc0000094 exception.offset: 1028821 exception.address: 0xf7b2d5 registers.esp: 1374112 registers.edi: 1374112 registers.eax: 0 registers.ebp: 1374140 registers.edx: 0 registers.ebx: 16233238 registers.esi: 0 registers.ecx: 1374148	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: k+0x1c219b @ 0x104219b k+0x1bbc0a @ 0x103bc0a k+0x2a7100 @ 0x1127100 exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: k+0xfb300 exception.instruction: ud2 exception.module: k.exe exception.exception_code: 0xc000001d exception.offset: 1028864 exception.address: 0xf7b300 registers.esp: 1374112 registers.edi: 1374112 registers.eax: 0 registers.ebp: 1374140 registers.edx: 2 registers.ebx: 16233195 registers.esi: 0 registers.ecx: 1374148	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: k+0x1c219b @ 0x104219b k+0x1bbc0a @ 0x103bc0a k+0x2a7100 @ 0x1127100 exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: k+0xfb300 exception.instruction: ud2 exception.module: k.exe exception.exception_code: 0xc000001d exception.offset: 1028864 exception.address: 0xf7b300 registers.esp: 1374112 registers.edi: 1374112 registers.eax: 0 registers.ebp: 1374140 registers.edx: 2 registers.ebx: 16233238 registers.esi: 0 registers.ecx: 1374148	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: k+0x1c219b @ 0x104219b k+0x1bbc0a @ 0x103bc0a k+0x2a7100 @ 0x1127100 exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: k+0xfb2d5 exception.instruction: div eax exception.module: k.exe exception.exception_code: 0xc0000094 exception.offset: 1028821 exception.address: 0xf7b2d5 registers.esp: 1374112 registers.edi: 1374112 registers.eax: 0 registers.ebp: 1374140 registers.edx: 0 registers.ebx: 16233238 registers.esi: 0 registers.ecx: 1374148	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: k+0x1c232f @ 0x104232f k+0x1bbc0a @ 0x103bc0a k+0x2a7100 @ 0x1127100 exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: k+0xfb300 exception.instruction: ud2 exception.module: k.exe exception.exception_code: 0xc000001d exception.offset: 1028864 exception.address: 0xf7b300 registers.esp: 1374112 registers.edi: 16781808 registers.eax: 0 registers.ebp: 1374140 registers.edx: 2 registers.ebx: 11272192 registers.esi: 15466496 registers.ecx: 1374140	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: k+0x1c232f @ 0x104232f k+0x1bbc0a @ 0x103bc0a k+0x2a7100 @ 0x1127100 exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: k+0xfb300 exception.instruction: ud2 exception.module: k.exe exception.exception_code: 0xc000001d exception.offset: 1028864 exception.address: 0xf7b300 registers.esp: 1374112 registers.edi: 1374112 registers.eax: 0 registers.ebp: 1374140 registers.edx: 2 registers.ebx: 16233238 registers.esi: 0 registers.ecx: 1374148	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: k+0x1c2526 @ 0x1042526 k+0x1bbc0a @ 0x103bc0a k+0x2a7100 @ 0x1127100 exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: k+0xfb300 exception.instruction: ud2 exception.module: k.exe exception.exception_code: 0xc000001d exception.offset: 1028864 exception.address: 0xf7b300 registers.esp: 1374112 registers.edi: 16781808 registers.eax: 0 registers.ebp: 1374140 registers.edx: 2 registers.ebx: 11272192 registers.esi: 15466496 registers.ecx: 0	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: k+0x1c2526 @ 0x1042526 k+0x1bbc0a @ 0x103bc0a k+0x2a7100 @ 0x1127100 exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: k+0xfb2d5 exception.instruction: div eax exception.module: k.exe exception.exception_code: 0xc0000094 exception.offset: 1028821 exception.address: 0xf7b2d5 registers.esp: 1374112 registers.edi: 1374112 registers.eax: 0 registers.ebp: 1374140 registers.edx: 0 registers.ebx: 16233238 registers.esi: 0 registers.ecx: 1374148	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: k+0x1c2526 @ 0x1042526 k+0x1bbc0a @ 0x103bc0a k+0x2a7100 @ 0x1127100 exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: k+0xfb300 exception.instruction: ud2 exception.module: k.exe exception.exception_code: 0xc000001d exception.offset: 1028864 exception.address: 0xf7b300 registers.esp: 1374112 registers.edi: 1374112 registers.eax: 0 registers.ebp: 1374140 registers.edx: 2 registers.ebx: 16233195 registers.esi: 0 registers.ecx: 1374148	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: k+0x1c2526 @ 0x1042526 k+0x1bbc0a @ 0x103bc0a k+0x2a7100 @ 0x1127100 exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: k+0xfb2d5 exception.instruction: div eax exception.module: k.exe exception.exception_code: 0xc0000094 exception.offset: 1028821 exception.address: 0xf7b2d5 registers.esp: 1374112 registers.edi: 1374112 registers.eax: 0 registers.ebp: 1374140 registers.edx: 0 registers.ebx: 16233238 registers.esi: 0 registers.ecx: 1374148	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: k+0x1c2526 @ 0x1042526 k+0x1bbc0a @ 0x103bc0a k+0x2a7100 @ 0x1127100 exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: k+0xfb300 exception.instruction: ud2 exception.module: k.exe exception.exception_code: 0xc000001d exception.offset: 1028864 exception.address: 0xf7b300 registers.esp: 1374112 registers.edi: 1374112 registers.eax: 0 registers.ebp: 1374140 registers.edx: 2 registers.ebx: 16233195 registers.esi: 0 registers.ecx: 1374148	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: k+0x1c2526 @ 0x1042526 k+0x1bbc0a @ 0x103bc0a k+0x2a7100 @ 0x1127100 exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: k+0xfb2d5 exception.instruction: div eax exception.module: k.exe exception.exception_code: 0xc0000094 exception.offset: 1028821 exception.address: 0xf7b2d5 registers.esp: 1374112 registers.edi: 1374112 registers.eax: 0 registers.ebp: 1374140 registers.edx: 0 registers.ebx: 16233238 registers.esi: 0 registers.ecx: 1374148	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: k+0x1c2526 @ 0x1042526 k+0x1bbc0a @ 0x103bc0a k+0x2a7100 @ 0x1127100 exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: k+0xfb2d5 exception.instruction: div eax exception.module: k.exe exception.exception_code: 0xc0000094 exception.offset: 1028821 exception.address: 0xf7b2d5 registers.esp: 1374112 registers.edi: 1374112 registers.eax: 0 registers.ebp: 1374140 registers.edx: 0 registers.ebx: 16233195 registers.esi: 0 registers.ecx: 1374148	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: k+0x1c2637 @ 0x1042637 k+0x1bbc0a @ 0x103bc0a k+0x2a7100 @ 0x1127100 exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: k+0xfb300 exception.instruction: ud2 exception.module: k.exe exception.exception_code: 0xc000001d exception.offset: 1028864 exception.address: 0xf7b300 registers.esp: 1374112 registers.edi: 16781808 registers.eax: 0 registers.ebp: 1374140 registers.edx: 2 registers.ebx: 11272192 registers.esi: 15466496 registers.ecx: 1320987	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: k+0x1c2637 @ 0x1042637 k+0x1bbc0a @ 0x103bc0a k+0x2a7100 @ 0x1127100 exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: k+0xfb300 exception.instruction: ud2 exception.module: k.exe exception.exception_code: 0xc000001d exception.offset: 1028864 exception.address: 0xf7b300 registers.esp: 1374112 registers.edi: 1374112 registers.eax: 0 registers.ebp: 1374140 registers.edx: 2 registers.ebx: 16233238 registers.esi: 0 registers.ecx: 1374148	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: k+0x1c2637 @ 0x1042637 k+0x1bbc0a @ 0x103bc0a k+0x2a7100 @ 0x1127100 exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: k+0xfb300 exception.instruction: ud2 exception.module: k.exe exception.exception_code: 0xc000001d exception.offset: 1028864 exception.address: 0xf7b300 registers.esp: 1374112 registers.edi: 1374112 registers.eax: 0 registers.ebp: 1374140 registers.edx: 2 registers.ebx: 16233238 registers.esi: 0 registers.ecx: 1374148	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: k+0x1c2637 @ 0x1042637 k+0x1bbc0a @ 0x103bc0a k+0x2a7100 @ 0x1127100 exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: k+0xfb300 exception.instruction: ud2 exception.module: k.exe exception.exception_code: 0xc000001d exception.offset: 1028864 exception.address: 0xf7b300 registers.esp: 1374112 registers.edi: 1374112 registers.eax: 0 registers.ebp: 1374140 registers.edx: 2 registers.ebx: 16233238 registers.esi: 0 registers.ecx: 1374148	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: 0x3840285 0x3840090 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73da1b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73db8dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73dc6a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73dc6a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73dc6a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73e66a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73e669ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73e66eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73e670b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73e66fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7495f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74a57f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74a54de3 0xffffffff exception.instruction_r: 39 09 e8 db 43 45 6f 8b c8 e8 94 48 5f 70 8b f0 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x3840462 registers.esp: 1371184 registers.edi: 69629344 registers.eax: 69603736 registers.ebp: 1371220 registers.edx: 69629344 registers.ebx: 69629828 registers.esi: 0 registers.ecx: 0	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: kavachv3+0x1b9184 @ 0xb89184 kavachv3+0x1bbbf2 @ 0xb8bbf2 kavachv3+0x2a7100 @ 0xc77100 exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: kavachv3+0xfb300 exception.instruction: ud2 exception.module: kavachv3.exe exception.exception_code: 0xc000001d exception.offset: 1028864 exception.address: 0xacb300 registers.esp: 2554128 registers.edi: 13074672 registers.eax: 0 registers.ebp: 2554156 registers.edx: 2 registers.ebx: 711990620 registers.esi: 10551296 registers.ecx: 36386688	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: kavachv3+0x1b9184 @ 0xb89184 kavachv3+0x1bbbf2 @ 0xb8bbf2 kavachv3+0x2a7100 @ 0xc77100 exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: kavachv3+0xfb300 exception.instruction: ud2 exception.module: kavachv3.exe exception.exception_code: 0xc000001d exception.offset: 1028864 exception.address: 0xacb300 registers.esp: 2554128 registers.edi: 2554128 registers.eax: 0 registers.ebp: 2554156 registers.edx: 2 registers.ebx: 11318038 registers.esi: 0 registers.ecx: 2554164	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: kavachv3+0x1b9184 @ 0xb89184 kavachv3+0x1bbbf2 @ 0xb8bbf2 kavachv3+0x2a7100 @ 0xc77100 exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: kavachv3+0xfb300 exception.instruction: ud2 exception.module: kavachv3.exe exception.exception_code: 0xc000001d exception.offset: 1028864 exception.address: 0xacb300 registers.esp: 2554128 registers.edi: 2554128 registers.eax: 0 registers.ebp: 2554156 registers.edx: 2 registers.ebx: 11318038 registers.esi: 0 registers.ecx: 2554164	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: kavachv3+0x1b9184 @ 0xb89184 kavachv3+0x1bbbf2 @ 0xb8bbf2 kavachv3+0x2a7100 @ 0xc77100 exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: kavachv3+0xfb300 exception.instruction: ud2 exception.module: kavachv3.exe exception.exception_code: 0xc000001d exception.offset: 1028864 exception.address: 0xacb300 registers.esp: 2554128 registers.edi: 2554128 registers.eax: 0 registers.ebp: 2554156 registers.edx: 2 registers.ebx: 11318038 registers.esi: 0 registers.ecx: 2554164	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: kavachv3+0x1b9184 @ 0xb89184 kavachv3+0x1bbbf2 @ 0xb8bbf2 kavachv3+0x2a7100 @ 0xc77100 exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: kavachv3+0xfb300 exception.instruction: ud2 exception.module: kavachv3.exe exception.exception_code: 0xc000001d exception.offset: 1028864 exception.address: 0xacb300 registers.esp: 2554128 registers.edi: 2554128 registers.eax: 0 registers.ebp: 2554156 registers.edx: 2 registers.ebx: 11318038 registers.esi: 0 registers.ecx: 2554164	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: kavachv3+0x1b9184 @ 0xb89184 kavachv3+0x1bbbf2 @ 0xb8bbf2 kavachv3+0x2a7100 @ 0xc77100 exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: kavachv3+0xfb2d5 exception.instruction: div eax exception.module: kavachv3.exe exception.exception_code: 0xc0000094 exception.offset: 1028821 exception.address: 0xacb2d5 registers.esp: 2554128 registers.edi: 2554128 registers.eax: 0 registers.ebp: 2554156 registers.edx: 0 registers.ebx: 11318038 registers.esi: 0 registers.ecx: 2554164	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: kavachv3+0x1c1ecd @ 0xb91ecd kavachv3+0x1bbc0a @ 0xb8bc0a kavachv3+0x2a7100 @ 0xc77100 exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: kavachv3+0xfb300 exception.instruction: ud2 exception.module: kavachv3.exe exception.exception_code: 0xc000001d exception.offset: 1028864 exception.address: 0xacb300 registers.esp: 2554056 registers.edi: 11866608 registers.eax: 0 registers.ebp: 2554084 registers.edx: 2 registers.ebx: 6356992 registers.esi: 10551296 registers.ecx: 10551296	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: kavachv3+0x1c1ecd @ 0xb91ecd kavachv3+0x1bbc0a @ 0xb8bc0a kavachv3+0x2a7100 @ 0xc77100 exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: kavachv3+0xfb2d5 exception.instruction: div eax exception.module: kavachv3.exe exception.exception_code: 0xc0000094 exception.offset: 1028821 exception.address: 0xacb2d5 registers.esp: 2554056 registers.edi: 2554056 registers.eax: 0 registers.ebp: 2554084 registers.edx: 0 registers.ebx: 11318038 registers.esi: 0 registers.ecx: 2554092	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: kavachv3+0x1c1ecd @ 0xb91ecd kavachv3+0x1bbc0a @ 0xb8bc0a kavachv3+0x2a7100 @ 0xc77100 exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: kavachv3+0xfb2d5 exception.instruction: div eax exception.module: kavachv3.exe exception.exception_code: 0xc0000094 exception.offset: 1028821 exception.address: 0xacb2d5 registers.esp: 2554056 registers.edi: 2554056 registers.eax: 0 registers.ebp: 2554084 registers.edx: 0 registers.ebx: 11317995 registers.esi: 0 registers.ecx: 2554092	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: kavachv3+0x1c1ecd @ 0xb91ecd kavachv3+0x1bbc0a @ 0xb8bc0a kavachv3+0x2a7100 @ 0xc77100 exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: kavachv3+0xfb300 exception.instruction: ud2 exception.module: kavachv3.exe exception.exception_code: 0xc000001d exception.offset: 1028864 exception.address: 0xacb300 registers.esp: 2554056 registers.edi: 2554056 registers.eax: 0 registers.ebp: 2554084 registers.edx: 2 registers.ebx: 11317995 registers.esi: 0 registers.ecx: 2554092	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: kavachv3+0x1c219b @ 0xb9219b kavachv3+0x1bbc0a @ 0xb8bc0a kavachv3+0x2a7100 @ 0xc77100 exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: kavachv3+0xfb300 exception.instruction: ud2 exception.module: kavachv3.exe exception.exception_code: 0xc000001d exception.offset: 1028864 exception.address: 0xacb300 registers.esp: 2554056 registers.edi: 11866608 registers.eax: 0 registers.ebp: 2554084 registers.edx: 2 registers.ebx: 6356992 registers.esi: 10551296 registers.ecx: 0	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: kavachv3+0x1c219b @ 0xb9219b kavachv3+0x1bbc0a @ 0xb8bc0a kavachv3+0x2a7100 @ 0xc77100 exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: kavachv3+0xfb2d5 exception.instruction: div eax exception.module: kavachv3.exe exception.exception_code: 0xc0000094 exception.offset: 1028821 exception.address: 0xacb2d5 registers.esp: 2554056 registers.edi: 2554056 registers.eax: 0 registers.ebp: 2554084 registers.edx: 0 registers.ebx: 11318038 registers.esi: 0 registers.ecx: 2554092	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: kavachv3+0x1c219b @ 0xb9219b kavachv3+0x1bbc0a @ 0xb8bc0a kavachv3+0x2a7100 @ 0xc77100 exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: kavachv3+0xfb2d5 exception.instruction: div eax exception.module: kavachv3.exe exception.exception_code: 0xc0000094 exception.offset: 1028821 exception.address: 0xacb2d5 registers.esp: 2554056 registers.edi: 2554056 registers.eax: 0 registers.ebp: 2554084 registers.edx: 0 registers.ebx: 11317995 registers.esi: 0 registers.ecx: 2554092	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: kavachv3+0x1c219b @ 0xb9219b kavachv3+0x1bbc0a @ 0xb8bc0a kavachv3+0x2a7100 @ 0xc77100 exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: kavachv3+0xfb300 exception.instruction: ud2 exception.module: kavachv3.exe exception.exception_code: 0xc000001d exception.offset: 1028864 exception.address: 0xacb300 registers.esp: 2554056 registers.edi: 2554056 registers.eax: 0 registers.ebp: 2554084 registers.edx: 2 registers.ebx: 11317995 registers.esi: 0 registers.ecx: 2554092	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: kavachv3+0x1c219b @ 0xb9219b kavachv3+0x1bbc0a @ 0xb8bc0a kavachv3+0x2a7100 @ 0xc77100 exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: kavachv3+0xfb2d5 exception.instruction: div eax exception.module: kavachv3.exe exception.exception_code: 0xc0000094 exception.offset: 1028821 exception.address: 0xacb2d5 registers.esp: 2554056 registers.edi: 2554056 registers.eax: 0 registers.ebp: 2554084 registers.edx: 0 registers.ebx: 11318038 registers.esi: 0 registers.ecx: 2554092	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: kavachv3+0x1c219b @ 0xb9219b kavachv3+0x1bbc0a @ 0xb8bc0a kavachv3+0x2a7100 @ 0xc77100 exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: kavachv3+0xfb2d5 exception.instruction: div eax exception.module: kavachv3.exe exception.exception_code: 0xc0000094 exception.offset: 1028821 exception.address: 0xacb2d5 registers.esp: 2554056 registers.edi: 2554056 registers.eax: 0 registers.ebp: 2554084 registers.edx: 0 registers.ebx: 11317995 registers.esi: 0 registers.ecx: 2554092	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: kavachv3+0x1c219b @ 0xb9219b kavachv3+0x1bbc0a @ 0xb8bc0a kavachv3+0x2a7100 @ 0xc77100 exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: kavachv3+0xfb2d5 exception.instruction: div eax exception.module: kavachv3.exe exception.exception_code: 0xc0000094 exception.offset: 1028821 exception.address: 0xacb2d5 registers.esp: 2554056 registers.edi: 2554056 registers.eax: 0 registers.ebp: 2554084 registers.edx: 0 registers.ebx: 11317995 registers.esi: 0 registers.ecx: 2554092	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: kavachv3+0x1c232f @ 0xb9232f kavachv3+0x1bbc0a @ 0xb8bc0a kavachv3+0x2a7100 @ 0xc77100 exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: kavachv3+0xfb300 exception.instruction: ud2 exception.module: kavachv3.exe exception.exception_code: 0xc000001d exception.offset: 1028864 exception.address: 0xacb300 registers.esp: 2554056 registers.edi: 11866608 registers.eax: 0 registers.ebp: 2554084 registers.edx: 2 registers.ebx: 6356992 registers.esi: 10551296 registers.ecx: 2554084	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: kavachv3+0x1c2526 @ 0xb92526 kavachv3+0x1bbc0a @ 0xb8bc0a kavachv3+0x2a7100 @ 0xc77100 exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: kavachv3+0xfb2d5 exception.instruction: div eax exception.module: kavachv3.exe exception.exception_code: 0xc0000094 exception.offset: 1028821 exception.address: 0xacb2d5 registers.esp: 2554056 registers.edi: 11866608 registers.eax: 0 registers.ebp: 2554084 registers.edx: 0 registers.ebx: 6356992 registers.esi: 10551296 registers.ecx: 2618672662	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: kavachv3+0x1c2526 @ 0xb92526 kavachv3+0x1bbc0a @ 0xb8bc0a kavachv3+0x2a7100 @ 0xc77100 exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: kavachv3+0xfb2d5 exception.instruction: div eax exception.module: kavachv3.exe exception.exception_code: 0xc0000094 exception.offset: 1028821 exception.address: 0xacb2d5 registers.esp: 2554056 registers.edi: 2554056 registers.eax: 0 registers.ebp: 2554084 registers.edx: 0 registers.ebx: 11317995 registers.esi: 0 registers.ecx: 2554092	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: kavachv3+0x1c2526 @ 0xb92526 kavachv3+0x1bbc0a @ 0xb8bc0a kavachv3+0x2a7100 @ 0xc77100 exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: kavachv3+0xfb2d5 exception.instruction: div eax exception.module: kavachv3.exe exception.exception_code: 0xc0000094 exception.offset: 1028821 exception.address: 0xacb2d5 registers.esp: 2554056 registers.edi: 2554056 registers.eax: 0 registers.ebp: 2554084 registers.edx: 0 registers.ebx: 11317995 registers.esi: 0 registers.ecx: 2554092	1
__exception__ July 28, 2021, 1:33 p.m.	stacktrace: kavachv3+0x1c2526 @ 0xb92526 kavachv3+0x1bbc0a @ 0xb8bc0a kavachv3+0x2a7100 @ 0xc77100 exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: kavachv3+0xfb300 exception.instruction: ud2 exception.module: kavachv3.exe exception.exception_code: 0xc000001d exception.offset: 1028864 exception.address: 0xacb300 registers.esp: 2554056 registers.edi: 2554056 registers.eax: 0 registers.ebp: 2554084 registers.edx: 2 registers.ebx: 11317995 registers.esi: 0 registers.ecx: 2554092	1

Connects to a Dynamic DNS Domain (1 event)

domain

kavachhost.ddns.net

Allocates read-write-execute memory (usually to unpack itself) (50 out of 96 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a04000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a14000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a14000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a34000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a44000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a34000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a34000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a44000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a44000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a44000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a44000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a44000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e80000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03f70000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x040b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73da1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0364a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73da2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03642000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03652000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03653000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0378b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03787000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0365c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03840000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03654000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03655000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03656000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0367a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03672000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0366a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03667000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03841000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0364b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0365a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1612 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02180000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1612 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02280000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1612 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00490000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1612 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1612 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00500000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1612 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02284000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1612 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02294000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1612 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02294000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1612 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2021, 1:33 p.m.	process_identifier: 1612 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\kavachv3.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Roaming\kavachv3.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\kavachv3.exe

Executes one or more WMI queries (1 event)

wmi	select * from Win32_OperatingSystem

The binary likely contains encrypted or compressed data indicative of a packer (4 events)

section

{u'size_of_data': u'0x00003600', u'virtual_address': u'0x00002000', u'entropy': 7.97961163463449, u'name': u'', u'virtual_size': u'0x00008000'}

entropy

7.97961163463

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0002ba00', u'virtual_address': u'0x00040000', u'entropy': 7.99804027565364, u'name': u'', u'virtual_size': u'0x00280000'}

entropy

7.99804027565

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x000e2c00', u'virtual_address': u'0x002c0000', u'entropy': 7.976883087883038, u'name': u'.data', u'virtual_size': u'0x000e4000'}

entropy

7.97688308788

description

A section with a high entropy has been found

entropy

0.913261050876

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 28, 2021, 1:33 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

netsh firewall add allowedprogram "C:\Users\test22\AppData\Roaming\kavachv3.exe" "kavachv3.exe" ENABLE

A process attempted to delay the analysis task. (1 event)

description

kavachv3.exe tried to sleep 1615 seconds, actually delayed analysis time by 1615 seconds

Installs itself for autorun at Windows startup (28 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\f8fe86a839f2d7d2fa2c7e659d21c4e5	reg_value	"C:\Users\test22\AppData\Roaming\kavachv3.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f8fe86a839f2d7d2fa2c7e659d21c4e5	reg_value	"C:\Users\test22\AppData\Roaming\kavachv3.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\f8fe86a839f2d7d2fa2c7e659d21c4e5	reg_value	"C:\Users\test22\AppData\Roaming\kavachv3.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f8fe86a839f2d7d2fa2c7e659d21c4e5	reg_value	"C:\Users\test22\AppData\Roaming\kavachv3.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\f8fe86a839f2d7d2fa2c7e659d21c4e5	reg_value	"C:\Users\test22\AppData\Roaming\kavachv3.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f8fe86a839f2d7d2fa2c7e659d21c4e5	reg_value	"C:\Users\test22\AppData\Roaming\kavachv3.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\f8fe86a839f2d7d2fa2c7e659d21c4e5	reg_value	"C:\Users\test22\AppData\Roaming\kavachv3.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f8fe86a839f2d7d2fa2c7e659d21c4e5	reg_value	"C:\Users\test22\AppData\Roaming\kavachv3.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\f8fe86a839f2d7d2fa2c7e659d21c4e5	reg_value	"C:\Users\test22\AppData\Roaming\kavachv3.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f8fe86a839f2d7d2fa2c7e659d21c4e5	reg_value	"C:\Users\test22\AppData\Roaming\kavachv3.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\f8fe86a839f2d7d2fa2c7e659d21c4e5	reg_value	"C:\Users\test22\AppData\Roaming\kavachv3.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f8fe86a839f2d7d2fa2c7e659d21c4e5	reg_value	"C:\Users\test22\AppData\Roaming\kavachv3.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\f8fe86a839f2d7d2fa2c7e659d21c4e5	reg_value	"C:\Users\test22\AppData\Roaming\kavachv3.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f8fe86a839f2d7d2fa2c7e659d21c4e5	reg_value	"C:\Users\test22\AppData\Roaming\kavachv3.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\f8fe86a839f2d7d2fa2c7e659d21c4e5	reg_value	"C:\Users\test22\AppData\Roaming\kavachv3.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f8fe86a839f2d7d2fa2c7e659d21c4e5	reg_value	"C:\Users\test22\AppData\Roaming\kavachv3.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\f8fe86a839f2d7d2fa2c7e659d21c4e5	reg_value	"C:\Users\test22\AppData\Roaming\kavachv3.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f8fe86a839f2d7d2fa2c7e659d21c4e5	reg_value	"C:\Users\test22\AppData\Roaming\kavachv3.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\f8fe86a839f2d7d2fa2c7e659d21c4e5	reg_value	"C:\Users\test22\AppData\Roaming\kavachv3.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f8fe86a839f2d7d2fa2c7e659d21c4e5	reg_value	"C:\Users\test22\AppData\Roaming\kavachv3.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\f8fe86a839f2d7d2fa2c7e659d21c4e5	reg_value	"C:\Users\test22\AppData\Roaming\kavachv3.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f8fe86a839f2d7d2fa2c7e659d21c4e5	reg_value	"C:\Users\test22\AppData\Roaming\kavachv3.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\f8fe86a839f2d7d2fa2c7e659d21c4e5	reg_value	"C:\Users\test22\AppData\Roaming\kavachv3.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f8fe86a839f2d7d2fa2c7e659d21c4e5	reg_value	"C:\Users\test22\AppData\Roaming\kavachv3.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\f8fe86a839f2d7d2fa2c7e659d21c4e5	reg_value	"C:\Users\test22\AppData\Roaming\kavachv3.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f8fe86a839f2d7d2fa2c7e659d21c4e5	reg_value	"C:\Users\test22\AppData\Roaming\kavachv3.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\f8fe86a839f2d7d2fa2c7e659d21c4e5	reg_value	"C:\Users\test22\AppData\Roaming\kavachv3.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f8fe86a839f2d7d2fa2c7e659d21c4e5	reg_value	"C:\Users\test22\AppData\Roaming\kavachv3.exe" ..

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Packer.Enigma.1
FireEye	Generic.mg.b16a969889a73f13
CAT-QuickHeal	Trojan.Generic
Cylance	Unsafe
Zillya	Trojan.Generic.Win32.1415659
Sangfor	Trojan.Win32.Generic.ky
K7AntiVirus	Trojan ( 004befdb1 )
Alibaba	Trojan:Win32/Tiggre.72a47065
K7GW	Trojan ( 004befdb1 )
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Gen:Packer.Enigma.1
Cyren	W32/Trojan.QVHL-7736
ESET-NOD32	a variant of Win32/Packed.EnigmaProtector.J suspicious
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Gen:Packer.Enigma.1
NANO-Antivirus	Trojan.Win32.Packer.ixeuzc
Tencent	Win32.Trojan.Generic.Pdcc
Ad-Aware	Gen:Packer.Enigma.1
TACHYON	Trojan/W32.Agent.1228800.EV
Sophos	Mal/Generic-S
Comodo	Malware@#3fizxrj8gaomi
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_FRS.VSNTG721
McAfee-GW-Edition	BehavesLike.Win32.Generic.tc
Emsisoft	Gen:Packer.Enigma.1 (B)
Ikarus	Trojan.Win32.Inject
Jiangmin	Trojan.Generic.gymmm
Webroot	W32.Malware.Gen
Avira	HEUR/AGEN.1142956
eGambit	Unsafe.AI_Score_100%
Antiy-AVL	Trojan/Generic.ASBOL.C669
Microsoft	Trojan:Win32/Tiggre!rfn
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Gen:Packer.Enigma.1
Cynet	Malicious (score: 100)
McAfee	Artemis!B16A969889A7
MAX	malware (ai score=82)
VBA32	Trojan.Zpevdo
Malwarebytes	Backdoor.NJRat
Panda	Trj/CI.A
Zoner	Probably Heur.ExeHeaderH
TrendMicro-HouseCall	TROJ_FRS.VSNTG721
Rising	PUF.Pack-Enigma!1.BA33 (CLASSIC)
Yandex	Trojan.Agent!/5nOTv2oWeQ
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.7164915.susgen

k.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All