Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 11, 2021, 5:42 p.m.	Aug. 11, 2021, 5:54 p.m.

Size	2.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`c2c05cd6cacb0f2fc7ef5c883294c88c`
SHA256	`46ba1967983d6f567a10712f1814d4cad0af421aeb1c25a943a7ceb4d1195037`
CRC32	`35303222`
ssdeep	`49152:akQTAcFdGlHVoN1QxECXsgrVJZ4Uy7GQe8v51637ORB+G9bmp:aacFdGCcxEaPZY7GQTv5GORVmp`
PDB Path
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UltraVNC_Zero - UltraVNC

wpbot.exe "C:\Users\test22\AppData\Local\Temp\wpbot.exe"
560

Name	Response	Post-Analysis Lookup
baytarsenal.tk	A 145.14.144.92	145.14.144.63

IP Address	Status	Action
145.14.144.92	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.102:52336 -> 8.8.8.8:53	2012811	ET DNS Query to a .tk domain - Likely Hostile	Potentially Bad Traffic
UDP 192.168.56.102:52336 -> 164.124.101.2:53	2012811	ET DNS Query to a .tk domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.102:49165 -> 145.14.144.92:80	2012810	ET POLICY HTTP Request to a *.tk domain	Potentially Bad Traffic
TCP 192.168.56.102:49165 -> 145.14.144.92:80	2031094	ET HUNTING Request to .TK Domain with Minimal Headers	Potentially Bad Traffic
TCP 145.14.144.92:80 -> 192.168.56.102:49165	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 145.14.144.92:80 -> 192.168.56.102:49165	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 11, 2021, 5:42 p.m.			0	0
IsDebuggerPresent Aug. 11, 2021, 5:42 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (6 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 11, 2021, 5:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00721298 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 11, 2021, 5:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00721298 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 11, 2021, 5:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072f228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 11, 2021, 5:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072f228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 11, 2021, 5:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072f228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 11, 2021, 5:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072f2a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 11, 2021, 5:42 p.m.		1	1	0

One or more processes crashed (50 out of 484 events)

Time & API	Arguments	Status
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: f3 aa 8b 45 f0 8b 4d 08 8b 55 10 03 c8 2b d0 52 exception.symbol: wpbot+0xf088 exception.instruction: stosb byte ptr es:[edi], al exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61576 exception.address: 0x40f088 registers.esp: 1636996 registers.edi: 4601476 registers.eax: 0 registers.ebp: 1637012 registers.edx: 0 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 12	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4603792 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 15449	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4607888 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 15417	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4611984 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 15385	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4616080 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 15353	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4620176 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 15321	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4624272 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 15289	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4628368 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 15257	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4632464 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 15225	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4636560 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 15193	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4640656 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 15161	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4644752 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 15129	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4648848 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 15097	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4652944 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 15065	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4657040 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 15033	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4661136 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 15001	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4665232 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 14969	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4669328 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 14937	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4673424 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 14905	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4677520 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 14873	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4681616 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 14841	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4685712 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 14809	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4689808 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 14777	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4693904 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 14745	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4698000 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 14713	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4702096 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 14681	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4706192 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 14649	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4710288 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 14617	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4714384 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 14585	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4718480 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 14553	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4722576 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 14521	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4726672 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 14489	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4730768 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 14457	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4734864 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 14425	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4738960 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 14393	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4743056 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 14361	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4747152 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 14329	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4751248 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 14297	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4755344 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 14265	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4759440 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 14233	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4763536 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 14201	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4767632 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 14169	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4771728 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 14137	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4775824 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 14105	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4779920 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 14073	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4784016 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 14041	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4788112 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 14009	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4792208 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 13977	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4796304 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 13945	1
__exception__ Aug. 11, 2021, 5:42 p.m.	stacktrace: wpbot+0xf054 @ 0x40f054 wpbot+0xf0a0 @ 0x40f0a0 wpbot+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 70 8d bf 80 00 00 00 49 75 d0 8b 7d exception.symbol: wpbot+0xf009 exception.address: 0x40f009 exception.module: wpbot.exe exception.exception_code: 0xc0000005 exception.offset: 61449 registers.esp: 1636940 registers.edi: 4800400 registers.eax: 4601488 registers.ebp: 1636944 registers.edx: 67 registers.ebx: 0 registers.esi: 34537504 registers.ecx: 13913	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Starts servers listening (3 events)

Time & API	Arguments	Status	Return
bind Aug. 11, 2021, 5:42 p.m.	ip_address: 127.0.0.1 socket: 624 port: 0	1	0
listen Aug. 11, 2021, 5:42 p.m.	socket: 624 backlog: 2147483647	1	0
accept Aug. 11, 2021, 5:42 p.m.	ip_address: 127.0.0.1 socket: 624 port: 0		4294967295

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://baytarsenal.tk/ccdriver/chromedriver.exe

Performs some HTTP requests (1 event)

request

GET http://baytarsenal.tk/ccdriver/chromedriver.exe

Allocates read-write-execute memory (usually to unpack itself) (44 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00650000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00670000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02730000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02850000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02851000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02852000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02853000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02854000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0097b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00977000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02950000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00975000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02951000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0295a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00966000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0096a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00967000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0295b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0295c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05b20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05b21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05b22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f5c2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0096b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05b24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006cd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05b25000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05b26000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 11, 2021, 5:42 p.m.	process_identifier: 560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0096c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\chromedriver.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\chromedriver.exe

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 11, 2021, 5:42 p.m.	flags: 1158 family: 0	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00221e00', u'virtual_address': u'0x00026000', u'entropy': 7.939970938901227, u'name': u'.rsrc', u'virtual_size': u'0x00221c90'}

entropy

7.9399709389

description

A section with a high entropy has been found

entropy

0.941772697865

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 11, 2021, 5:42 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Connects to an IRC server, possibly part of a botnet

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Aug. 11, 2021, 5:42 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

wpbot.exe tried to sleep 2728223 seconds, actually delayed analysis time by 2728223 seconds

File has been identified by 42 AntiVirus engines on VirusTotal as malicious (42 events)

Bkav	W32.AIDetect.malware2
Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.37357593
FireEye	Generic.mg.c2c05cd6cacb0f2f
McAfee	Artemis!C2C05CD6CACB
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Alibaba	Trojan:Win32/Generic.7ac9bb5e
Cybereason	malicious.08d016
Arcabit	Trojan.Generic.D23A0819
Cyren	W32/Agent.AIK.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Trojan.GenericKD.37357593
Avast	Win32:Trojan-gen
Tencent	Win32.Trojan.Generic.Syrg
Ad-Aware	Trojan.GenericKD.37357593
Emsisoft	Trojan.GenericKD.37357593 (B)
TrendMicro	TROJ_GEN.R002C0WH821
McAfee-GW-Edition	BehavesLike.Win32.Generic.vc
Sophos	Mal/Generic-R
Ikarus	Trojan.MSIL.Agent
eGambit	Unsafe.AI_Score_96%
Microsoft	Backdoor:Win32/Bladabindi!ml
GData	Trojan.GenericKD.37357593
Cynet	Malicious (score: 100)
VBA32	Trojan.Wacatac
ALYac	Trojan.GenericKD.37357593
MAX	malware (ai score=89)
TrendMicro-HouseCall	TROJ_GEN.R002C0WH821
Rising	Trojan.Generic@ML.95 (RDMK:LHDmBvvPk0SCbUPrsAK7iQ)
Yandex	Trojan.Agent!rDGEhkXCCXg
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/PossibleThreat
BitDefenderTheta	Gen:NN.ZexaF.34058.qs0@a0oWxCf
AVG	Win32:Trojan-gen
Panda	Trj/CI.A
CrowdStrike	win/malicious_confidence_60% (W)

wpbot.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All