win32.exe

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 13, 2021, 9:58 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 13, 2021, 9:58 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

HTTP traffic contains suspicious features which may be indicative of malware related traffic (9 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET http://www.formula-kuhni.com/hx3a/?kfL4bD=caEAE6TMNpstNWNzBS8nf+GDaIfP+W5I+AjwjXTPkb+IEfM7tlcs+MNsJ0nLlfwLg5GA5aWf&jBZx=D8b0b
suspicious_features	GET method with no useragent header				suspicious_request	GET http://www.freeworldsin.com/hx3a/?kfL4bD=3DLg49gztkEwDEpIhVA6GAYr4+4EzSmtPlay4vrQXwYdcq0BUm/96tiO2YO0ZgN2rKAOBP6W&jBZx=D8b0b
suspicious_features	GET method with no useragent header				suspicious_request	GET http://www.stkify.com/hx3a/?kfL4bD=BjXYzYy3Wwi6aFrEgM1HjT0aBbEvvpOSUIS/nNRAIJdaTtvHKKMsj+M6Q3I+cHJNNRrjAE2C&jBZx=D8b0b
suspicious_features	GET method with no useragent header				suspicious_request	GET http://www.aksharnewtown.com/hx3a/?kfL4bD=UKCdSLR8412vaMHIP2MhlUsk7yfSGMFZEuzAx2SZAjE0ZNyfcYSEyp6nktJEVuEc4C6Qs51w&jBZx=D8b0b
suspicious_features	GET method with no useragent header				suspicious_request	GET http://www.roughcuttavernorder.com/hx3a/?kfL4bD=SZwlqd8Hzn3rpaEWsCajdeS5oRp1CcdbOIkzozoaJWcxcB0oMm0zINyb01h8HBqPBgXJWi1M&jBZx=D8b0b
suspicious_features	GET method with no useragent header				suspicious_request	GET http://www.recovatek.com/hx3a/?kfL4bD=fCmUcBRjRsJN2niul11B/xiypSW2fUD8cUjfy08rELK4cGFPgnyxy4j4Y+fYFi5gkgSESZTn&jBZx=D8b0b
suspicious_features	GET method with no useragent header				suspicious_request	GET http://www.sellingdealsinheels.com/hx3a/?kfL4bD=ZQONasgLaIqJtl+Y9ynHdAMgHGG3yPHQMSSB3SdTownDFaJtrUUp853ISMl3zW6kC1fHv0WQ&jBZx=D8b0b
suspicious_features	GET method with no useragent header				suspicious_request	GET http://www.bookbeachchairs.com/hx3a/?kfL4bD=EBC1Cs7uqSFNwkQnGgLKPc+2rIVZ9PU/AWUwkk97HGSV6MybJ9/jFS+r7M72vm+mHjcr9wDF&jBZx=D8b0b
suspicious_features	GET method with no useragent header				suspicious_request	GET http://www.sxqyws.net/hx3a/?kfL4bD=T9MXgcgL1KL8QuajaJKCENDo6nNTCJSWQpkqYg4zOpZsIFxlmDBTIA+IF+ioP0h6JnMBeNuT&jBZx=D8b0b

Performs some HTTP requests (18 events)

request	POST http://www.formula-kuhni.com/hx3a/
request	GET http://www.formula-kuhni.com/hx3a/?kfL4bD=caEAE6TMNpstNWNzBS8nf+GDaIfP+W5I+AjwjXTPkb+IEfM7tlcs+MNsJ0nLlfwLg5GA5aWf&jBZx=D8b0b
request	POST http://www.freeworldsin.com/hx3a/
request	GET http://www.freeworldsin.com/hx3a/?kfL4bD=3DLg49gztkEwDEpIhVA6GAYr4+4EzSmtPlay4vrQXwYdcq0BUm/96tiO2YO0ZgN2rKAOBP6W&jBZx=D8b0b
request	POST http://www.stkify.com/hx3a/
request	GET http://www.stkify.com/hx3a/?kfL4bD=BjXYzYy3Wwi6aFrEgM1HjT0aBbEvvpOSUIS/nNRAIJdaTtvHKKMsj+M6Q3I+cHJNNRrjAE2C&jBZx=D8b0b
request	POST http://www.aksharnewtown.com/hx3a/
request	GET http://www.aksharnewtown.com/hx3a/?kfL4bD=UKCdSLR8412vaMHIP2MhlUsk7yfSGMFZEuzAx2SZAjE0ZNyfcYSEyp6nktJEVuEc4C6Qs51w&jBZx=D8b0b
request	POST http://www.roughcuttavernorder.com/hx3a/
request	GET http://www.roughcuttavernorder.com/hx3a/?kfL4bD=SZwlqd8Hzn3rpaEWsCajdeS5oRp1CcdbOIkzozoaJWcxcB0oMm0zINyb01h8HBqPBgXJWi1M&jBZx=D8b0b
request	POST http://www.recovatek.com/hx3a/
request	GET http://www.recovatek.com/hx3a/?kfL4bD=fCmUcBRjRsJN2niul11B/xiypSW2fUD8cUjfy08rELK4cGFPgnyxy4j4Y+fYFi5gkgSESZTn&jBZx=D8b0b
request	POST http://www.sellingdealsinheels.com/hx3a/
request	GET http://www.sellingdealsinheels.com/hx3a/?kfL4bD=ZQONasgLaIqJtl+Y9ynHdAMgHGG3yPHQMSSB3SdTownDFaJtrUUp853ISMl3zW6kC1fHv0WQ&jBZx=D8b0b
request	POST http://www.bookbeachchairs.com/hx3a/
request	GET http://www.bookbeachchairs.com/hx3a/?kfL4bD=EBC1Cs7uqSFNwkQnGgLKPc+2rIVZ9PU/AWUwkk97HGSV6MybJ9/jFS+r7M72vm+mHjcr9wDF&jBZx=D8b0b
request	POST http://www.sxqyws.net/hx3a/
request	GET http://www.sxqyws.net/hx3a/?kfL4bD=T9MXgcgL1KL8QuajaJKCENDo6nNTCJSWQpkqYg4zOpZsIFxlmDBTIA+IF+ioP0h6JnMBeNuT&jBZx=D8b0b

Sends data using the HTTP POST Method (9 events)

request	POST http://www.formula-kuhni.com/hx3a/
request	POST http://www.freeworldsin.com/hx3a/
request	POST http://www.stkify.com/hx3a/
request	POST http://www.aksharnewtown.com/hx3a/
request	POST http://www.roughcuttavernorder.com/hx3a/
request	POST http://www.recovatek.com/hx3a/
request	POST http://www.sellingdealsinheels.com/hx3a/
request	POST http://www.bookbeachchairs.com/hx3a/
request	POST http://www.sxqyws.net/hx3a/

Allocates read-write-execute memory (usually to unpack itself) (5 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory April 13, 2021, 9:58 a.m.	process_identifier: 4208 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c90000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory April 13, 2021, 9:58 a.m.	process_identifier: 4208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory April 13, 2021, 9:58 a.m.	process_identifier: 4208 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 13, 2021, 9:58 a.m.	process_identifier: 4208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 12288 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d00000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory April 13, 2021, 9:58 a.m.	process_identifier: 5192 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00810000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\nse53.tmp\h336ss.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\nse53.tmp\h336ss.dll

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 13, 2021, 9:58 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (2 events)

host	172.217.25.14
host	59.18.44.14

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Process injection	Process 4208 called NtSetContextThread to modify thread in remote process 5192
Time & API	Arguments	Status	Return	Repeated
NtSetContextThread April 13, 2021, 9:58 a.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4313248 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000204 process_identifier: 5192	1	0	0

File has been identified by 22 AntiVirus engines on VirusTotal as malicious (22 events)

MicroWorld-eScan	Gen:Variant.Jaik.45088
FireEye	Generic.mg.b2e46b8ad3081ee9
McAfee	Artemis!B2E46B8AD308
Cybereason	malicious.fb1209
Cyren	W32/Injector.AGZ.gen!Eldorado
ESET-NOD32	a variant of Win32/Injector.EPCK
APEX	Malicious
Kaspersky	HEUR:Trojan-Spy.Win32.Noon.gen
BitDefender	Gen:Variant.Jaik.45088
Ad-Aware	Gen:Variant.Jaik.45088
Emsisoft	Gen:Variant.Jaik.45088 (B)
McAfee-GW-Edition	Artemis!Trojan
SentinelOne	Static AI - Suspicious PE
MAX	malware (ai score=85)
Microsoft	Program:Win32/Wacapew.C!ml
GData	Gen:Variant.Jaik.45088
Cynet	Malicious (score: 100)
BitDefenderTheta	Gen:NN.ZedlaF.34670.au4@a0Gz9mai
ALYac	Gen:Variant.Jaik.45088
Ikarus	Trojan.NSIS.Agent
Fortinet	W32/Injector.EPAI!tr
Qihoo-360	QVM42.0.Malware.Gen