Summary | ZeroBOX

xystum.exe

Tags: Gen1, Generic Malware, Malicious Library, UPX, Malicious Packer, Anti_VM, PE File, PE32, DLL

Category FILE
Machine s1_win7_x6401
Started Nov. 30, 2021, 6:18 p.m.
Completed Nov. 30, 2021, 6:30 p.m.
Size 5.6MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 00921a778d899c9ff624cc92baee312f
SHA256 9964072a63968add45fcf9b9ca48c5d752415accd20e03286346ed6796bd5ddd
CRC32 2B45E00A
ssdeep 98304:6ZwSPSbT55jXH620XkxQExQcQQC8F7el2W9Z+EcNomKjRG89HyEY5UQBSGNuejiu:6BPSH/jBQk+yQcd/e2k+EoKjRTV45GL6
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file

Domains (Name, Response, Post-Analysis Lookup)
No hosts contacted.
Hosts (IP Address, Status, Action)
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx
(no arguments logged)
status 1, return 1, repeated 0

section .ndata (a section name characteristic of NSIS-built installers; the nskE223.tmp directory and UAC.dll listed below are the NSIS plug-in temp directory and its UAC plug-in)
Time & API Arguments Status Return Repeated

Two exception codes recur in the records below. 0xc000008e is STATUS_FLOAT_DIVIDE_BY_ZERO, and here it is raised explicitly rather than by a hardware fault: the faulting symbol is RaiseException+0x58 inside KERNELBASE.dll and the instruction bytes c9 c2 10 00 are that function's leave / ret 0x10 epilogue. 0xc0000096 is STATUS_PRIVILEGED_INSTRUCTION from a user-mode `in eax, dx` (opcode ed) inside the dropped executable's own code. At those faults EAX, EDX and ECX hold the VMware backdoor magic, I/O port and command number: the second probe in each process uses the canonical 0x564d5868 ("VMXh"), port 0x5658 and command 10, the first the byte-reversed 0x68584d56, port 0x5856 and command 20. A VMware host would have serviced the port access and no exception would have been logged; the logged fault is what such a check sees on other hardware or hypervisors. The same three exceptions (one RaiseException, two port probes) appear once per dropped executable (affluxvp.exe, werfel.exe, DpEditor.exe); werfel.exe and DpEditor.exe fault at identical module offsets.

__exception__
stacktrace: affluxvp+0x34c403 @ 0x151c403; affluxvp+0x2f8d5d @ 0x14c8d5d
exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008e
exception.offset: 46887
exception.address: 0x760cb727
registers: esp 3340852, edi 18845696, eax 3340852, ebp 3340932, edx 2130566132, ebx 1992228838, esi 2003530795, ecx 1916469248
status 1, return 0, repeated 0

__exception__
stacktrace: (none recorded)
exception.instruction_r: ed e9 fa 16 13 00 00 00 45 00 67 2f f3 4e d6 0d
exception.symbol: affluxvp+0x2a670a
exception.instruction: in eax, dx
exception.module: affluxvp.exe
exception.exception_code: 0xc0000096
exception.offset: 2778890
exception.address: 0x147670a
registers: esp 3340972, edi 3943864, eax 1750617430 (0x68584d56), ebp 18845696, edx 22614 (0x5856), ebx 0, esi 13, ecx 20 (0x14)
status 1, return 0, repeated 0

__exception__
stacktrace: (none recorded)
exception.instruction_r: ed e9 53 c2 01 00 c3 e9 7d 64 fb ff ce ad 52 b2
exception.symbol: affluxvp+0x3b7c00
exception.instruction: in eax, dx
exception.module: affluxvp.exe
exception.exception_code: 0xc0000096
exception.offset: 3898368
exception.address: 0x1587c00
registers: esp 3340972, edi 3943864, eax 1447909480 (0x564d5868 "VMXh"), ebp 18845696, edx 22104 (0x5658), ebx 2256917605, esi 13, ecx 10 (0x0a)
status 1, return 0, repeated 0

__exception__
stacktrace: werfel+0x29410a @ 0x35410a; werfel+0x3b0791 @ 0x470791
exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008e
exception.offset: 46887
exception.address: 0x760cb727
registers: esp 12779252, edi 1089536, eax 12779252, ebp 12779332, edx 2130566132, ebx 1992228838, esi 2003530795, ecx 1925709824
status 1, return 0, repeated 0

__exception__
stacktrace: (none recorded)
exception.instruction_r: ed e9 12 b3 0a 00 c3 e9 fc b2 0a 00 43 51 55 00
exception.symbol: werfel+0x346df1
exception.instruction: in eax, dx
exception.module: werfel.exe
exception.exception_code: 0xc0000096
exception.offset: 3436017
exception.address: 0x406df1
registers: esp 12779372, edi 17378726, eax 1750617430 (0x68584d56), ebp 1089536, edx 22614 (0x5856), ebx 2147483650, esi 2204245, ecx 20 (0x14)
status 1, return 0, repeated 0

__exception__
stacktrace: (none recorded)
exception.instruction_r: ed e9 19 f4 01 00 8b 5c 24 0c e9 1c f4 01 00 75
exception.symbol: werfel+0x3d88ff
exception.instruction: in eax, dx
exception.module: werfel.exe
exception.exception_code: 0xc0000096
exception.offset: 4032767
exception.address: 0x4988ff
registers: esp 12779372, edi 17378726, eax 1447909480 (0x564d5868 "VMXh"), ebp 1089536, edx 22104 (0x5658), ebx 2256917605, esi 2204245, ecx 10 (0x0a)
status 1, return 0, repeated 0

__exception__
stacktrace: dpeditor+0x29410a @ 0x15f410a; dpeditor+0x3b0791 @ 0x1710791
exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008e
exception.offset: 46887
exception.address: 0x760cb727
registers: esp 3865132, edi 20619264, eax 3865132, ebp 3865212, edx 2130566132, ebx 1992228838, esi 2003530795, ecx 2639200256
status 1, return 0, repeated 0

__exception__
stacktrace: (none recorded)
exception.instruction_r: ed e9 12 b3 0a 00 c3 e9 fc b2 0a 00 43 51 55 00
exception.symbol: dpeditor+0x346df1
exception.instruction: in eax, dx
exception.module: DpEditor.exe
exception.exception_code: 0xc0000096
exception.offset: 3436017
exception.address: 0x16a6df1
registers: esp 3865252, edi 3944051, eax 1750617430 (0x68584d56), ebp 20619264, edx 22614 (0x5856), ebx 2147483650, esi 21733973, ecx 20 (0x14)
status 1, return 0, repeated 0

__exception__
stacktrace: (none recorded)
exception.instruction_r: ed e9 19 f4 01 00 8b 5c 24 0c e9 1c f4 01 00 75
exception.symbol: dpeditor+0x3d88ff
exception.instruction: in eax, dx
exception.module: DpEditor.exe
exception.exception_code: 0xc0000096
exception.offset: 4032767
exception.address: 0x17388ff
registers: esp 3865252, edi 3944051, eax 1447909480 (0x564d5868 "VMXh"), ebp 20619264, edx 22104 (0x5658), ebx 2256917605, esi 21733973, ecx 10 (0x0a)
status 1, return 0, repeated 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory (31 calls; in every call: process_handle 0xffffffff (the current-process pseudo-handle), protection 64 (PAGE_EXECUTE_READWRITE), stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0; status 1, return 0, repeated 0)

process_identifier  base_address  length
2788  0x739a1000  4096
2788  0x76a81000  4096
2788  0x10001000  4096
2788  0x73991000  4096
2788  0x733f1000  4096
2788  0x733b4000  4096
2788  0x733f2000  4096
2908  0x776df000  8192
2908  0x77650000  8192
2908  0x011f0000  4096
2908  0x011ea000  4096
2908  0x011ea000  4096
2908  0x011ea000  4096
2948  0x776df000  8192
2948  0x77650000  8192
2948  0x000ff000  4096
2948  0x000f1000  4096
2948  0x000f1000  4096
2948  0x000f1000  65536
2948  0x000f1000  4096
3056  0x776df000  8192
3056  0x77650000  8192
3056  0x0139f000  4096
3056  0x01391000  4096
3056  0x01391000  4096
3056  0x01391000  65536
3056  0x01391000  4096
3056  0x73b91000  4096
3056  0x73b01000  4096
3056  0x73ac4000  4096
3056  0x73b92000  4096
file C:\Users\test22\AppData\Local\Temp\ateles\affluxvp.exe
file C:\Program Files (x86)\foler\olader\acppage.dll
file C:\Users\test22\AppData\Local\Temp\nskE223.tmp\UAC.dll
file C:\Program Files (x86)\foler\olader\acledit.dll
file C:\Users\test22\AppData\Local\Temp\ateles\werfel.exe
file C:\Program Files (x86)\foler\olader\adprovider.dll
file C:\Users\test22\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
file C:\Users\test22\AppData\Local\Temp\nskE223.tmp\UAC.dll
file C:\Users\test22\AppData\Local\Temp\ateles\werfel.exe
file C:\Users\test22\AppData\Local\Temp\ateles\affluxvp.exe
process system
file C:\ProgramData\AVAST Software
file C:\ProgramData\AVG
Time & API Arguments Status Return Repeated

FindWindowA (50 calls, in the order logged; window_name is empty in every call; return 0 means the window was not found, repeated 0; the class names belong to OllyDbg and the Sysinternals Filemon, Regmon and Process Monitor tools, plus a few other debugger window classes)
class_name: OLLYDBG
class_name: GBDYLLO
class_name: pediy06
class_name: RegmonClass
class_name: RegmonClass
class_name: Registry Monitor - Sysinternals: www.sysinternals.com
class_name: 18467-41
class_name: FilemonClass
class_name: FilemonClass
class_name: File Monitor - Sysinternals: www.sysinternals.com
class_name: PROCMON_WINDOW_CLASS
class_name: Process Monitor - Sysinternals: www.sysinternals.com
class_name: OLLYDBG
class_name: GBDYLLO
class_name: pediy06
class_name: FilemonClass
class_name: FilemonClass
class_name: File Monitor - Sysinternals: www.sysinternals.com
class_name: PROCMON_WINDOW_CLASS
class_name: Process Monitor - Sysinternals: www.sysinternals.com
class_name: RegmonClass
class_name: RegmonClass
class_name: Registry Monitor - Sysinternals: www.sysinternals.com
class_name: 18467-41
class_name: Regmonclass
class_name: Regmonclass
class_name: 18467-41
class_name: Filemonclass
class_name: Filemonclass
class_name: PROCMON_WINDOW_CLASS
class_name: Regmonclass
class_name: Regmonclass
class_name: 18467-41
class_name: Filemonclass
class_name: Filemonclass
class_name: PROCMON_WINDOW_CLASS
class_name: OLLYDBG
class_name: GBDYLLO
class_name: pediy06
class_name: FilemonClass
class_name: FilemonClass
class_name: File Monitor - Sysinternals: www.sysinternals.com
class_name: PROCMON_WINDOW_CLASS
class_name: Process Monitor - Sysinternals: www.sysinternals.com
class_name: RegmonClass
class_name: RegmonClass
class_name: Registry Monitor - Sysinternals: www.sysinternals.com
class_name: 18467-41
class_name: Regmonclass
class_name: Regmonclass
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Time & API Arguments Status Return Repeated

NtQuerySystemInformation
information_class: 76 (SystemFirmwareTableInformation)
return 3221225507 (0xc0000023, STATUS_BUFFER_TOO_SMALL), repeated 0

The two registry values are the REG_MULTI_SZ BIOS strings that VM checks search for vendor names. SystemFirmwareTableInformation exposes the raw SMBIOS table, and STATUS_BUFFER_TOO_SMALL is the usual first answer when the caller probes with a small buffer to learn the required size before re-querying.
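The table that SystemFirmwareTableInformation returns is the same RawSMBIOSData blob that GetSystemFirmwareTable('RSMB') produces, and VM checks walk its BIOS (type 0) and System (type 1) structures for strings such as "VMware" or "VirtualBox", exactly as they scan the SystemBiosVersion and VideoBiosVersion values above. As an added example (not code from ZeroBOX or the sample), the parser below decodes two tables constructed here, one resembling a VMware guest and one resembling bare metal, and scans every string in them. The field offsets follow the SMBIOS structure layout (4-byte header of type, length, handle; formatted area; string-set of NUL-terminated strings closed by an extra NUL); the SYSTEM_FIRMWARE_TABLE_INFORMATION wrapper of the Nt call is assumed already stripped, and the vendor strings are invented for the example.

```python
"""Parse a raw SMBIOS ('RSMB') firmware table and scan it for VM vendor strings.

Added example for this report, not ZeroBOX or sample code. The tables are
constructed here (one VMware-looking, one bare-metal-looking); the layout is the
SMBIOS one: per structure a 4-byte header (type, length, handle), a formatted
area, then a string-set of NUL-terminated strings closed by an extra NUL. The
8-byte RawSMBIOSData prefix is what GetSystemFirmwareTable('RSMB') returns; the
SYSTEM_FIRMWARE_TABLE_INFORMATION wrapper of the Nt call is assumed stripped."""
import struct

# Substrings VM checks look for in firmware strings (and in the REG_MULTI_SZ
# SystemBiosVersion / VideoBiosVersion values); "xen" is short enough to false-positive.
VM_MARKERS = ("vmware", "virtualbox", "vbox", "innotek", "qemu", "bochs", "xen", "parallels")
SMBIOS_TYPE_BIOS, SMBIOS_TYPE_SYSTEM, SMBIOS_TYPE_END = 0, 1, 127


def encode_structure(stype, handle, formatted, strings):
    """Header + formatted area + string-set (an empty set is encoded as two NULs)."""
    header = struct.pack("<BBH", stype, 4 + len(formatted), handle)
    string_set = b"".join(s.encode("latin-1") + b"\0" for s in strings) or b"\0"
    return header + formatted + string_set + b"\0"


def bios_structure(vendor, version, release_date):
    # Type 0: vendor, version (string refs 1-2), start segment, date (ref 3), ROM size,
    # 8 characteristic bytes, 2 extension bytes, BIOS and EC major/minor releases.
    formatted = struct.pack("<BBHBBQ", 1, 2, 0xE000, 3, 0, 0) + bytes(6)
    return encode_structure(SMBIOS_TYPE_BIOS, 0x0000, formatted, [vendor, version, release_date])


def system_structure(manufacturer, product, version, serial, uuid=bytes(16)):
    # Type 1: manufacturer, product, version, serial (refs 1-4), UUID, wake-up type,
    # SKU and family refs (0 = not provided). Total structure length 0x1B.
    formatted = bytes([1, 2, 3, 4]) + uuid + bytes([6, 0, 0])
    return encode_structure(SMBIOS_TYPE_SYSTEM, 0x0001, formatted,
                            [manufacturer, product, version, serial])


def encode_rsmb(structures, major=2, minor=7):
    """Prefix the table with RawSMBIOSData: calling method, major, minor, DMI rev, length."""
    table = b"".join(structures)
    return struct.pack("<BBBBI", 0, major, minor, 0, len(table)) + table


def parse_rsmb(blob):
    """Return ((major, minor), [(type, handle, formatted, strings), ...])."""
    _method, major, minor, _dmi, length = struct.unpack_from("<BBBBI", blob, 0)
    data = blob[8:8 + length]
    off, structures = 0, []
    while off + 4 <= len(data):
        stype, slen, handle = struct.unpack_from("<BBH", data, off)
        if slen < 4:
            raise ValueError(f"bad structure length {slen} at offset {off}")
        formatted = data[off + 4:off + slen]
        end = data.index(b"\0\0", off + slen)        # ValueError if the set is unterminated
        raw = data[off + slen:end]
        strings = [s.decode("latin-1") for s in raw.split(b"\0")] if raw else []
        structures.append((stype, handle, formatted, strings))
        off = end + 2
        if stype == SMBIOS_TYPE_END:
            break
    return (major, minor), structures


def string_field(formatted, strings, index):
    """Resolve the 1-based string reference stored at formatted[index]; 0 means absent."""
    ref = formatted[index]
    return strings[ref - 1] if 0 < ref <= len(strings) else ""


def system_info(structures):
    for stype, _handle, formatted, strings in structures:
        if stype == SMBIOS_TYPE_SYSTEM:
            names = ("manufacturer", "product", "version", "serial")
            return {n: string_field(formatted, strings, i) for i, n in enumerate(names)}
    return {}


def vm_markers(strings):
    """(string, marker) for every string that contains a VM marker, case-insensitively."""
    return [(s, m) for s in strings for m in VM_MARKERS if m in s.lower()]


def scan_table(blob):
    """Scan every string of every structure, the way a VM check sweeps the whole table."""
    _version, structures = parse_rsmb(blob)
    return vm_markers([s for _t, _h, _f, strings in structures for s in strings])


# Constructed samples (not real firmware dumps).
VMWARE_LIKE = encode_rsmb([
    bios_structure("Phoenix Technologies LTD", "6.00", "11/12/2020"),
    system_structure("VMware, Inc.", "VMware Virtual Platform", "None", "VMware-56 4d 00 11"),
    encode_structure(SMBIOS_TYPE_END, 0x0002, b"", []),
])
BARE_METAL_LIKE = encode_rsmb([
    bios_structure("Dell Inc.", "1.2.3", "01/02/2021"),
    system_structure("Dell Inc.", "OptiPlex 7080", "1.0", "ABC1234"),
    encode_structure(SMBIOS_TYPE_END, 0x0002, b"", []),
])

if __name__ == "__main__":
    print(system_info(parse_rsmb(VMWARE_LIKE)[1]))
    print(scan_table(VMWARE_LIKE), scan_table(BARE_METAL_LIKE))
```

vm_markers also serves the registry side of the check: feeding it the strings read from SystemBiosVersion or VideoBiosVersion flags the same vendor names. A sandbox that wants this sample to take the "not a VM" path has to scrub both sources, the SMBIOS table and the registry copies of the BIOS strings.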
Time & API Arguments Status Return Repeated

__exception__ (the same affluxvp.exe port probe already listed above)
stacktrace: (none recorded)
exception.instruction_r: ed e9 53 c2 01 00 c3 e9 7d 64 fb ff ce ad 52 b2
exception.symbol: affluxvp+0x3b7c00
exception.instruction: in eax, dx
exception.module: affluxvp.exe
exception.exception_code: 0xc0000096
exception.offset: 3898368
exception.address: 0x1587c00
registers: esp 3340972, edi 3943864, eax 1447909480 (0x564d5868 "VMXh"), ebp 18845696, edx 22104 (0x5658), ebx 2256917605, esi 13, ecx 10 (0x0a)
status 1, return 0, repeated 0
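The VMware backdoor decode, as an added example that is not part of the original report and not ZeroBOX's or the sample's code: it takes the register values printed in the `in eax, dx` exception entries (the list earlier in the report and the entry just above), confirms that the faulting opcode is really ed (`in eax, dx`), and matches EAX/EDX against the backdoor magic 0x564d5868 ("VMXh") and port 0x5658, including the byte-reversed pair 0x68584d56 / 0x5856 used by the first probe in each process. The command names follow the numbering in open-vm-tools' backdoor_def.h; the record dictionaries are transcribed from this report, with one RaiseException record kept as a negative case.

```python
"""Decode the faulting `in eax, dx` records in this report as VMware backdoor probes.

Added example for this report, not ZeroBOX or sample code. The three records below are
transcribed from the __exception__ entries (one byte-reversed probe, one canonical
probe, one RaiseException record as a negative case); the command names follow the
numbering in open-vm-tools' backdoor_def.h."""

VMWARE_MAGIC = 0x564D5868            # "VMXh" in EAX selects the backdoor
VMWARE_PORT = 0x5658                 # "VX": the backdoor I/O port expected in DX
STATUS_PRIVILEGED_INSTRUCTION = 0xC0000096
OPCODE_IN_EAX_DX = 0xED

NTSTATUS_NAMES = {
    0xC000008E: "STATUS_FLOAT_DIVIDE_BY_ZERO",
    0xC0000096: "STATUS_PRIVILEGED_INSTRUCTION",
}
BACKDOOR_COMMANDS = {10: "BDOOR_CMD_GETVERSION", 20: "BDOOR_CMD_GETMEMSIZE"}  # low 16 bits of ECX

SAMPLE_RECORDS = [  # transcribed from the report; decimal register values as printed there
    {"module": "affluxvp.exe", "address": 0x147670A, "exception_code": 0xC0000096,
     "instruction_r": "ed e9 fa 16 13 00 00 00 45 00 67 2f f3 4e d6 0d",
     "eax": 1750617430, "edx": 22614, "ecx": 20},
    {"module": "affluxvp.exe", "address": 0x1587C00, "exception_code": 0xC0000096,
     "instruction_r": "ed e9 53 c2 01 00 c3 e9 7d 64 fb ff ce ad 52 b2",
     "eax": 1447909480, "edx": 22104, "ecx": 10},
    {"module": "KERNELBASE.dll", "address": 0x760CB727, "exception_code": 0xC000008E,
     "instruction_r": "c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b",
     "eax": 3340852, "edx": 2130566132, "ecx": 1916469248},
]


def bswap(value, nbytes):
    """Reverse the byte order of an nbytes-wide integer (0x68584D56 -> 0x564D5868)."""
    return int.from_bytes(value.to_bytes(nbytes, "little"), "big")


def classify_in_fault(rec):
    """Verdict for one exception record; None unless it is a faulting `in eax, dx`."""
    if rec["exception_code"] != STATUS_PRIVILEGED_INSTRUCTION:
        return None
    opcode = bytes.fromhex(rec["instruction_r"].replace(" ", ""))[0]
    if opcode != OPCODE_IN_EAX_DX:
        return None
    eax, edx, ecx = rec["eax"], rec["edx"], rec["ecx"]
    if eax == VMWARE_MAGIC and edx == VMWARE_PORT:
        variant = "canonical"
    elif bswap(eax, 4) == VMWARE_MAGIC and bswap(edx, 2) == VMWARE_PORT:
        # The backdoor only answers the exact magic, so this variant is never
        # intercepted: it faults even on VMware and cannot tell the two apart.
        variant = "byte-reversed"
    else:
        return {"technique": "port-io-probe", "eax": f"{eax:#010x}", "edx": f"{edx:#06x}"}
    return {
        "technique": "vmware-backdoor",
        "variant": variant,
        "command": BACKDOOR_COMMANDS.get(ecx & 0xFFFF, f"BDOOR_CMD_{ecx & 0xFFFF}"),
        # The #GP reached the guest, so no VMware backdoor intercepted the IN: the
        # sample's exception handler sees "not VMware" on this sandbox.
        "hypervisor_answered": False,
    }


def triage(records):
    """One (module, address, status name, verdict) tuple per record."""
    return [(r["module"], f"{r['address']:#x}",
             NTSTATUS_NAMES.get(r["exception_code"], f"{r['exception_code']:#010x}"),
             classify_in_fault(r)) for r in records]


if __name__ == "__main__":
    for module, address, status, verdict in triage(SAMPLE_RECORDS):
        print(module, address, status, verdict)
```

Because the sandbox logged STATUS_PRIVILEGED_INSTRUCTION rather than a value coming back through the port, the probe was not intercepted: a VMware host answers the magic-tagged IN from ring 3 and no exception appears in the trace. The byte-reversed probe with command 20 can never be answered at all, since the backdoor only reacts to the exact magic, so only the canonical command-10 probe carries any information about the host.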
Antivirus (vendor, detection)

Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Doina.28574
McAfee Artemis!00921A778D89
Sangfor Suspicious.Win32.Save.a
K7AntiVirus Trojan ( 00581cd31 )
K7GW Trojan ( 00581cd31 )
CrowdStrike win/malicious_confidence_70% (W)
Arcabit Trojan.Doina.D6F9E
Cyren W32/Kryptik.FHH.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 multiple detections
APEX Malicious
Paloalto generic.ml
ClamAV Win.Packed.Filerepmalware-9864117-0
Kaspersky HEUR:Trojan.Win32.SelfDel.pef
BitDefender Gen:Variant.Doina.28574
NANO-Antivirus Virus.Win32.Gen-Crypt.ccnc
Avast Win32:CrypterX-gen [Trj]
Rising Trojan.Generic@ML.100 (RDML:c/KSHr22RQCd/fMBMxuvPg)
Ad-Aware Gen:Variant.Doina.28574
Sophos Mal/Generic-S
Zillya Trojan.Coins.Win32.6074
McAfee-GW-Edition BehavesLike.Win32.Dropper.tc
FireEye Generic.mg.00921a778d899c9f
Emsisoft Gen:Variant.Doina.28574 (B)
SentinelOne Static AI - Suspicious PE
Avira HEUR/AGEN.1140896
Kingsoft Win32.Troj.Banker.(kcloud)
Microsoft Trojan:Win32/Sabsik.FL.B!ml
GData Win32.Trojan.BSE.HLJWVB
Cynet Malicious (score: 100)
BitDefenderTheta AI:Packer.C2BF11631E
ALYac Gen:Variant.Doina.28574
MAX malware (ai score=86)
VBA32 BScope.Trojan.Sabsik.FL
Malwarebytes Trojan.Dropper
Tencent Win32.Trojan.Multiple.Dks
eGambit Unsafe.AI_Score_99%
AVG Win32:CrypterX-gen [Trj]
Cybereason malicious.78d899
Panda Trj/CI.A