File 2aa2960252e67e3b_sys.exe

Size 137.4KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 d80e79291bc1572a76383250adcb2201
SHA1 652181c6529667a88a5a4f3eda5a3f4830fe6608
SHA256 2aa2960252e67e3bbba3a4653b009507eeac119f8b6c064119402cd513d88e7b
SHA512 9ae76f0c1b5fbe590cdf0a9440fa31aecb07e1a24ce3336566352fd074869ab5c9e9e9c8e3913bd083ae25161bd51745f521f9f30829747869a1d06988c29ac9
CRC32 EBED6D4D
ssdeep None
Yara
  • SEH__vba - (no description)

Score

This file is very suspicious, with a score of 10 out of 10!

Please note: the scoring system is still in development and should be considered an alpha feature.


Autosubmit

Parent Task ID: 6570726

Information on Execution

Analysis
Category: FILE
Started: June 25, 2025, 12:49 p.m.
Completed: June 25, 2025, 12:57 p.m.
Duration: 533 seconds
Routing: internet

Analyzer Log

2025-06-21 12:40:08,015 [analyzer] DEBUG: Starting analyzer from: C:\tmphzbxu3
2025-06-21 12:40:08,030 [analyzer] DEBUG: Pipe server name: \??\PIPE\yyIimApvlYlgIfUzxQdC
2025-06-21 12:40:08,030 [analyzer] DEBUG: Log pipe server name: \??\PIPE\mvmGmUEzZNPUmDTHaJrO
2025-06-21 12:40:08,030 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2025-06-21 12:40:08,030 [analyzer] INFO: Automatically selected analysis package "exe"
2025-06-21 12:40:08,312 [analyzer] DEBUG: Started auxiliary module Curtain
2025-06-21 12:40:08,312 [analyzer] DEBUG: Started auxiliary module DbgView
2025-06-21 12:40:08,796 [analyzer] DEBUG: Started auxiliary module Disguise
2025-06-21 12:40:09,000 [analyzer] DEBUG: Loaded monitor into process with pid 500
2025-06-21 12:40:09,000 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-06-21 12:40:09,000 [analyzer] DEBUG: Started auxiliary module Human
2025-06-21 12:40:09,000 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-06-21 12:40:09,000 [analyzer] DEBUG: Started auxiliary module Reboot
2025-06-21 12:40:09,092 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-06-21 12:40:09,092 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-06-21 12:40:09,092 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-06-21 12:40:09,092 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-06-21 12:40:09,250 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2aa2960252e67e3b_sys.exe' with arguments '' and pid 2684
2025-06-21 12:40:09,546 [analyzer] DEBUG: Loaded monitor into process with pid 2684
2025-06-21 12:40:09,733 [analyzer] INFO: Injected into process with pid 2468 and name u'taskkill.exe'
2025-06-21 12:40:09,733 [analyzer] INFO: Added new file to list with pid 2684 and path C:\sys.exe
2025-06-21 12:40:09,750 [analyzer] INFO: Added new file to list with pid 2684 and path C:\Windows\sys.exe
2025-06-21 12:40:09,921 [analyzer] INFO: Injected into process with pid 2920 and name u'sys.exe'
2025-06-21 12:40:09,967 [analyzer] DEBUG: Loaded monitor into process with pid 2468
2025-06-21 12:40:09,983 [analyzer] INFO: Injected into process with pid 3056 and name u'cmd.exe'
2025-06-21 12:40:10,078 [analyzer] DEBUG: Loaded monitor into process with pid 2920
2025-06-21 12:43:28,250 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2025-06-21 12:43:29,717 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-06-21 12:43:29,717 [lib.api.process] INFO: Successfully terminated process with pid 2920.
2025-06-21 12:43:29,717 [lib.api.process] INFO: Successfully terminated process with pid 3056.
2025-06-21 12:43:29,750 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-06-25 12:49:04,197 [cuckoo.core.scheduler] DEBUG: Task #6588613: no machine available yet
2025-06-25 12:49:05,225 [cuckoo.core.scheduler] DEBUG: Task #6588613: no machine available yet
2025-06-25 12:49:06,251 [cuckoo.core.scheduler] DEBUG: Task #6588613: no machine available yet
2025-06-25 12:49:07,284 [cuckoo.core.scheduler] DEBUG: Task #6588613: no machine available yet
2025-06-25 12:49:08,312 [cuckoo.core.scheduler] DEBUG: Task #6588613: no machine available yet
2025-06-25 12:49:09,339 [cuckoo.core.scheduler] DEBUG: Task #6588613: no machine available yet
2025-06-25 12:49:10,369 [cuckoo.core.scheduler] DEBUG: Task #6588613: no machine available yet
2025-06-25 12:49:11,421 [cuckoo.core.scheduler] DEBUG: Task #6588613: no machine available yet
2025-06-25 12:49:12,443 [cuckoo.core.scheduler] DEBUG: Task #6588613: no machine available yet
2025-06-25 12:49:13,522 [cuckoo.core.scheduler] DEBUG: Task #6588613: no machine available yet
2025-06-25 12:49:14,627 [cuckoo.core.scheduler] DEBUG: Task #6588613: no machine available yet
2025-06-25 12:49:15,711 [cuckoo.core.scheduler] DEBUG: Task #6588613: no machine available yet
2025-06-25 12:49:16,799 [cuckoo.core.scheduler] DEBUG: Task #6588613: no machine available yet
2025-06-25 12:49:17,879 [cuckoo.core.scheduler] DEBUG: Task #6588613: no machine available yet
2025-06-25 12:49:18,952 [cuckoo.core.scheduler] DEBUG: Task #6588613: no machine available yet
2025-06-25 12:49:19,999 [cuckoo.core.scheduler] DEBUG: Task #6588613: no machine available yet
2025-06-25 12:49:21,055 [cuckoo.core.scheduler] DEBUG: Task #6588613: no machine available yet
2025-06-25 12:49:22,103 [cuckoo.core.scheduler] DEBUG: Task #6588613: no machine available yet
2025-06-25 12:49:23,145 [cuckoo.core.scheduler] DEBUG: Task #6588613: no machine available yet
2025-06-25 12:49:24,180 [cuckoo.core.scheduler] DEBUG: Task #6588613: no machine available yet
2025-06-25 12:49:25,206 [cuckoo.core.scheduler] DEBUG: Task #6588613: no machine available yet
2025-06-25 12:49:26,226 [cuckoo.core.scheduler] DEBUG: Task #6588613: no machine available yet
2025-06-25 12:49:27,244 [cuckoo.core.scheduler] DEBUG: Task #6588613: no machine available yet
2025-06-25 12:49:28,263 [cuckoo.core.scheduler] DEBUG: Task #6588613: no machine available yet
2025-06-25 12:49:29,285 [cuckoo.core.scheduler] DEBUG: Task #6588613: no machine available yet
2025-06-25 12:49:30,302 [cuckoo.core.scheduler] DEBUG: Task #6588613: no machine available yet
2025-06-25 12:49:31,644 [cuckoo.core.scheduler] DEBUG: Task #6588613: no machine available yet
2025-06-25 12:49:32,815 [cuckoo.core.scheduler] DEBUG: Task #6588613: no machine available yet
2025-06-25 12:49:33,966 [cuckoo.core.scheduler] DEBUG: Task #6588613: no machine available yet
2025-06-25 12:49:35,121 [cuckoo.core.scheduler] DEBUG: Task #6588613: no machine available yet
2025-06-25 12:49:36,257 [cuckoo.core.scheduler] DEBUG: Task #6588613: no machine available yet
2025-06-25 12:49:37,573 [cuckoo.core.scheduler] DEBUG: Task #6588613: no machine available yet
2025-06-25 12:49:38,906 [cuckoo.core.scheduler] DEBUG: Task #6588613: no machine available yet
2025-06-25 12:49:40,191 [cuckoo.core.scheduler] DEBUG: Task #6588613: no machine available yet
2025-06-25 12:49:41,284 [cuckoo.core.scheduler] DEBUG: Task #6588613: no machine available yet
2025-06-25 12:49:42,389 [cuckoo.core.scheduler] DEBUG: Task #6588613: no machine available yet
2025-06-25 12:49:43,808 [cuckoo.core.scheduler] INFO: Task #6588613: acquired machine win7x6425 (label=win7x6425)
2025-06-25 12:49:43,814 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.225 for task #6588613
2025-06-25 12:49:44,353 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 3988451 (interface=vboxnet0, host=192.168.168.225)
2025-06-25 12:49:45,114 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6425
2025-06-25 12:49:45,647 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6425 to vmcloak
2025-06-25 12:51:58,307 [cuckoo.core.guest] INFO: Starting analysis #6588613 on guest (id=win7x6425, ip=192.168.168.225)
2025-06-25 12:51:59,369 [cuckoo.core.guest] DEBUG: win7x6425: not ready yet
2025-06-25 12:52:04,458 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6425, ip=192.168.168.225)
2025-06-25 12:52:04,568 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6425, ip=192.168.168.225, monitor=latest, size=6660546)
2025-06-25 12:52:06,102 [cuckoo.core.resultserver] DEBUG: Task #6588613: live log analysis.log initialized.
2025-06-25 12:52:07,038 [cuckoo.core.resultserver] DEBUG: Task #6588613 is sending a BSON stream
2025-06-25 12:52:07,564 [cuckoo.core.resultserver] DEBUG: Task #6588613 is sending a BSON stream
2025-06-25 12:52:07,991 [cuckoo.core.resultserver] DEBUG: Task #6588613 is sending a BSON stream
2025-06-25 12:52:08,100 [cuckoo.core.resultserver] DEBUG: Task #6588613 is sending a BSON stream
2025-06-25 12:52:08,124 [cuckoo.core.resultserver] DEBUG: Task #6588613: File upload for 'files/15fbe30a2bb6e433_~DF0B7FDF8CE48281E7.TMP'
2025-06-25 12:52:08,128 [cuckoo.core.resultserver] DEBUG: Task #6588613 uploaded file length: 25686
2025-06-25 12:52:08,234 [cuckoo.core.resultserver] DEBUG: Task #6588613 is sending a BSON stream
2025-06-25 12:52:08,318 [cuckoo.core.resultserver] DEBUG: Task #6588613: File upload for 'shots/0001.jpg'
2025-06-25 12:52:08,339 [cuckoo.core.resultserver] DEBUG: Task #6588613 uploaded file length: 133522
2025-06-25 12:52:20,755 [cuckoo.core.guest] DEBUG: win7x6425: analysis #6588613 still processing
2025-06-25 12:52:35,890 [cuckoo.core.guest] DEBUG: win7x6425: analysis #6588613 still processing
2025-06-25 12:52:50,980 [cuckoo.core.guest] DEBUG: win7x6425: analysis #6588613 still processing
2025-06-25 12:53:06,233 [cuckoo.core.guest] DEBUG: win7x6425: analysis #6588613 still processing
2025-06-25 12:53:21,545 [cuckoo.core.guest] DEBUG: win7x6425: analysis #6588613 still processing
2025-06-25 12:53:36,931 [cuckoo.core.guest] DEBUG: win7x6425: analysis #6588613 still processing
2025-06-25 12:53:52,089 [cuckoo.core.guest] DEBUG: win7x6425: analysis #6588613 still processing
2025-06-25 12:54:07,184 [cuckoo.core.guest] DEBUG: win7x6425: analysis #6588613 still processing
2025-06-25 12:54:22,338 [cuckoo.core.guest] DEBUG: win7x6425: analysis #6588613 still processing
2025-06-25 12:54:37,453 [cuckoo.core.guest] DEBUG: win7x6425: analysis #6588613 still processing
2025-06-25 12:54:52,579 [cuckoo.core.guest] DEBUG: win7x6425: analysis #6588613 still processing
2025-06-25 12:55:07,723 [cuckoo.core.guest] DEBUG: win7x6425: analysis #6588613 still processing
2025-06-25 12:55:22,845 [cuckoo.core.guest] DEBUG: win7x6425: analysis #6588613 still processing
2025-06-25 12:55:26,458 [cuckoo.core.resultserver] DEBUG: Task #6588613: File upload for 'curtain/1750502608.34.curtain.log'
2025-06-25 12:55:26,461 [cuckoo.core.resultserver] DEBUG: Task #6588613 uploaded file length: 36
2025-06-25 12:55:27,610 [cuckoo.core.resultserver] DEBUG: Task #6588613: File upload for 'sysmon/1750502609.45.sysmon.xml'
2025-06-25 12:55:27,880 [cuckoo.core.resultserver] DEBUG: Task #6588613 uploaded file length: 14968048
2025-06-25 12:55:27,911 [cuckoo.core.resultserver] DEBUG: Task #6588613: File upload for 'files/b035dc93563ab985_sys.exe'
2025-06-25 12:55:27,914 [cuckoo.core.resultserver] DEBUG: Task #6588613: File upload for 'files/a9aabf01a65bf1cd_sys.exe'
2025-06-25 12:55:27,918 [cuckoo.core.resultserver] DEBUG: Task #6588613 had connection reset for <Context for LOG>
2025-06-25 12:55:27,922 [cuckoo.core.resultserver] DEBUG: Task #6588613 uploaded file length: 140723
2025-06-25 12:55:27,924 [cuckoo.core.resultserver] DEBUG: Task #6588613 uploaded file length: 140723
2025-06-25 12:55:28,878 [cuckoo.core.guest] INFO: win7x6425: analysis completed successfully
2025-06-25 12:55:28,890 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-06-25 12:55:28,923 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-06-25 12:55:29,953 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6425 to path /srv/cuckoo/cwd/storage/analyses/6588613/memory.dmp
2025-06-25 12:55:29,954 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6425
2025-06-25 12:57:56,643 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.225 for task #6588613
2025-06-25 12:57:57,544 [cuckoo.core.scheduler] DEBUG: Released database task #6588613
2025-06-25 12:57:57,563 [cuckoo.core.scheduler] INFO: Task #6588613: analysis procedure completed

Signatures

Yara rule detected for file (1 event)
description (no description) rule SEH__vba
Command line console output was observed (1 event)
WriteConsoleW
  buffer: ERROR: The process "KSafeTray.exe" not found.
  console_handle: 0x0000000b
  Status: 1  Return: 1  Repeated: 0
One or more processes crashed (3 events)
__exception__
  stacktrace:
    EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf
    rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228
  exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
  exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xc41f
  exception.instruction: leave
  exception.module: KERNELBASE.dll
  exception.exception_code: 0xc000008f
  exception.offset: 50207
  exception.address: 0x76e5c41f
  registers.esp: 1635416
  registers.edi: 3215184
  registers.eax: 1635416
  registers.ebp: 1635496
  registers.edx: 0
  registers.ebx: 3215184
  registers.esi: 3215184
  registers.ecx: 2
  Status: 1  Return: 0  Repeated: 0

__exception__
  stacktrace:
    EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf
    rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228
  exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
  exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xc41f
  exception.instruction: leave
  exception.module: KERNELBASE.dll
  exception.exception_code: 0xc000008f
  exception.offset: 50207
  exception.address: 0x76e5c41f
  registers.esp: 1634856
  registers.edi: 5391416
  registers.eax: 1634856
  registers.ebp: 1634936
  registers.edx: 0
  registers.ebx: 5391416
  registers.esi: 5391416
  registers.ecx: 2
  Status: 1  Return: 0  Repeated: 0

__exception__
  stacktrace:
    EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf
    rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228
  exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
  exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xc41f
  exception.instruction: leave
  exception.module: KERNELBASE.dll
  exception.exception_code: 0xc000008f
  exception.offset: 50207
  exception.address: 0x76e5c41f
  registers.esp: 1635072
  registers.edi: 5391416
  registers.eax: 1635072
  registers.ebp: 1635152
  registers.edx: 0
  registers.ebx: 5391416
  registers.esi: 5391416
  registers.ecx: 2
  Status: 1  Return: 0  Repeated: 0
Foreign language identified in PE resource (1 event)
name: RT_VERSION  language: LANG_CHINESE  filetype: data  sublanguage: SUBLANG_CHINESE_SIMPLIFIED  offset: 0x0001b1e0  size: 0x00000220
Creates executable files on the filesystem (2 events)
file c:\sys.exe
file C:\Windows\sys.exe
Executes one or more WMI queries (1 event)
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "KSafeTray.exe")
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (38 events)
Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)
NtProtectVirtualMemory
  process_identifier: 2684
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 1
  length: 24576
  protection: 32 (PAGE_EXECUTE_READ)
  base_address: 0x004d0000
  process_handle: 0xffffffff
  Status: 1  Return: 0  Repeated: 0
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
LookupPrivilegeValueW
  system_name:
  privilege_name: SeDebugPrivilege
  Status: 1  Return: 1  Repeated: 0
Uses Windows utilities for basic Windows functionality (2 events)
cmdline taskkill.exe /im KSafeTray.exe /f
cmdline cmd /c del 2aa2960252e67e3b_sys.exe
File has been identified by 13 AntiVirus engines on IRMA as malicious (13 events)
G Data Antivirus (Windows) Virus: Generic.Dacic.76A3436A.A.D03FD49E (Engine A), Win32.Trojan.PSE.12470O7 (Engine B)
Avast Core Security (Linux) Win32:MalwareX-gen [Drp]
C4S ClamAV (Linux) Win.Malware.Cyns-7782618-0
Trellix (Linux) GenericRXAE-GJ
WithSecure (Linux) Trojan.TR/Dropper.Gen
eScan Antivirus (Linux) Generic.Dacic.76A3436A.A.D03FD49E(DB)
ESET Security (Windows) Win32/VB.PRB trojan
Sophos Anti-Virus (Linux) Mal/VB-WA
DrWeb Antivirus (Linux) Trojan.Click1.60752
ClamAV (Linux) Win.Malware.Cyns-7782618-0
Bitdefender Antivirus (Linux) Generic.Dacic.76A3436A.A.D03FD49E
Kaspersky Standard (Windows) Trojan-Dropper.Win32.Cyns.a
Emsisoft Commandline Scanner (Windows) Generic.Dacic.76A3436A.A.D03FD49E (B)
Screenshots
Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action VT Location
No hosts contacted.