Windows Analysis Report
a.exe

Overview

General Information

Sample name: a.exe
Analysis ID: 1502377
MD5: e0edce3fd9e04c946b2f79fa39b5304f
SHA1: 02accb65a5defb459a922a756e8571b35fb27138
SHA256: 7ec33e949fe60ae7e6c6d086d35fe594f60e6eca8fb90ff8d5e010abee80f0ed
Tags: exe

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
PE file contains executable resources (Code or Archives)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry

Classification

AV Detection

Source: a.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: a.exe ReversingLabs: Detection: 84%
Source: a.exe Virustotal: Detection: 76%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 96.7% probability
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Joe Sandbox ML: detected
Source: a.exe Joe Sandbox ML: detected
Source: a.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Operating System Destruction

Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Process information set: 1D 00 00 00
Source: C:\Users\user\Desktop\a.exe Code function: 0_2_004085D0 0_2_004085D0
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Code function: 4_2_004085D0 4_2_004085D0
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Code function: 5_2_004085D0 5_2_004085D0
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Code function: 7_2_004085D0 7_2_004085D0
Source: a.exe Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: WindowsService.exe.0.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: a.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe" /f
Source: classification engine Classification label: mal80.winEXE@11/3@0/0
Source: C:\Users\user\Desktop\a.exe File created: C:\Users\user\AppData\Roaming\SystemWindows\
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7352:120:WilError_03
Source: C:\Users\user\Desktop\a.exe File created: C:\Users\user\AppData\Local\Temp\HMIIU.txt
Source: C:\Users\user\Desktop\a.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\HMIIU.bat" "
Source: C:\Users\user\Desktop\a.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\a.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: a.exe ReversingLabs: Detection: 84%
Source: a.exe Virustotal: Detection: 76%
Source: C:\Users\user\Desktop\a.exe File read: C:\Users\user\Desktop\a.exe
Source: unknown Process created: C:\Users\user\Desktop\a.exe "C:\Users\user\Desktop\a.exe"
Source: C:\Users\user\Desktop\a.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\HMIIU.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe" /f
Source: C:\Users\user\Desktop\a.exe Process created: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe "C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe "C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe "C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe"
Source: C:\Users\user\Desktop\a.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\HMIIU.bat" "
Source: C:\Users\user\Desktop\a.exe Process created: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe "C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe" /f
Source: C:\Users\user\Desktop\a.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: msvbvm60.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: vb6zz.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: lz32.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: vb6zz.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: vb6zz.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: vb6zz.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\a.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\a.exe Code function: 0_2_00401BC4 push 00401100h; ret 0_2_00401BD7
Source: C:\Users\user\Desktop\a.exe Code function: 0_2_00401A88 push 00401100h; ret 0_2_00401B87
Source: C:\Users\user\Desktop\a.exe Code function: 0_2_00401B88 push 00401100h; ret 0_2_00401B9B
Source: C:\Users\user\Desktop\a.exe Code function: 0_2_00401B9C push 00401100h; ret 0_2_00401BAF
Source: C:\Users\user\Desktop\a.exe Code function: 0_2_00401BB0 push 00401100h; ret 0_2_00401BC3
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Code function: 4_2_00401BC4 push 00401100h; ret 4_2_00401BD7
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Code function: 4_2_00401A88 push 00401100h; ret 4_2_00401B87
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Code function: 4_2_00401B88 push 00401100h; ret 4_2_00401B9B
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Code function: 4_2_00401B9C push 00401100h; ret 4_2_00401BAF
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Code function: 4_2_00401BB0 push 00401100h; ret 4_2_00401BC3
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Code function: 5_2_00401BC4 push 00401100h; ret 5_2_00401BD7
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Code function: 5_2_00401A88 push 00401100h; ret 5_2_00401B87
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Code function: 5_2_00401B88 push 00401100h; ret 5_2_00401B9B
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Code function: 5_2_00401B9C push 00401100h; ret 5_2_00401BAF
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Code function: 5_2_00401BB0 push 00401100h; ret 5_2_00401BC3
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Code function: 7_2_00401BC4 push 00401100h; ret 7_2_00401BD7
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Code function: 7_2_00401A88 push 00401100h; ret 7_2_00401B87
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Code function: 7_2_00401B88 push 00401100h; ret 7_2_00401B9B
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Code function: 7_2_00401B9C push 00401100h; ret 7_2_00401BAF
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Code function: 7_2_00401BB0 push 00401100h; ret 7_2_00401BC3
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\a.exe File created: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sidebar
Source: C:\Users\user\Desktop\a.exe Process information set: NOOPENFILEERRORBOX (reported 23 times)
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Process information set: NOOPENFILEERRORBOX (reported 15 times)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\a.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\HMIIU.bat" "
Source: C:\Users\user\Desktop\a.exe Process created: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe "C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe" /f
No contacted IP infos