Windows Analysis Report
a.exe

Overview

General Information

Sample name: a.exe
Analysis ID: 1502378
MD5: b73211e7d1f0a1b73ce2233874a04104
SHA1: 7078418affd76b8e201fe1136b71f2c5d0c07022
SHA256: a7ca417a6f03578eb526c63f2d3ae4e189992886aea5052666e801ab4988385f
Tags: exe

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Creates a process in suspended mode (likely to inject code)
Drops PE files
Enables debug privileges
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara signature match

Classification

AV Detection

Source: a.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: a.exe ReversingLabs: Detection: 84%
Source: a.exe Virustotal: Detection: 63%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 90.8% probability
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Joe Sandbox ML: detected
Source: a.exe Joe Sandbox ML: detected
Source: a.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Operating System Destruction

Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Process information set: 1D 00 00 00

System Summary

Source: 00000000.00000003.2030263025.000000000059C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: a.exe Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: WindowsService.exe.0.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe" /f
Source: 00000000.00000003.2030263025.000000000059C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: classification engine Classification label: mal88.winEXE@11/3@0/0
Source: C:\Users\user\Desktop\a.exe File created: C:\Users\user\AppData\Roaming\SystemWindows\
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1984:120:WilError_03
Source: C:\Users\user\Desktop\a.exe File created: C:\Users\user\AppData\Local\Temp\JAVWK.txt
Source: C:\Users\user\Desktop\a.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\JAVWK.bat" "
Source: a.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\a.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\a.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\a.exe File read: C:\Users\user\Desktop\a.exe
Source: unknown Process created: C:\Users\user\Desktop\a.exe "C:\Users\user\Desktop\a.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\a.exe Process created: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe "C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe "C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe"
Source: C:\Users\user\Desktop\a.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: msvbvm60.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: vb6zz.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\a.exe Section loaded: lz32.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: vb6zz.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\a.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\a.exe Code function: 0_2_00401BC4 push 00401100h; ret 0_2_00401BD7
Source: C:\Users\user\Desktop\a.exe Code function: 0_2_00401A88 push 00401100h; ret 0_2_00401B87
Source: C:\Users\user\Desktop\a.exe Code function: 0_2_00401B88 push 00401100h; ret 0_2_00401B9B
Source: C:\Users\user\Desktop\a.exe Code function: 0_2_00401B9C push 00401100h; ret 0_2_00401BAF
Source: C:\Users\user\Desktop\a.exe Code function: 0_2_00401BB0 push 00401100h; ret 0_2_00401BC3
Source: C:\Users\user\Desktop\a.exe File created: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sidebar
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\a.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\SystemWindows\WindowsService.exe Process token adjusted: Debug
No contacted IP infos