Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
201s -
max time network
206s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
14/10/2023, 17:48
General
-
Target
NEAS.2845d2c47e82803641cbf778a1ed9e10.exe
-
Size
101KB
-
MD5
2845d2c47e82803641cbf778a1ed9e10
-
SHA1
cc248904680364348e5a894bc997661a8d57f823
-
SHA256
c87cc712b1cfe4f7fc6721562adee611f1d2d047a8bb07208bb6a18183001c2c
-
SHA512
d6ed8d2725b6d43a198dd40c84571c5c6b6fb6151189627b1ce394a9cab1a3ca3d723e6a3979e7a0159cbb003ae641c7beb2e6793c182cb713710fbf530ddaaf
-
SSDEEP
3072:CnfXNmt43x2ug3QduXqbyu0sY7q5AnrHY4vDX:Co4Qug3X853Anr44vDX
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
-
Executes dropped EXE 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.2845d2c47e82803641cbf778a1ed9e10.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.2845d2c47e82803641cbf778a1ed9e10.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Daollh32.exeC:\Windows\system32\Daollh32.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ejjaqk32.exeC:\Windows\system32\Ejjaqk32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Egnajocq.exeC:\Windows\system32\Egnajocq.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Enhifi32.exeC:\Windows\system32\Enhifi32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ekljpm32.exeC:\Windows\system32\Ekljpm32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Eddnic32.exeC:\Windows\system32\Eddnic32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ejagaj32.exeC:\Windows\system32\Ejagaj32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ekqckmfb.exeC:\Windows\system32\Ekqckmfb.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Eqmlccdi.exeC:\Windows\system32\Eqmlccdi.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Fkemfl32.exeC:\Windows\system32\Fkemfl32.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Fglnkm32.exeC:\Windows\system32\Fglnkm32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Fqdbdbna.exeC:\Windows\system32\Fqdbdbna.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Fnhbmgmk.exeC:\Windows\system32\Fnhbmgmk.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Fqikob32.exeC:\Windows\system32\Fqikob32.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ggepalof.exeC:\Windows\system32\Ggepalof.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Gjficg32.exeC:\Windows\system32\Gjficg32.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Gkefmjcj.exeC:\Windows\system32\Gkefmjcj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Gdnjfojj.exeC:\Windows\system32\Gdnjfojj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Gjkbnfha.exeC:\Windows\system32\Gjkbnfha.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hccggl32.exeC:\Windows\system32\Hccggl32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hqghqpnl.exeC:\Windows\system32\Hqghqpnl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hbfdjc32.exeC:\Windows\system32\Hbfdjc32.exe23⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Hkohchko.exeC:\Windows\system32\Hkohchko.exe24⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Hcjmhk32.exeC:\Windows\system32\Hcjmhk32.exe25⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Hejjanpm.exeC:\Windows\system32\Hejjanpm.exe26⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ielfgmnj.exeC:\Windows\system32\Ielfgmnj.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Ibpgqa32.exeC:\Windows\system32\Ibpgqa32.exe28⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Igmoih32.exeC:\Windows\system32\Igmoih32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Iccpniqp.exeC:\Windows\system32\Iccpniqp.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Idhiii32.exeC:\Windows\system32\Idhiii32.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Jaljbmkd.exeC:\Windows\system32\Jaljbmkd.exe32⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jlanpfkj.exeC:\Windows\system32\Jlanpfkj.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jnbgaa32.exeC:\Windows\system32\Jnbgaa32.exe34⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jjihfbno.exeC:\Windows\system32\Jjihfbno.exe35⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Jogqlpde.exeC:\Windows\system32\Jogqlpde.exe36⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jddiegbm.exeC:\Windows\system32\Jddiegbm.exe37⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Koimbpbc.exeC:\Windows\system32\Koimbpbc.exe38⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Khabke32.exeC:\Windows\system32\Khabke32.exe39⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kefbdjgm.exeC:\Windows\system32\Kefbdjgm.exe40⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Klpjad32.exeC:\Windows\system32\Klpjad32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kalcik32.exeC:\Windows\system32\Kalcik32.exe42⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kkegbpca.exeC:\Windows\system32\Kkegbpca.exe43⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Kejloi32.exeC:\Windows\system32\Kejloi32.exe44⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kocphojh.exeC:\Windows\system32\Kocphojh.exe45⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Khkdad32.exeC:\Windows\system32\Khkdad32.exe46⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Lacijjgi.exeC:\Windows\system32\Lacijjgi.exe47⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Logicn32.exeC:\Windows\system32\Logicn32.exe48⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Llkjmb32.exeC:\Windows\system32\Llkjmb32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Mclhjkfa.exeC:\Windows\system32\Mclhjkfa.exe50⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Mlemcq32.exeC:\Windows\system32\Mlemcq32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Mhknhabf.exeC:\Windows\system32\Mhknhabf.exe52⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Mepnaf32.exeC:\Windows\system32\Mepnaf32.exe53⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Mklfjm32.exeC:\Windows\system32\Mklfjm32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Mhpgca32.exeC:\Windows\system32\Mhpgca32.exe55⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Nhbciqln.exeC:\Windows\system32\Nhbciqln.exe56⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Nchhfild.exeC:\Windows\system32\Nchhfild.exe57⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Nkcmjlio.exeC:\Windows\system32\Nkcmjlio.exe58⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Ndlacapp.exeC:\Windows\system32\Ndlacapp.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Napameoi.exeC:\Windows\system32\Napameoi.exe60⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Bcbeqaia.exeC:\Windows\system32\Bcbeqaia.exe61⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Efopjbjg.exeC:\Windows\system32\Efopjbjg.exe62⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Pknghk32.exeC:\Windows\system32\Pknghk32.exe63⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Qpkppbho.exeC:\Windows\system32\Qpkppbho.exe64⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Odnfonag.exeC:\Windows\system32\Odnfonag.exe65⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Bdmdng32.exeC:\Windows\system32\Bdmdng32.exe66⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Gajibq32.exeC:\Windows\system32\Gajibq32.exe67⤵
-
C:\Windows\SysWOW64\Kfdcbiol.exeC:\Windows\system32\Kfdcbiol.exe68⤵
-
C:\Windows\SysWOW64\Khbpndnp.exeC:\Windows\system32\Khbpndnp.exe69⤵
-
C:\Windows\SysWOW64\Komhkn32.exeC:\Windows\system32\Komhkn32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Hpeejfjm.exeC:\Windows\system32\Hpeejfjm.exe71⤵
-
C:\Windows\SysWOW64\Mnaghb32.exeC:\Windows\system32\Mnaghb32.exe72⤵
-
C:\Windows\SysWOW64\Cebllbcc.exeC:\Windows\system32\Cebllbcc.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Cpljdjnd.exeC:\Windows\system32\Cpljdjnd.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Dekobaki.exeC:\Windows\system32\Dekobaki.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Dhjknljl.exeC:\Windows\system32\Dhjknljl.exe76⤵
-
C:\Windows\SysWOW64\Dcalae32.exeC:\Windows\system32\Dcalae32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
-
C:\Windows\SysWOW64\Echbad32.exeC:\Windows\system32\Echbad32.exe78⤵
-
C:\Windows\SysWOW64\Efgono32.exeC:\Windows\system32\Efgono32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Eplckh32.exeC:\Windows\system32\Eplckh32.exe80⤵
-
C:\Windows\SysWOW64\Eflhiolf.exeC:\Windows\system32\Eflhiolf.exe81⤵
-
C:\Windows\SysWOW64\Fqcilgji.exeC:\Windows\system32\Fqcilgji.exe82⤵
-
C:\Windows\SysWOW64\Fcbehbim.exeC:\Windows\system32\Fcbehbim.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Fmjjqhpn.exeC:\Windows\system32\Fmjjqhpn.exe84⤵
-
C:\Windows\SysWOW64\Ffbnin32.exeC:\Windows\system32\Ffbnin32.exe85⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Ffekom32.exeC:\Windows\system32\Ffekom32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Fmoclg32.exeC:\Windows\system32\Fmoclg32.exe87⤵
-
C:\Windows\SysWOW64\Fblldn32.exeC:\Windows\system32\Fblldn32.exe88⤵
-
C:\Windows\SysWOW64\Gpgbna32.exeC:\Windows\system32\Gpgbna32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Giofggia.exeC:\Windows\system32\Giofggia.exe90⤵
-
C:\Windows\SysWOW64\Hifmhf32.exeC:\Windows\system32\Hifmhf32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Hboaql32.exeC:\Windows\system32\Hboaql32.exe92⤵
-
C:\Windows\SysWOW64\Hihimfag.exeC:\Windows\system32\Hihimfag.exe93⤵
-
C:\Windows\SysWOW64\Hcnnjoam.exeC:\Windows\system32\Hcnnjoam.exe94⤵
-
C:\Windows\SysWOW64\Hikfbeod.exeC:\Windows\system32\Hikfbeod.exe95⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Hjjbmhfg.exeC:\Windows\system32\Hjjbmhfg.exe96⤵
-
C:\Windows\SysWOW64\Hpgkeodo.exeC:\Windows\system32\Hpgkeodo.exe97⤵
-
C:\Windows\SysWOW64\Iippne32.exeC:\Windows\system32\Iippne32.exe98⤵
-
C:\Windows\SysWOW64\Iafgob32.exeC:\Windows\system32\Iafgob32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
-
C:\Windows\SysWOW64\Ifcpgiji.exeC:\Windows\system32\Ifcpgiji.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Iiblcdil.exeC:\Windows\system32\Iiblcdil.exe101⤵
-
C:\Windows\SysWOW64\Icgqqmib.exeC:\Windows\system32\Icgqqmib.exe102⤵
-
C:\Windows\SysWOW64\Ijaimg32.exeC:\Windows\system32\Ijaimg32.exe103⤵
-
C:\Windows\SysWOW64\Ipnaen32.exeC:\Windows\system32\Ipnaen32.exe104⤵
-
C:\Windows\SysWOW64\Ifhibhfc.exeC:\Windows\system32\Ifhibhfc.exe105⤵
-
C:\Windows\SysWOW64\Jikojcaa.exeC:\Windows\system32\Jikojcaa.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Jabgkpad.exeC:\Windows\system32\Jabgkpad.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Jaddpppa.exeC:\Windows\system32\Jaddpppa.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Jbfphh32.exeC:\Windows\system32\Jbfphh32.exe109⤵
-
C:\Windows\SysWOW64\Jdembk32.exeC:\Windows\system32\Jdembk32.exe110⤵
-
C:\Windows\SysWOW64\Jjoeoedo.exeC:\Windows\system32\Jjoeoedo.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Jdhigk32.exeC:\Windows\system32\Jdhigk32.exe112⤵
-
C:\Windows\SysWOW64\Jaljaoii.exeC:\Windows\system32\Jaljaoii.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Kkdnjd32.exeC:\Windows\system32\Kkdnjd32.exe114⤵
-
C:\Windows\SysWOW64\Kdlcbjfj.exeC:\Windows\system32\Kdlcbjfj.exe115⤵
-
C:\Windows\SysWOW64\Kiikkada.exeC:\Windows\system32\Kiikkada.exe116⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Kkihedld.exeC:\Windows\system32\Kkihedld.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Kabpan32.exeC:\Windows\system32\Kabpan32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Kcdmifip.exeC:\Windows\system32\Kcdmifip.exe119⤵
-
C:\Windows\SysWOW64\Kaemgn32.exeC:\Windows\system32\Kaemgn32.exe120⤵
-
C:\Windows\SysWOW64\Kcfiof32.exeC:\Windows\system32\Kcfiof32.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-