32d262678e6d4dfc8d1c7e526054cee75a36a874bd8bc9b9f6e657f68ec8f1ea

Analysis

max time kernel
147s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 23:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3f595b1921a904b90529846fa57a4190_JaffaCakes118.exe
Size

92KB
MD5

3f595b1921a904b90529846fa57a4190
SHA1

b17f21d4cc0d9c21418e5b25da3029425fd0126c
SHA256

32d262678e6d4dfc8d1c7e526054cee75a36a874bd8bc9b9f6e657f68ec8f1ea
SHA512

6fec913d6d8dee3c1fd01f11b5d399f43013e8582c82e3e6cc55e6069ad24f1b47b2e3e6d9e1ddc6b21a947aaa817f18af35adb6d3ad0a1159bf2df27d7cdb7b
SSDEEP

1536:VdyDm3xH/6TpJ7hrpmkhucjmzjHHqXojhbZLF96lotSoDTRnwvpw:/M8xHSPxg/jqXoN1WldcBUw

Score

7^/10

evasion

Malware Config

Signatures

Executes dropped EXE 40 IoCs

pid	Process
1888	qeijdsfhst.exe
2756	qeijdsfhst.exe
2748	qeijdsfhst.exe
2820	qeijdsfhst.exe
2284	qeijdsfhst.exe
2044	qeijdsfhst.exe
2040	qeijdsfhst.exe
1848	qeijdsfhst.exe
2060	qeijdsfhst.exe
2388	qeijdsfhst.exe
1484	qeijdsfhst.exe
708	qeijdsfhst.exe
2336	qeijdsfhst.exe
1472	qeijdsfhst.exe
2524	qeijdsfhst.exe
1752	qeijdsfhst.exe
112	qeijdsfhst.exe
1564	qeijdsfhst.exe
3028	qeijdsfhst.exe
2900	qeijdsfhst.exe
2576	qeijdsfhst.exe
2724	qeijdsfhst.exe
2748	qeijdsfhst.exe
1912	qeijdsfhst.exe
2284	qeijdsfhst.exe
640	qeijdsfhst.exe
2416	qeijdsfhst.exe
2404	qeijdsfhst.exe
316	qeijdsfhst.exe
968	qeijdsfhst.exe
2468	qeijdsfhst.exe
2536	qeijdsfhst.exe
2116	qeijdsfhst.exe
576	qeijdsfhst.exe
3016	qeijdsfhst.exe
928	qeijdsfhst.exe
2232	qeijdsfhst.exe
2896	qeijdsfhst.exe
2828	qeijdsfhst.exe
2716	qeijdsfhst.exe

Identifies Wine through registry keys 2 TTPs 21 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	qeijdsfhst.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	3f595b1921a904b90529846fa57a4190_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	qeijdsfhst.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	qeijdsfhst.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	qeijdsfhst.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	qeijdsfhst.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	qeijdsfhst.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	qeijdsfhst.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	qeijdsfhst.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	qeijdsfhst.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	qeijdsfhst.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	qeijdsfhst.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	qeijdsfhst.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	qeijdsfhst.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	qeijdsfhst.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	qeijdsfhst.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	qeijdsfhst.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	qeijdsfhst.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	qeijdsfhst.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	qeijdsfhst.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	qeijdsfhst.exe

Loads dropped DLL 1 IoCs

pid	Process
2756	qeijdsfhst.exe

Suspicious use of SetThreadContext 21 IoCs

description	pid	Process	procid_target
PID 2956 set thread context of 3004	2956	3f595b1921a904b90529846fa57a4190_JaffaCakes118.exe	31
PID 1888 set thread context of 2756	1888	qeijdsfhst.exe	33
PID 2748 set thread context of 2820	2748	qeijdsfhst.exe	35
PID 2284 set thread context of 2044	2284	qeijdsfhst.exe	37
PID 2040 set thread context of 1848	2040	qeijdsfhst.exe	39
PID 2060 set thread context of 2388	2060	qeijdsfhst.exe	41
PID 1484 set thread context of 708	1484	qeijdsfhst.exe	43
PID 2336 set thread context of 1472	2336	qeijdsfhst.exe	45
PID 2524 set thread context of 1752	2524	qeijdsfhst.exe	47
PID 112 set thread context of 1564	112	qeijdsfhst.exe	49
PID 3028 set thread context of 2900	3028	qeijdsfhst.exe	51
PID 2576 set thread context of 2724	2576	qeijdsfhst.exe	53
PID 2748 set thread context of 1912	2748	qeijdsfhst.exe	55
PID 2284 set thread context of 640	2284	qeijdsfhst.exe	57
PID 2416 set thread context of 2404	2416	qeijdsfhst.exe	59
PID 316 set thread context of 968	316	qeijdsfhst.exe	61
PID 2468 set thread context of 2536	2468	qeijdsfhst.exe	63
PID 2116 set thread context of 576	2116	qeijdsfhst.exe	65
PID 3016 set thread context of 928	3016	qeijdsfhst.exe	67
PID 2232 set thread context of 2896	2232	qeijdsfhst.exe	69
PID 2828 set thread context of 2716	2828	qeijdsfhst.exe	71

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	\??\c:\windows\qeijdsfhst.exe	qeijdsfhst.exe
File opened for modification	\??\c:\windows\qeijdsfhst.exe	qeijdsfhst.exe
File created	\??\c:\windows\qeijdsfhst.exe	qeijdsfhst.exe
File created	\??\c:\windows\qeijdsfhst.exe	3f595b1921a904b90529846fa57a4190_JaffaCakes118.exe
File opened for modification	\??\c:\windows\qeijdsfhst.exe	qeijdsfhst.exe
File opened for modification	\??\c:\windows\qeijdsfhst.exe	qeijdsfhst.exe
File opened for modification	\??\c:\windows\qeijdsfhst.exe	qeijdsfhst.exe
File created	\??\c:\windows\qeijdsfhst.exe	qeijdsfhst.exe
File opened for modification	\??\c:\windows\qeijdsfhst.exe	3f595b1921a904b90529846fa57a4190_JaffaCakes118.exe
File created	\??\c:\windows\qeijdsfhst.exe	qeijdsfhst.exe
File created	\??\c:\windows\qeijdsfhst.exe	qeijdsfhst.exe
File opened for modification	\??\c:\windows\qeijdsfhst.exe	qeijdsfhst.exe
File opened for modification	\??\c:\windows\qeijdsfhst.exe	qeijdsfhst.exe
File created	\??\c:\windows\qeijdsfhst.exe	qeijdsfhst.exe
File created	\??\c:\windows\qeijdsfhst.exe	qeijdsfhst.exe
File opened for modification	\??\c:\windows\qeijdsfhst.exe	qeijdsfhst.exe
File opened for modification	\??\c:\windows\qeijdsfhst.exe	qeijdsfhst.exe
File created	\??\c:\windows\qeijdsfhst.exe	qeijdsfhst.exe
File created	\??\c:\windows\qeijdsfhst.exe	qeijdsfhst.exe
File opened for modification	\??\c:\windows\qeijdsfhst.exe	qeijdsfhst.exe
File created	\??\c:\windows\qeijdsfhst.exe	qeijdsfhst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2956	3f595b1921a904b90529846fa57a4190_JaffaCakes118.exe
1888	qeijdsfhst.exe
2748	qeijdsfhst.exe
2284	qeijdsfhst.exe
2040	qeijdsfhst.exe
2060	qeijdsfhst.exe
1484	qeijdsfhst.exe
2336	qeijdsfhst.exe
2524	qeijdsfhst.exe
112	qeijdsfhst.exe
3028	qeijdsfhst.exe
2576	qeijdsfhst.exe
2748	qeijdsfhst.exe
2284	qeijdsfhst.exe
2416	qeijdsfhst.exe
316	qeijdsfhst.exe
2468	qeijdsfhst.exe
2116	qeijdsfhst.exe
3016	qeijdsfhst.exe
2232	qeijdsfhst.exe
2828	qeijdsfhst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 3004	2956	3f595b1921a904b90529846fa57a4190_JaffaCakes118.exe	31
PID 2956 wrote to memory of 3004	2956	3f595b1921a904b90529846fa57a4190_JaffaCakes118.exe	31
PID 2956 wrote to memory of 3004	2956	3f595b1921a904b90529846fa57a4190_JaffaCakes118.exe	31
PID 2956 wrote to memory of 3004	2956	3f595b1921a904b90529846fa57a4190_JaffaCakes118.exe	31
PID 2956 wrote to memory of 3004	2956	3f595b1921a904b90529846fa57a4190_JaffaCakes118.exe	31
PID 2956 wrote to memory of 3004	2956	3f595b1921a904b90529846fa57a4190_JaffaCakes118.exe	31
PID 2956 wrote to memory of 3004	2956	3f595b1921a904b90529846fa57a4190_JaffaCakes118.exe	31
PID 2956 wrote to memory of 3004	2956	3f595b1921a904b90529846fa57a4190_JaffaCakes118.exe	31
PID 2956 wrote to memory of 3004	2956	3f595b1921a904b90529846fa57a4190_JaffaCakes118.exe	31
PID 2956 wrote to memory of 3004	2956	3f595b1921a904b90529846fa57a4190_JaffaCakes118.exe	31
PID 2956 wrote to memory of 3004	2956	3f595b1921a904b90529846fa57a4190_JaffaCakes118.exe	31
PID 2956 wrote to memory of 3004	2956	3f595b1921a904b90529846fa57a4190_JaffaCakes118.exe	31
PID 2956 wrote to memory of 3004	2956	3f595b1921a904b90529846fa57a4190_JaffaCakes118.exe	31
PID 3004 wrote to memory of 1888	3004	3f595b1921a904b90529846fa57a4190_JaffaCakes118.exe	32
PID 3004 wrote to memory of 1888	3004	3f595b1921a904b90529846fa57a4190_JaffaCakes118.exe	32
PID 3004 wrote to memory of 1888	3004	3f595b1921a904b90529846fa57a4190_JaffaCakes118.exe	32
PID 3004 wrote to memory of 1888	3004	3f595b1921a904b90529846fa57a4190_JaffaCakes118.exe	32
PID 1888 wrote to memory of 2756	1888	qeijdsfhst.exe	33
PID 1888 wrote to memory of 2756	1888	qeijdsfhst.exe	33
PID 1888 wrote to memory of 2756	1888	qeijdsfhst.exe	33
PID 1888 wrote to memory of 2756	1888	qeijdsfhst.exe	33
PID 1888 wrote to memory of 2756	1888	qeijdsfhst.exe	33
PID 1888 wrote to memory of 2756	1888	qeijdsfhst.exe	33
PID 1888 wrote to memory of 2756	1888	qeijdsfhst.exe	33
PID 1888 wrote to memory of 2756	1888	qeijdsfhst.exe	33
PID 1888 wrote to memory of 2756	1888	qeijdsfhst.exe	33
PID 1888 wrote to memory of 2756	1888	qeijdsfhst.exe	33
PID 1888 wrote to memory of 2756	1888	qeijdsfhst.exe	33
PID 1888 wrote to memory of 2756	1888	qeijdsfhst.exe	33
PID 1888 wrote to memory of 2756	1888	qeijdsfhst.exe	33
PID 2756 wrote to memory of 2748	2756	qeijdsfhst.exe	34
PID 2756 wrote to memory of 2748	2756	qeijdsfhst.exe	34
PID 2756 wrote to memory of 2748	2756	qeijdsfhst.exe	34
PID 2756 wrote to memory of 2748	2756	qeijdsfhst.exe	34
PID 2748 wrote to memory of 2820	2748	qeijdsfhst.exe	35
PID 2748 wrote to memory of 2820	2748	qeijdsfhst.exe	35
PID 2748 wrote to memory of 2820	2748	qeijdsfhst.exe	35
PID 2748 wrote to memory of 2820	2748	qeijdsfhst.exe	35
PID 2748 wrote to memory of 2820	2748	qeijdsfhst.exe	35
PID 2748 wrote to memory of 2820	2748	qeijdsfhst.exe	35
PID 2748 wrote to memory of 2820	2748	qeijdsfhst.exe	35
PID 2748 wrote to memory of 2820	2748	qeijdsfhst.exe	35
PID 2748 wrote to memory of 2820	2748	qeijdsfhst.exe	35
PID 2748 wrote to memory of 2820	2748	qeijdsfhst.exe	35
PID 2748 wrote to memory of 2820	2748	qeijdsfhst.exe	35
PID 2748 wrote to memory of 2820	2748	qeijdsfhst.exe	35
PID 2748 wrote to memory of 2820	2748	qeijdsfhst.exe	35
PID 2820 wrote to memory of 2284	2820	qeijdsfhst.exe	36
PID 2820 wrote to memory of 2284	2820	qeijdsfhst.exe	36
PID 2820 wrote to memory of 2284	2820	qeijdsfhst.exe	36
PID 2820 wrote to memory of 2284	2820	qeijdsfhst.exe	36
PID 2284 wrote to memory of 2044	2284	qeijdsfhst.exe	37
PID 2284 wrote to memory of 2044	2284	qeijdsfhst.exe	37
PID 2284 wrote to memory of 2044	2284	qeijdsfhst.exe	37
PID 2284 wrote to memory of 2044	2284	qeijdsfhst.exe	37
PID 2284 wrote to memory of 2044	2284	qeijdsfhst.exe	37
PID 2284 wrote to memory of 2044	2284	qeijdsfhst.exe	37
PID 2284 wrote to memory of 2044	2284	qeijdsfhst.exe	37
PID 2284 wrote to memory of 2044	2284	qeijdsfhst.exe	37
PID 2284 wrote to memory of 2044	2284	qeijdsfhst.exe	37
PID 2284 wrote to memory of 2044	2284	qeijdsfhst.exe	37
PID 2284 wrote to memory of 2044	2284	qeijdsfhst.exe	37
PID 2284 wrote to memory of 2044	2284	qeijdsfhst.exe	37
PID 2284 wrote to memory of 2044	2284	qeijdsfhst.exe	37

C:\Users\Admin\AppData\Local\Temp\3f595b1921a904b90529846fa57a4190_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3f595b1921a904b90529846fa57a4190_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Users\Admin\AppData\Local\Temp\3f595b1921a904b90529846fa57a4190_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\3f595b1921a904b90529846fa57a4190_JaffaCakes118.exe
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\windows\qeijdsfhst.exe
    "C:\windows\qeijdsfhst.exe"
    3⤵
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\windows\qeijdsfhst.exe
      C:\windows\qeijdsfhst.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Users\Admin\appdata\local\qeijdsfhst.exe
        
        "C:\Users\Admin\appdata\local\qeijdsfhst.exe"
        5⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2748
      - C:\Users\Admin\appdata\local\qeijdsfhst.exe
        
        C:\Users\Admin\appdata\local\qeijdsfhst.exe
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\windows\qeijdsfhst.exe
        
        "C:\windows\qeijdsfhst.exe"
        7⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\windows\qeijdsfhst.exe
        
        C:\windows\qeijdsfhst.exe
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2044
        
        C:\Users\Admin\appdata\local\qeijdsfhst.exe
        
        "C:\Users\Admin\appdata\local\qeijdsfhst.exe"
        9⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2040
        
        C:\Users\Admin\appdata\local\qeijdsfhst.exe
        
        C:\Users\Admin\appdata\local\qeijdsfhst.exe
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1848
        
        C:\windows\qeijdsfhst.exe
        
        "C:\windows\qeijdsfhst.exe"
        11⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2060
        
        C:\windows\qeijdsfhst.exe
        
        C:\windows\qeijdsfhst.exe
        12⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2388
        
        C:\Users\Admin\appdata\local\qeijdsfhst.exe
        
        "C:\Users\Admin\appdata\local\qeijdsfhst.exe"
        13⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:1484
        
        C:\Users\Admin\appdata\local\qeijdsfhst.exe
        
        C:\Users\Admin\appdata\local\qeijdsfhst.exe
        14⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:708
        
        C:\windows\qeijdsfhst.exe
        
        "C:\windows\qeijdsfhst.exe"
        15⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2336
        
        C:\windows\qeijdsfhst.exe
        
        C:\windows\qeijdsfhst.exe
        16⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1472
        
        C:\Users\Admin\appdata\local\qeijdsfhst.exe
        
        "C:\Users\Admin\appdata\local\qeijdsfhst.exe"
        17⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2524
        
        C:\Users\Admin\appdata\local\qeijdsfhst.exe
        
        C:\Users\Admin\appdata\local\qeijdsfhst.exe
        18⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1752
        
        C:\windows\qeijdsfhst.exe
        
        "C:\windows\qeijdsfhst.exe"
        19⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:112
        
        C:\windows\qeijdsfhst.exe
        
        C:\windows\qeijdsfhst.exe
        20⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1564
        
        C:\Users\Admin\appdata\local\qeijdsfhst.exe
        
        "C:\Users\Admin\appdata\local\qeijdsfhst.exe"
        21⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:3028
        
        C:\Users\Admin\appdata\local\qeijdsfhst.exe
        
        C:\Users\Admin\appdata\local\qeijdsfhst.exe
        22⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2900
        
        C:\windows\qeijdsfhst.exe
        
        "C:\windows\qeijdsfhst.exe"
        23⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2576
        
        C:\windows\qeijdsfhst.exe
        
        C:\windows\qeijdsfhst.exe
        24⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2724
        
        C:\Users\Admin\appdata\local\qeijdsfhst.exe
        
        "C:\Users\Admin\appdata\local\qeijdsfhst.exe"
        25⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2748
        
        C:\Users\Admin\appdata\local\qeijdsfhst.exe
        
        C:\Users\Admin\appdata\local\qeijdsfhst.exe
        26⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1912
        
        C:\windows\qeijdsfhst.exe
        
        "C:\windows\qeijdsfhst.exe"
        27⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2284
        
        C:\windows\qeijdsfhst.exe
        
        C:\windows\qeijdsfhst.exe
        28⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:640
        
        C:\Users\Admin\appdata\local\qeijdsfhst.exe
        
        "C:\Users\Admin\appdata\local\qeijdsfhst.exe"
        29⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2416
        
        C:\Users\Admin\appdata\local\qeijdsfhst.exe
        
        C:\Users\Admin\appdata\local\qeijdsfhst.exe
        30⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2404
        
        C:\windows\qeijdsfhst.exe
        
        "C:\windows\qeijdsfhst.exe"
        31⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:316
        
        C:\windows\qeijdsfhst.exe
        
        C:\windows\qeijdsfhst.exe
        32⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:968
        
        C:\Users\Admin\appdata\local\qeijdsfhst.exe
        
        "C:\Users\Admin\appdata\local\qeijdsfhst.exe"
        33⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2468
        
        C:\Users\Admin\appdata\local\qeijdsfhst.exe
        
        C:\Users\Admin\appdata\local\qeijdsfhst.exe
        34⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2536
        
        C:\windows\qeijdsfhst.exe
        
        "C:\windows\qeijdsfhst.exe"
        35⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2116
        
        C:\windows\qeijdsfhst.exe
        
        C:\windows\qeijdsfhst.exe
        36⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:576
        
        C:\Users\Admin\appdata\local\qeijdsfhst.exe
        
        "C:\Users\Admin\appdata\local\qeijdsfhst.exe"
        37⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:3016
        
        C:\Users\Admin\appdata\local\qeijdsfhst.exe
        
        C:\Users\Admin\appdata\local\qeijdsfhst.exe
        38⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:928
        
        C:\windows\qeijdsfhst.exe
        
        "C:\windows\qeijdsfhst.exe"
        39⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2232
        
        C:\windows\qeijdsfhst.exe
        
        C:\windows\qeijdsfhst.exe
        40⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2896
        
        C:\Users\Admin\appdata\local\qeijdsfhst.exe
        
        "C:\Users\Admin\appdata\local\qeijdsfhst.exe"
        41⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2828
        
        C:\Users\Admin\appdata\local\qeijdsfhst.exe
        
        C:\Users\Admin\appdata\local\qeijdsfhst.exe
        42⤵
        Executes dropped EXE
        
        PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\qeijdsfhst.exe

Filesize
92KB

MD5
3f595b1921a904b90529846fa57a4190

SHA1
b17f21d4cc0d9c21418e5b25da3029425fd0126c

SHA256
32d262678e6d4dfc8d1c7e526054cee75a36a874bd8bc9b9f6e657f68ec8f1ea

SHA512
6fec913d6d8dee3c1fd01f11b5d399f43013e8582c82e3e6cc55e6069ad24f1b47b2e3e6d9e1ddc6b21a947aaa817f18af35adb6d3ad0a1159bf2df27d7cdb7b

Download Submit
memory/2756-62-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2756-53-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2756-52-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2820-94-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2820-87-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3004-21-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3004-14-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3004-10-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3004-8-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3004-6-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3004-4-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3004-2-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3004-12-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3004-29-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3004-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3004-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3004-18-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3004-20-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3004-19-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download