e9a77559aca2dbad88861c7f806cddd48d71f3d4e063367c85fcbe99508a79bc

General

Target

Blueberry_Fortmeme_Injector_Release.exe
Size

4.2MB
MD5

1452fde0bd476a4daa12d2e415a51fe2
SHA1

fb47580708acefe32af301b4214e6399a5a023f2
SHA256

e9a77559aca2dbad88861c7f806cddd48d71f3d4e063367c85fcbe99508a79bc
SHA512

6d94f175f8b5bfd8995bc2b7610a4a0b3bc89db12e0462d5808324f9a8c914ae7e9bce77ce4c146642ab05a944635019b8e189a6fb62fc121d43b481eda342ec
SSDEEP

98304:8byLF2yUoEBX90eYjjpzTKiTRdUtqGLkQSSqsjDpvsbdU6b:q+4BzBX9eOi1dUtDLkkqsvUdtb

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Blueberry_Fortmeme_Injector_Release.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Blueberry_Fortmeme_Injector_Release.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Blueberry_Fortmeme_Injector_Release.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Blueberry_Fortmeme_Injector_Release.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Blueberry_Fortmeme_Injector_Release.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Blueberry_Fortmeme_Injector_Release.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/2044-54-0x000000013FB30000-0x0000000140620000-memory.dmp	themida
behavioral1/memory/2044-55-0x000000013FB30000-0x0000000140620000-memory.dmp	themida
behavioral1/memory/2044-57-0x000000013FB30000-0x0000000140620000-memory.dmp	themida
behavioral1/memory/2044-58-0x000000013FB30000-0x0000000140620000-memory.dmp	themida
behavioral1/memory/2044-59-0x000000013FB30000-0x0000000140620000-memory.dmp	themida
behavioral1/memory/2044-70-0x000000013FB30000-0x0000000140620000-memory.dmp	themida
behavioral1/memory/2044-71-0x000000013FB30000-0x0000000140620000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Blueberry_Fortmeme_Injector_Release.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Blueberry_Fortmeme_Injector_Release.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Blueberry_Fortmeme_Injector_Release.exe

pid process

2044 Blueberry_Fortmeme_Injector_Release.exe

pid	process
2044	Blueberry_Fortmeme_Injector_Release.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1620	taskkill.exe
1452	taskkill.exe
924	taskkill.exe
296	taskkill.exe
1532	taskkill.exe
976	taskkill.exe
964	taskkill.exe
1088	taskkill.exe
1556	taskkill.exe
1736	taskkill.exe
1104	taskkill.exe
1996	taskkill.exe
1600	taskkill.exe
1872	taskkill.exe
1360	taskkill.exe
592	taskkill.exe
1808	taskkill.exe
828	taskkill.exe
1324	taskkill.exe
916	taskkill.exe
960	taskkill.exe
664	taskkill.exe
1356	taskkill.exe
1620	taskkill.exe
1292	taskkill.exe
1324	taskkill.exe
1600	taskkill.exe
2004	taskkill.exe
112	taskkill.exe
572	taskkill.exe
1004	taskkill.exe
1592	taskkill.exe
916	taskkill.exe
1896	taskkill.exe
1092	taskkill.exe
1356	taskkill.exe
1620	taskkill.exe
1764	taskkill.exe
860	taskkill.exe
1720	taskkill.exe
1572	taskkill.exe
1560	taskkill.exe
1956	taskkill.exe
1052	taskkill.exe
548	taskkill.exe
1136	taskkill.exe
1652	taskkill.exe
824	taskkill.exe
1004	taskkill.exe
1720	taskkill.exe
1312	taskkill.exe
1452	taskkill.exe
396	taskkill.exe
1752	taskkill.exe
616	taskkill.exe
1564	taskkill.exe
1380	taskkill.exe
788	taskkill.exe
1004	taskkill.exe
1004	taskkill.exe
1620	taskkill.exe
1600	taskkill.exe
1572	taskkill.exe
1564	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Blueberry_Fortmeme_Injector_Release.exe

description	pid	process	target process
PID 2044 wrote to memory of 912	2044	Blueberry_Fortmeme_Injector_Release.exe	cmd.exe
PID 2044 wrote to memory of 912	2044	Blueberry_Fortmeme_Injector_Release.exe	cmd.exe
PID 2044 wrote to memory of 912	2044	Blueberry_Fortmeme_Injector_Release.exe	cmd.exe
PID 2044 wrote to memory of 904	2044	Blueberry_Fortmeme_Injector_Release.exe	cmd.exe
PID 2044 wrote to memory of 904	2044	Blueberry_Fortmeme_Injector_Release.exe	cmd.exe
PID 2044 wrote to memory of 904	2044	Blueberry_Fortmeme_Injector_Release.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Blueberry_Fortmeme_Injector_Release.exe
"C:\Users\Admin\AppData\Local\Temp\Blueberry_Fortmeme_Injector_Release.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color 8
2⤵
PID:904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im procexp.exe >nul 2>&1
2⤵
PID:828

C:\Windows\system32\taskkill.exe
taskkill /f /im procexp.exe
3⤵
- Kills process with taskkill
PID:1324

C:\Windows\SoftwareDistribution\Download\ZSSh6.exe
"C:\Windows\SoftwareDistribution\Download\ZSSh6.exe" -map C:\Windows\SoftwareDistribution\Download\ZSSh6.sys
2⤵
PID:1564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im procexp64.exe >nul 2>&1
2⤵
PID:1804

C:\Windows\system32\taskkill.exe
taskkill /f /im procexp64.exe
3⤵
PID:360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im procexp64.exe >nul 2>&1
2⤵
PID:892

C:\Windows\system32\taskkill.exe
taskkill /f /im procexp64.exe
3⤵
PID:1548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im mafiaengine-i386.exe >nul 2>&1
2⤵
PID:1192

C:\Windows\system32\taskkill.exe
taskkill /f /im mafiaengine-i386.exe
3⤵
PID:1944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Mafia Engine.exe >nul 2>&1
2⤵
PID:676

C:\Windows\system32\taskkill.exe
taskkill /f /im Mafia Engine.exe
3⤵
PID:1356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im mafiaengine-x86_64.exe >nul 2>&1
2⤵
PID:1504

C:\Windows\system32\taskkill.exe
taskkill /f /im mafiaengine-x86_64.exe
3⤵
- Kills process with taskkill
PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Tutorial-i386.exe >nul 2>&1
2⤵
PID:1996

C:\Windows\system32\taskkill.exe
taskkill /f /im Tutorial-i386.exe
3⤵
- Kills process with taskkill
PID:1004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Tutorial-x86_64.exe >nul 2>&1
2⤵
PID:516

C:\Windows\system32\taskkill.exe
taskkill /f /im Tutorial-x86_64.exe
3⤵
- Kills process with taskkill
PID:1600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im mafiaengine-x86_64-SSE4-AVX2.exe >nul 2>&1
2⤵
PID:1340

C:\Windows\system32\taskkill.exe
taskkill /f /im mafiaengine-x86_64-SSE4-AVX2.exe
3⤵
- Kills process with taskkill
PID:1872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
2⤵
PID:1784

C:\Windows\system32\taskkill.exe
taskkill /f /im KsDumperClient.exe
3⤵
- Kills process with taskkill
PID:976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
2⤵
PID:1808

C:\Windows\system32\taskkill.exe
taskkill /f /im KsDumper.exe
3⤵
- Kills process with taskkill
PID:1560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:1700

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
PID:1092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:904

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
PID:616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
2⤵
PID:832

C:\Windows\system32\taskkill.exe
taskkill /f /im ProcessHacker.exe
3⤵
- Kills process with taskkill
PID:1752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
2⤵
PID:1328

C:\Windows\system32\taskkill.exe
taskkill /f /im idaq.exe
3⤵
- Kills process with taskkill
PID:1896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
2⤵
PID:1324

C:\Windows\system32\taskkill.exe
taskkill /f /im idaq64.exe
3⤵
- Kills process with taskkill
PID:828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
2⤵
PID:360

C:\Windows\system32\taskkill.exe
taskkill /f /im Wireshark.exe
3⤵
- Kills process with taskkill
PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
2⤵
PID:1532

C:\Windows\system32\taskkill.exe
taskkill /f /im Fiddler.exe
3⤵
- Kills process with taskkill
PID:1572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
2⤵
PID:1136

C:\Windows\system32\taskkill.exe
taskkill /f /im FiddlerEverywhere.exe
3⤵
- Kills process with taskkill
PID:964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
2⤵
PID:1312

C:\Windows\system32\taskkill.exe
taskkill /f /im Xenos64.exe
3⤵
- Kills process with taskkill
PID:1356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
2⤵
PID:1568

C:\Windows\system32\taskkill.exe
taskkill /f /im Xenos.exe
3⤵
- Kills process with taskkill
PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
2⤵
PID:1088

C:\Windows\system32\taskkill.exe
taskkill /f /im Xenos32.exe
3⤵
- Kills process with taskkill
PID:1004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
2⤵
PID:1380

C:\Windows\system32\taskkill.exe
taskkill /f /im de4dot.exe
3⤵
- Kills process with taskkill
PID:1600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
2⤵
PID:1960

C:\Windows\system32\taskkill.exe
taskkill /f /im Cheat Engine.exe
3⤵
- Kills process with taskkill
PID:1764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
2⤵
PID:1388

C:\Windows\system32\taskkill.exe
taskkill /f /im cheatengine-x86_64.exe
3⤵
- Kills process with taskkill
PID:1652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
2⤵
PID:1596

C:\Windows\system32\taskkill.exe
taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
3⤵
- Kills process with taskkill
PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
2⤵
PID:864

C:\Windows\system32\taskkill.exe
taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
3⤵
- Kills process with taskkill
PID:916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
2⤵
PID:1700

C:\Windows\system32\taskkill.exe
taskkill /f /im MugenJinFuu-i386.exe
3⤵
PID:268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
2⤵
PID:1736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
2⤵
PID:788

C:\Windows\system32\taskkill.exe
taskkill /f /im cheatengine-i386.exe
3⤵
- Kills process with taskkill
PID:924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
2⤵
PID:1524

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
3⤵
- Kills process with taskkill
PID:860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
2⤵
PID:828

C:\Windows\system32\taskkill.exe
taskkill /f /im KsDumper.exe
3⤵
- Kills process with taskkill
PID:1324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
2⤵
PID:1544

C:\Windows\system32\taskkill.exe
taskkill /f /im OllyDbg.exe
3⤵
- Kills process with taskkill
PID:296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
2⤵
PID:1572

C:\Windows\system32\taskkill.exe
taskkill /f /im x64dbg.exe
3⤵
- Kills process with taskkill
PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
2⤵
PID:964

C:\Windows\system32\taskkill.exe
taskkill /f /im x32dbg.exe
3⤵
- Kills process with taskkill
PID:1136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:1356

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:1312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:1620

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
PID:1568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:1004

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
2⤵
PID:1600

C:\Windows\system32\taskkill.exe
taskkill /f /im Ida64.exe
3⤵
- Kills process with taskkill
PID:1380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
2⤵
PID:1452

C:\Windows\system32\taskkill.exe
taskkill /f /im OllyDbg.exe
3⤵
- Kills process with taskkill
PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
2⤵
PID:1584

C:\Windows\system32\taskkill.exe
taskkill /f /im Dbg64.exe
3⤵
PID:1808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
2⤵
PID:864

C:\Windows\system32\taskkill.exe
taskkill /f /im Dbg32.exe
3⤵
- Kills process with taskkill
PID:2004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im ida.exe >nul 2>&1
2⤵
PID:1700

C:\Windows\system32\taskkill.exe
taskkill /f /im ida.exe
3⤵
- Kills process with taskkill
PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:1564

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:1736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:924

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
PID:548

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im procexp.exe >nul 2>&1
2⤵
PID:880

C:\Windows\system32\taskkill.exe
taskkill /f /im procexp.exe
3⤵
- Kills process with taskkill
PID:824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im procexp64.exe >nul 2>&1
2⤵
PID:1476

C:\Windows\system32\taskkill.exe
taskkill /f /im procexp64.exe
3⤵
PID:1192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im procexp64.exe >nul 2>&1
2⤵
PID:1724

C:\Windows\system32\taskkill.exe
taskkill /f /im procexp64.exe
3⤵
- Kills process with taskkill
PID:112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im mafiaengine-i386.exe >nul 2>&1
2⤵
PID:1504

C:\Windows\system32\taskkill.exe
taskkill /f /im mafiaengine-i386.exe
3⤵
- Kills process with taskkill
PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Mafia Engine.exe >nul 2>&1
2⤵
PID:436

C:\Windows\system32\taskkill.exe
taskkill /f /im Mafia Engine.exe
3⤵
PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im mafiaengine-x86_64.exe >nul 2>&1
2⤵
PID:1568

C:\Windows\system32\taskkill.exe
taskkill /f /im mafiaengine-x86_64.exe
3⤵
- Kills process with taskkill
PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Tutorial-i386.exe >nul 2>&1
2⤵
PID:1088

C:\Windows\system32\taskkill.exe
taskkill /f /im Tutorial-i386.exe
3⤵
- Kills process with taskkill
PID:1004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Tutorial-x86_64.exe >nul 2>&1
2⤵
PID:1380

C:\Windows\system32\taskkill.exe
taskkill /f /im Tutorial-x86_64.exe
3⤵
PID:1600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im mafiaengine-x86_64-SSE4-AVX2.exe >nul 2>&1
2⤵
PID:1360

C:\Windows\system32\taskkill.exe
taskkill /f /im mafiaengine-x86_64-SSE4-AVX2.exe
3⤵
- Kills process with taskkill
PID:1452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
2⤵
PID:1708

C:\Windows\system32\taskkill.exe
taskkill /f /im KsDumperClient.exe
3⤵
- Kills process with taskkill
PID:916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
2⤵
PID:1516

C:\Windows\system32\taskkill.exe
taskkill /f /im KsDumper.exe
3⤵
- Kills process with taskkill
PID:572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:1316

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
PID:960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:564

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
PID:1104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
2⤵
PID:608

C:\Windows\system32\taskkill.exe
taskkill /f /im ProcessHacker.exe
3⤵
- Kills process with taskkill
PID:396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
2⤵
PID:1936

C:\Windows\system32\taskkill.exe
taskkill /f /im idaq.exe
3⤵
- Kills process with taskkill
PID:664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
2⤵
PID:1484

C:\Windows\system32\taskkill.exe
taskkill /f /im idaq64.exe
3⤵
- Kills process with taskkill
PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
2⤵
PID:1940

C:\Windows\system32\taskkill.exe
taskkill /f /im Wireshark.exe
3⤵
- Kills process with taskkill
PID:1572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
2⤵
PID:820

C:\Windows\system32\taskkill.exe
taskkill /f /im Fiddler.exe
3⤵
- Kills process with taskkill
PID:1052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
2⤵
PID:1792

C:\Windows\system32\taskkill.exe
taskkill /f /im FiddlerEverywhere.exe
3⤵
- Kills process with taskkill
PID:1356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
2⤵
PID:1140

C:\Windows\system32\taskkill.exe
taskkill /f /im Xenos64.exe
3⤵
- Kills process with taskkill
PID:1996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
2⤵
PID:1200

C:\Windows\system32\taskkill.exe
taskkill /f /im Xenos.exe
3⤵
- Kills process with taskkill
PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
2⤵
PID:1872

C:\Windows\system32\taskkill.exe
taskkill /f /im Xenos32.exe
3⤵
- Kills process with taskkill
PID:1004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
2⤵
PID:1652

C:\Windows\system32\taskkill.exe
taskkill /f /im de4dot.exe
3⤵
- Kills process with taskkill
PID:1600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
2⤵
PID:1592

C:\Windows\system32\taskkill.exe
taskkill /f /im Cheat Engine.exe
3⤵
- Kills process with taskkill
PID:1452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
2⤵
PID:1208

C:\Windows\system32\taskkill.exe
taskkill /f /im cheatengine-x86_64.exe
3⤵
- Kills process with taskkill
PID:1808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
2⤵
PID:268

C:\Windows\system32\taskkill.exe
taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
3⤵
PID:1700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
2⤵
PID:1576

C:\Windows\system32\taskkill.exe
taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
3⤵
- Kills process with taskkill
PID:1564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
2⤵
PID:1896

C:\Windows\system32\taskkill.exe
taskkill /f /im MugenJinFuu-i386.exe
3⤵
- Kills process with taskkill
PID:1292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
2⤵
PID:1524

C:\Windows\system32\taskkill.exe
taskkill /f /im cheatengine-x86_64.exe
3⤵
- Kills process with taskkill
PID:548

C:\Windows\system32\taskkill.exe
taskkill /f /im cheatengine-x86_64.exe
1⤵
- Kills process with taskkill
PID:1564

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SoftwareDistribution\Download\ZSSh6.exe
Filesize
260KB

MD5
083c6c05ac5875d0b6e997e894ca07bc

SHA1
69d0116998e8a70db5852fccb86d45975ce88a9a

SHA256
03aefd40698cafbd48138784f362fb9a36f726fb50f262ca40695729f7b553ca

SHA512
fb0b9994f9ddadd825476ed19a8299ef90536dae58b4f3087145ca4033a63d4ae0da944ac8bf4e71324e1b63af755ab1d82019e55de6377b00c9812ed57f3fdf

Download Submit
\Windows\SoftwareDistribution\Download\ZSSh6.exe
Filesize
260KB

MD5
083c6c05ac5875d0b6e997e894ca07bc

SHA1
69d0116998e8a70db5852fccb86d45975ce88a9a

SHA256
03aefd40698cafbd48138784f362fb9a36f726fb50f262ca40695729f7b553ca

SHA512
fb0b9994f9ddadd825476ed19a8299ef90536dae58b4f3087145ca4033a63d4ae0da944ac8bf4e71324e1b63af755ab1d82019e55de6377b00c9812ed57f3fdf

Download Submit
memory/2044-54-0x000000013FB30000-0x0000000140620000-memory.dmp

Filesize
10.9MB

Download
memory/2044-55-0x000000013FB30000-0x0000000140620000-memory.dmp

Filesize
10.9MB

Download
memory/2044-57-0x000000013FB30000-0x0000000140620000-memory.dmp

Filesize
10.9MB

Download
memory/2044-58-0x000000013FB30000-0x0000000140620000-memory.dmp

Filesize
10.9MB

Download
memory/2044-59-0x000000013FB30000-0x0000000140620000-memory.dmp

Filesize
10.9MB

Download
memory/2044-70-0x000000013FB30000-0x0000000140620000-memory.dmp

Filesize
10.9MB

Download
memory/2044-71-0x000000013FB30000-0x0000000140620000-memory.dmp

Filesize
10.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads