e9a77559aca2dbad88861c7f806cddd48d71f3d4e063367c85fcbe99508a79bc

General

Target

Blueberry_Fortmeme_Injector_Release.exe
Size

4.2MB
MD5

1452fde0bd476a4daa12d2e415a51fe2
SHA1

fb47580708acefe32af301b4214e6399a5a023f2
SHA256

e9a77559aca2dbad88861c7f806cddd48d71f3d4e063367c85fcbe99508a79bc
SHA512

6d94f175f8b5bfd8995bc2b7610a4a0b3bc89db12e0462d5808324f9a8c914ae7e9bce77ce4c146642ab05a944635019b8e189a6fb62fc121d43b481eda342ec
SSDEEP

98304:8byLF2yUoEBX90eYjjpzTKiTRdUtqGLkQSSqsjDpvsbdU6b:q+4BzBX9eOi1dUtDLkkqsvUdtb

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Blueberry_Fortmeme_Injector_Release.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Blueberry_Fortmeme_Injector_Release.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Blueberry_Fortmeme_Injector_Release.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Blueberry_Fortmeme_Injector_Release.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Blueberry_Fortmeme_Injector_Release.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Blueberry_Fortmeme_Injector_Release.exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/4544-133-0x00007FF637180000-0x00007FF637C70000-memory.dmp	themida
behavioral2/memory/4544-134-0x00007FF637180000-0x00007FF637C70000-memory.dmp	themida
behavioral2/memory/4544-135-0x00007FF637180000-0x00007FF637C70000-memory.dmp	themida
behavioral2/memory/4544-136-0x00007FF637180000-0x00007FF637C70000-memory.dmp	themida
behavioral2/memory/4544-137-0x00007FF637180000-0x00007FF637C70000-memory.dmp	themida
behavioral2/memory/4544-138-0x00007FF637180000-0x00007FF637C70000-memory.dmp	themida
behavioral2/memory/4544-147-0x00007FF637180000-0x00007FF637C70000-memory.dmp	themida
behavioral2/memory/4544-161-0x00007FF637180000-0x00007FF637C70000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Blueberry_Fortmeme_Injector_Release.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Blueberry_Fortmeme_Injector_Release.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Blueberry_Fortmeme_Injector_Release.exe

pid process

4544 Blueberry_Fortmeme_Injector_Release.exe

pid	process
4544	Blueberry_Fortmeme_Injector_Release.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
3436	taskkill.exe
3320	taskkill.exe
3908	taskkill.exe
5100	taskkill.exe
1172	taskkill.exe
4252	taskkill.exe
5048	taskkill.exe
2784	taskkill.exe
1372	taskkill.exe
4520	taskkill.exe
3132	taskkill.exe
3468	taskkill.exe
3324	taskkill.exe
5084	taskkill.exe
4636	taskkill.exe
3380	taskkill.exe
3672	taskkill.exe
4752	taskkill.exe
1176	taskkill.exe
5032	taskkill.exe
4936	taskkill.exe
540	taskkill.exe
4500	taskkill.exe
3220	taskkill.exe
4756	taskkill.exe
1728	taskkill.exe
4284	taskkill.exe
3456	taskkill.exe
4580	taskkill.exe
532	taskkill.exe
1444	taskkill.exe
3152	taskkill.exe
4748	taskkill.exe
3732	taskkill.exe
2032	taskkill.exe
4348	taskkill.exe
628	taskkill.exe
632	taskkill.exe
1484	taskkill.exe
4012	taskkill.exe
4704	taskkill.exe
2288	taskkill.exe
4776	taskkill.exe
2572	taskkill.exe
4648	taskkill.exe
4688	taskkill.exe
3032	taskkill.exe
996	taskkill.exe
2476	taskkill.exe
4144	taskkill.exe
5024	taskkill.exe
3280	taskkill.exe
320	taskkill.exe
4868	taskkill.exe
5068	taskkill.exe
4176	taskkill.exe
5044	taskkill.exe
2760	taskkill.exe
5016	taskkill.exe
4148	taskkill.exe
404	taskkill.exe
4268	taskkill.exe
216	taskkill.exe
1400	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Blueberry_Fortmeme_Injector_Release.exe

description	pid	process	target process
PID 4544 wrote to memory of 4912	4544	Blueberry_Fortmeme_Injector_Release.exe	cmd.exe
PID 4544 wrote to memory of 4912	4544	Blueberry_Fortmeme_Injector_Release.exe	cmd.exe
PID 4544 wrote to memory of 828	4544	Blueberry_Fortmeme_Injector_Release.exe	cmd.exe
PID 4544 wrote to memory of 828	4544	Blueberry_Fortmeme_Injector_Release.exe	cmd.exe
PID 4544 wrote to memory of 1372	4544	Blueberry_Fortmeme_Injector_Release.exe	cmd.exe
PID 4544 wrote to memory of 1372	4544	Blueberry_Fortmeme_Injector_Release.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Blueberry_Fortmeme_Injector_Release.exe
"C:\Users\Admin\AppData\Local\Temp\Blueberry_Fortmeme_Injector_Release.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color 8
2⤵
PID:828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im procexp.exe >nul 2>&1
2⤵
PID:1372

C:\Windows\system32\taskkill.exe
taskkill /f /im procexp.exe
3⤵
PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im procexp64.exe >nul 2>&1
2⤵
PID:3540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im procexp64.exe >nul 2>&1
2⤵
PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im mafiaengine-i386.exe >nul 2>&1
2⤵
PID:2516

C:\Windows\system32\taskkill.exe
taskkill /f /im mafiaengine-i386.exe
3⤵
- Kills process with taskkill
PID:4704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im mafiaengine-x86_64.exe >nul 2>&1
2⤵
PID:1876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Tutorial-i386.exe >nul 2>&1
2⤵
PID:4656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Tutorial-x86_64.exe >nul 2>&1
2⤵
PID:4448

C:\Windows\system32\taskkill.exe
taskkill /f /im Tutorial-x86_64.exe
3⤵
- Kills process with taskkill
PID:4284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im mafiaengine-x86_64-SSE4-AVX2.exe >nul 2>&1
2⤵
PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
2⤵
PID:2312

C:\Windows\system32\taskkill.exe
taskkill /f /im KsDumperClient.exe
3⤵
PID:1124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
2⤵
PID:3392

C:\Windows\system32\taskkill.exe
taskkill /f /im KsDumper.exe
3⤵
PID:2996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:3244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
2⤵
PID:4968

C:\Windows\system32\taskkill.exe
taskkill /f /im ProcessHacker.exe
3⤵
- Kills process with taskkill
PID:320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
2⤵
PID:4256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Mafia Engine.exe >nul 2>&1
2⤵
PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
2⤵
PID:3408

C:\Windows\system32\taskkill.exe
taskkill /f /im idaq64.exe
3⤵
- Kills process with taskkill
PID:2476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
2⤵
PID:1696

C:\Windows\system32\taskkill.exe
taskkill /f /im Wireshark.exe
3⤵
PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
2⤵
PID:3128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
2⤵
PID:3472

C:\Windows\system32\taskkill.exe
taskkill /f /im FiddlerEverywhere.exe
3⤵
- Kills process with taskkill
PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
2⤵
PID:4960

C:\Windows\system32\taskkill.exe
taskkill /f /im Xenos64.exe
3⤵
- Kills process with taskkill
PID:3456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
2⤵
PID:3824

C:\Windows\system32\taskkill.exe
taskkill /f /im Xenos.exe
3⤵
- Kills process with taskkill
PID:632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
2⤵
PID:2652

C:\Windows\system32\taskkill.exe
taskkill /f /im Xenos32.exe
3⤵
PID:804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
2⤵
PID:4796

C:\Windows\system32\taskkill.exe
taskkill /f /im de4dot.exe
3⤵
- Kills process with taskkill
PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
2⤵
PID:2740

C:\Windows\system32\taskkill.exe
taskkill /f /im Cheat Engine.exe
3⤵
- Kills process with taskkill
PID:4144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
2⤵
PID:1136

C:\Windows\system32\taskkill.exe
taskkill /f /im cheatengine-x86_64.exe
3⤵
PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
2⤵
PID:628

C:\Windows\system32\taskkill.exe
taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
3⤵
- Kills process with taskkill
PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
2⤵
PID:3168

C:\Windows\system32\taskkill.exe
taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
3⤵
- Kills process with taskkill
PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
2⤵
PID:4080

C:\Windows\system32\taskkill.exe
taskkill /f /im MugenJinFuu-i386.exe
3⤵
PID:3320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
2⤵
PID:1540

C:\Windows\system32\taskkill.exe
taskkill /f /im cheatengine-x86_64.exe
3⤵
- Kills process with taskkill
PID:2760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
2⤵
PID:1688

C:\Windows\system32\taskkill.exe
taskkill /f /im cheatengine-i386.exe
3⤵
PID:940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
2⤵
PID:4456

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
3⤵
- Kills process with taskkill
PID:540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
2⤵
PID:2296

C:\Windows\system32\taskkill.exe
taskkill /f /im KsDumper.exe
3⤵
- Kills process with taskkill
PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
2⤵
PID:1580

C:\Windows\system32\taskkill.exe
taskkill /f /im OllyDbg.exe
3⤵
PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
2⤵
PID:4356

C:\Windows\system32\taskkill.exe
taskkill /f /im x64dbg.exe
3⤵
- Kills process with taskkill
PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
2⤵
PID:828

C:\Windows\system32\taskkill.exe
taskkill /f /im x32dbg.exe
3⤵
PID:4416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:2288

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:4740

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
PID:3732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:2148

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
2⤵
PID:2788

C:\Windows\system32\taskkill.exe
taskkill /f /im Ida64.exe
3⤵
PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
2⤵
PID:1892

C:\Windows\system32\taskkill.exe
taskkill /f /im OllyDbg.exe
3⤵
PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
2⤵
PID:4220

C:\Windows\system32\taskkill.exe
taskkill /f /im Dbg64.exe
3⤵
- Kills process with taskkill
PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
2⤵
PID:5116

C:\Windows\system32\taskkill.exe
taskkill /f /im Dbg32.exe
3⤵
- Kills process with taskkill
PID:2572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im ida.exe >nul 2>&1
2⤵
PID:4476

C:\Windows\system32\taskkill.exe
taskkill /f /im ida.exe
3⤵
PID:2112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:5104

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
PID:1092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:2212

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
PID:4064

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im procexp.exe >nul 2>&1
2⤵
PID:840

C:\Windows\system32\taskkill.exe
taskkill /f /im procexp.exe
3⤵
- Kills process with taskkill
PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im procexp64.exe >nul 2>&1
2⤵
PID:224

C:\Windows\system32\taskkill.exe
taskkill /f /im procexp64.exe
3⤵
PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im procexp64.exe >nul 2>&1
2⤵
PID:1492

C:\Windows\system32\taskkill.exe
taskkill /f /im procexp64.exe
3⤵
PID:2200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im mafiaengine-i386.exe >nul 2>&1
2⤵
PID:1028

C:\Windows\system32\taskkill.exe
taskkill /f /im mafiaengine-i386.exe
3⤵
- Kills process with taskkill
PID:3220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Mafia Engine.exe >nul 2>&1
2⤵
PID:4256

C:\Windows\system32\taskkill.exe
taskkill /f /im Mafia Engine.exe
3⤵
- Kills process with taskkill
PID:1172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im mafiaengine-x86_64.exe >nul 2>&1
2⤵
PID:3968

C:\Windows\system32\taskkill.exe
taskkill /f /im mafiaengine-x86_64.exe
3⤵
- Kills process with taskkill
PID:3132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Tutorial-i386.exe >nul 2>&1
2⤵
PID:4576

C:\Windows\system32\taskkill.exe
taskkill /f /im Tutorial-i386.exe
3⤵
PID:1884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Tutorial-x86_64.exe >nul 2>&1
2⤵
PID:5036

C:\Windows\system32\taskkill.exe
taskkill /f /im Tutorial-x86_64.exe
3⤵
PID:740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im mafiaengine-x86_64-SSE4-AVX2.exe >nul 2>&1
2⤵
PID:388

C:\Windows\system32\taskkill.exe
taskkill /f /im mafiaengine-x86_64-SSE4-AVX2.exe
3⤵
- Kills process with taskkill
PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
2⤵
PID:4920

C:\Windows\system32\taskkill.exe
taskkill /f /im KsDumperClient.exe
3⤵
PID:2116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
2⤵
PID:1400

C:\Windows\system32\taskkill.exe
taskkill /f /im KsDumper.exe
3⤵
- Kills process with taskkill
PID:5068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:5028

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
PID:4148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:4340

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
PID:932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
2⤵
PID:4976

C:\Windows\system32\taskkill.exe
taskkill /f /im ProcessHacker.exe
3⤵
PID:1576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
2⤵
PID:3656

C:\Windows\system32\taskkill.exe
taskkill /f /im idaq.exe
3⤵
PID:2816

C:\Windows\SoftwareDistribution\Download\PtcR4.exe
"C:\Windows\SoftwareDistribution\Download\PtcR4.exe" -map C:\Windows\SoftwareDistribution\Download\PtcR4.sys
2⤵
PID:5004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
2⤵
PID:1464

C:\Windows\system32\taskkill.exe
taskkill /f /im idaq64.exe
3⤵
PID:3344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
2⤵
PID:1640

C:\Windows\system32\taskkill.exe
taskkill /f /im Wireshark.exe
3⤵
PID:1472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
2⤵
PID:1540

C:\Windows\system32\taskkill.exe
taskkill /f /im Fiddler.exe
3⤵
- Kills process with taskkill
PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
2⤵
PID:4328

C:\Windows\system32\taskkill.exe
taskkill /f /im FiddlerEverywhere.exe
3⤵
PID:3144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
2⤵
PID:1988

C:\Windows\system32\taskkill.exe
taskkill /f /im Xenos64.exe
3⤵
PID:2000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
2⤵
PID:4472

C:\Windows\system32\taskkill.exe
taskkill /f /im Xenos.exe
3⤵
- Kills process with taskkill
PID:3436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
2⤵
PID:4912

C:\Windows\system32\taskkill.exe
taskkill /f /im Xenos32.exe
3⤵
- Kills process with taskkill
PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
2⤵
PID:3084

C:\Windows\system32\taskkill.exe
taskkill /f /im de4dot.exe
3⤵
- Kills process with taskkill
PID:404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
2⤵
PID:4116

C:\Windows\system32\taskkill.exe
taskkill /f /im Cheat Engine.exe
3⤵
- Kills process with taskkill
PID:3672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
2⤵
PID:2300

C:\Windows\system32\taskkill.exe
taskkill /f /im cheatengine-x86_64.exe
3⤵
- Kills process with taskkill
PID:2288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
2⤵
PID:5040

C:\Windows\system32\taskkill.exe
taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
3⤵
- Kills process with taskkill
PID:4176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
2⤵
PID:4496

C:\Windows\system32\taskkill.exe
taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
3⤵
- Kills process with taskkill
PID:3380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
2⤵
PID:4620

C:\Windows\system32\taskkill.exe
taskkill /f /im MugenJinFuu-i386.exe
3⤵
- Kills process with taskkill
PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
2⤵
PID:4616

C:\Windows\system32\taskkill.exe
taskkill /f /im cheatengine-x86_64.exe
3⤵
- Kills process with taskkill
PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
2⤵
PID:1892

C:\Windows\system32\taskkill.exe
taskkill /f /im cheatengine-i386.exe
3⤵
- Kills process with taskkill
PID:4268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
2⤵
PID:4180

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
3⤵
PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
2⤵
PID:772

C:\Windows\system32\taskkill.exe
taskkill /f /im KsDumper.exe
3⤵
PID:3736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
2⤵
PID:2096

C:\Windows\system32\taskkill.exe
taskkill /f /im OllyDbg.exe
3⤵
PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
2⤵
PID:1104

C:\Windows\system32\taskkill.exe
taskkill /f /im x64dbg.exe
3⤵
- Kills process with taskkill
PID:3032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
2⤵
PID:5100

C:\Windows\system32\taskkill.exe
taskkill /f /im x32dbg.exe
3⤵
PID:644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:4500

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:1832

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
PID:3712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:2848

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
2⤵
PID:3876

C:\Windows\system32\taskkill.exe
taskkill /f /im Ida64.exe
3⤵
PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
2⤵
PID:832

C:\Windows\system32\taskkill.exe
taskkill /f /im OllyDbg.exe
3⤵
PID:3408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
2⤵
PID:4576

C:\Windows\system32\taskkill.exe
taskkill /f /im Dbg64.exe
3⤵
PID:1132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
2⤵
PID:3128

C:\Windows\system32\taskkill.exe
taskkill /f /im Dbg32.exe
3⤵
- Kills process with taskkill
PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im ida.exe >nul 2>&1
2⤵
PID:1692

C:\Windows\system32\taskkill.exe
taskkill /f /im ida.exe
3⤵
- Kills process with taskkill
PID:1400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:3824

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
PID:4532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:4340

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
PID:4908

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im procexp.exe >nul 2>&1
2⤵
PID:2536

C:\Windows\system32\taskkill.exe
taskkill /f /im procexp.exe
3⤵
- Kills process with taskkill
PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im procexp64.exe >nul 2>&1
2⤵
PID:3156

C:\Windows\system32\taskkill.exe
taskkill /f /im procexp64.exe
3⤵
PID:3800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im procexp64.exe >nul 2>&1
2⤵
PID:4080

C:\Windows\system32\taskkill.exe
taskkill /f /im procexp64.exe
3⤵
- Kills process with taskkill
PID:3320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im mafiaengine-i386.exe >nul 2>&1
2⤵
PID:4744

C:\Windows\system32\taskkill.exe
taskkill /f /im mafiaengine-i386.exe
3⤵
- Kills process with taskkill
PID:532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Mafia Engine.exe >nul 2>&1
2⤵
PID:3640

C:\Windows\system32\taskkill.exe
taskkill /f /im Mafia Engine.exe
3⤵
- Kills process with taskkill
PID:3280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im mafiaengine-x86_64.exe >nul 2>&1
2⤵
PID:3520

C:\Windows\system32\taskkill.exe
taskkill /f /im mafiaengine-x86_64.exe
3⤵
- Kills process with taskkill
PID:4012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Tutorial-i386.exe >nul 2>&1
2⤵
PID:4328

C:\Windows\system32\taskkill.exe
taskkill /f /im Tutorial-i386.exe
3⤵
PID:1140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Tutorial-x86_64.exe >nul 2>&1
2⤵
PID:1988

C:\Windows\system32\taskkill.exe
taskkill /f /im Tutorial-x86_64.exe
3⤵
- Kills process with taskkill
PID:1444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im mafiaengine-x86_64-SSE4-AVX2.exe >nul 2>&1
2⤵
PID:4472

C:\Windows\system32\taskkill.exe
taskkill /f /im mafiaengine-x86_64-SSE4-AVX2.exe
3⤵
- Kills process with taskkill
PID:2784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
2⤵
PID:4356

C:\Windows\system32\taskkill.exe
taskkill /f /im KsDumperClient.exe
3⤵
- Kills process with taskkill
PID:1372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
2⤵
PID:2748

C:\Windows\system32\taskkill.exe
taskkill /f /im KsDumper.exe
3⤵
PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:4676

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:1956

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
PID:3152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
2⤵
PID:4644

C:\Windows\system32\taskkill.exe
taskkill /f /im ProcessHacker.exe
3⤵
PID:3792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
2⤵
PID:1748

C:\Windows\system32\taskkill.exe
taskkill /f /im idaq.exe
3⤵
PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
2⤵
PID:5044

C:\Windows\system32\taskkill.exe
taskkill /f /im idaq64.exe
3⤵
PID:1356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
2⤵
PID:4264

C:\Windows\system32\taskkill.exe
taskkill /f /im Wireshark.exe
3⤵
PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
2⤵
PID:4680

C:\Windows\system32\taskkill.exe
taskkill /f /im Fiddler.exe
3⤵
- Kills process with taskkill
PID:1176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
2⤵
PID:3268

C:\Windows\system32\taskkill.exe
taskkill /f /im FiddlerEverywhere.exe
3⤵
- Kills process with taskkill
PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
2⤵
PID:2096

C:\Windows\system32\taskkill.exe
taskkill /f /im Xenos64.exe
3⤵
PID:684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
2⤵
PID:1872

C:\Windows\system32\taskkill.exe
taskkill /f /im Xenos.exe
3⤵
PID:1436

C:\Windows\system32\taskkill.exe
taskkill /f /im procexp64.exe
1⤵
- Kills process with taskkill
PID:4252

C:\Windows\system32\taskkill.exe
taskkill /f /im procexp64.exe
1⤵
- Kills process with taskkill
PID:5048

C:\Windows\system32\taskkill.exe
taskkill /f /im Mafia Engine.exe
1⤵
- Kills process with taskkill
PID:5032

C:\Windows\system32\taskkill.exe
taskkill /f /im mafiaengine-x86_64.exe
1⤵
- Kills process with taskkill
PID:5044

C:\Windows\system32\taskkill.exe
taskkill /f /im Tutorial-i386.exe
1⤵
PID:5116

C:\Windows\system32\taskkill.exe
taskkill /f /im mafiaengine-x86_64-SSE4-AVX2.exe
1⤵
PID:2600

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
1⤵
- Kills process with taskkill
PID:996

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
1⤵
- Kills process with taskkill
PID:3908

C:\Windows\system32\taskkill.exe
taskkill /f /im idaq.exe
1⤵
PID:3240

C:\Windows\system32\taskkill.exe
taskkill /f /im Fiddler.exe
1⤵
- Kills process with taskkill
PID:3324

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SoftwareDistribution\Download\PtcR4.exe
Filesize
260KB

MD5
083c6c05ac5875d0b6e997e894ca07bc

SHA1
69d0116998e8a70db5852fccb86d45975ce88a9a

SHA256
03aefd40698cafbd48138784f362fb9a36f726fb50f262ca40695729f7b553ca

SHA512
fb0b9994f9ddadd825476ed19a8299ef90536dae58b4f3087145ca4033a63d4ae0da944ac8bf4e71324e1b63af755ab1d82019e55de6377b00c9812ed57f3fdf

Download Submit
C:\Windows\SoftwareDistribution\Download\PtcR4.exe
Filesize
260KB

MD5
083c6c05ac5875d0b6e997e894ca07bc

SHA1
69d0116998e8a70db5852fccb86d45975ce88a9a

SHA256
03aefd40698cafbd48138784f362fb9a36f726fb50f262ca40695729f7b553ca

SHA512
fb0b9994f9ddadd825476ed19a8299ef90536dae58b4f3087145ca4033a63d4ae0da944ac8bf4e71324e1b63af755ab1d82019e55de6377b00c9812ed57f3fdf

Download Submit
C:\Windows\SoftwareDistribution\Download\PtcR4.exe
Filesize
260KB

MD5
083c6c05ac5875d0b6e997e894ca07bc

SHA1
69d0116998e8a70db5852fccb86d45975ce88a9a

SHA256
03aefd40698cafbd48138784f362fb9a36f726fb50f262ca40695729f7b553ca

SHA512
fb0b9994f9ddadd825476ed19a8299ef90536dae58b4f3087145ca4033a63d4ae0da944ac8bf4e71324e1b63af755ab1d82019e55de6377b00c9812ed57f3fdf

Download Submit
memory/2760-141-0x00007FFB26831000-0x00007FFB26832000-memory.dmp

Filesize
4KB

Download
memory/4544-133-0x00007FF637180000-0x00007FF637C70000-memory.dmp

Filesize
10.9MB

Download
memory/4544-134-0x00007FF637180000-0x00007FF637C70000-memory.dmp

Filesize
10.9MB

Download
memory/4544-135-0x00007FF637180000-0x00007FF637C70000-memory.dmp

Filesize
10.9MB

Download
memory/4544-136-0x00007FF637180000-0x00007FF637C70000-memory.dmp

Filesize
10.9MB

Download
memory/4544-137-0x00007FF637180000-0x00007FF637C70000-memory.dmp

Filesize
10.9MB

Download
memory/4544-138-0x00007FF637180000-0x00007FF637C70000-memory.dmp

Filesize
10.9MB

Download
memory/4544-147-0x00007FF637180000-0x00007FF637C70000-memory.dmp

Filesize
10.9MB

Download
memory/4544-161-0x00007FF637180000-0x00007FF637C70000-memory.dmp

Filesize
10.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads