Technical Information
Malicious functions
Executes the following
- '<SYSTEM32>\taskkill.exe' /f /im HTTPDebuggerUI.exe
- '<SYSTEM32>\taskkill.exe' /f /im HTTPDebuggerSvc.exe
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq cheatengine*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq processhacker*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /f /im epicgameslauncher.exe
- '<SYSTEM32>\taskkill.exe' /f /im EpicWebHelper.exe
- '<SYSTEM32>\taskkill.exe' /f /im FortniteClient - Win64 - Shipping_EAC.exe
- '<SYSTEM32>\taskkill.exe' /f /im FortniteClient - Win64 - Shipping_BE.exe
- '<SYSTEM32>\taskkill.exe' /f /im FortniteLauncher.exe
- '<SYSTEM32>\taskkill.exe' /f /im FortniteClient - Win64 - Shipping.exe
- '<SYSTEM32>\taskkill.exe' /f /im EasyAntiCheat.exe
- '<SYSTEM32>\taskkill.exe' /f /im BEService.exe
- '<SYSTEM32>\taskkill.exe' /f /im BEServices.exe
- '<SYSTEM32>\taskkill.exe' /f /im BattleEye.exe
Modifies file system
Creates the following files
- nul
- %WINDIR%\temp\tare44d.tmp
- %WINDIR%\temp\cabe44c.tmp
- %WINDIR%\temp\tare2b6.tmp
- %WINDIR%\temp\cabe2a5.tmp
- %WINDIR%\temp\tare246.tmp
- %WINDIR%\temp\cabe245.tmp
- %WINDIR%\temp\tare0af.tmp
- %WINDIR%\temp\cabe0ae.tmp
- %WINDIR%\temp\tare040.tmp
- %WINDIR%\temp\cabe03f.tmp
- %WINDIR%\temp\tarde98.tmp
- %WINDIR%\temp\cabedb1.tmp
- %WINDIR%\temp\cabde97.tmp
- %WINDIR%\temp\cabde28.tmp
- %WINDIR%\temp\tardca1.tmp
- %WINDIR%\temp\cabdca0.tmp
- %WINDIR%\temp\tardc51.tmp
- %WINDIR%\temp\cabdc50.tmp
- %WINDIR%\temp\tardc01.tmp
- %WINDIR%\temp\cabdc00.tmp
- %WINDIR%\temp\tardb82.tmp
- %WINDIR%\temp\cabdb81.tmp
- %WINDIR%\temp\tard910.tmp
- %WINDIR%\temp\cabd90f.tmp
- %WINDIR%\temp\tarde29.tmp
- %WINDIR%\temp\taredb2.tmp
Deletes the following files
- %WINDIR%\temp\cabd90f.tmp
- %WINDIR%\temp\tare44d.tmp
- %WINDIR%\temp\cabe44c.tmp
- %WINDIR%\temp\tare2b6.tmp
- %WINDIR%\temp\cabe2a5.tmp
- %WINDIR%\temp\tare246.tmp
- %WINDIR%\temp\cabe245.tmp
- %WINDIR%\temp\tare0af.tmp
- %WINDIR%\temp\cabe0ae.tmp
- %WINDIR%\temp\tare040.tmp
- %WINDIR%\temp\cabe03f.tmp
- %WINDIR%\temp\tarde98.tmp
- %WINDIR%\temp\cabde97.tmp
- %WINDIR%\temp\tarde29.tmp
- %WINDIR%\temp\cabde28.tmp
- %WINDIR%\temp\tardca1.tmp
- %WINDIR%\temp\cabdca0.tmp
- %WINDIR%\temp\tardc51.tmp
- %WINDIR%\temp\cabdc50.tmp
- %WINDIR%\temp\tardc01.tmp
- %WINDIR%\temp\cabdc00.tmp
- %WINDIR%\temp\tardb82.tmp
- %WINDIR%\temp\cabdb81.tmp
- %WINDIR%\temp\tard910.tmp
- %WINDIR%\temp\cabedb1.tmp
- %WINDIR%\temp\taredb2.tmp
Network activity
Connects to
- 'localhost':49181
- 'localhost':49183
- 'ke##uth.win':443
- 'ke##uth.win':80
- 'x1.#.lencr.org':80
- 'x2.#.lencr.org':80
TCP
HTTP GET requests
- http://x1.#.lencr.org/
- http://x2.#.lencr.org/
Other
- 'localhost':49181
- 'localhost':49183
- 'localhost':49184
- 'ke##uth.win':443
UDP
- DNS ASK ke##uth.win
- DNS ASK x1.#.lencr.org
- DNS ASK x2.#.lencr.org
Miscellaneous
Searches for the following windows
- ClassName: '' WindowName: ''
- ClassName: '' WindowName: 'IDA: Quick start'
- ClassName: '' WindowName: 'Memory Viewer'
- ClassName: '' WindowName: 'Process List'
- ClassName: '' WindowName: 'KsDumper'
- ClassName: '' WindowName: 'HTTP Debugger'
- ClassName: '' WindowName: 'OllyDbg'
Executes the following
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
- '<SYSTEM32>\find.exe' /i /v "md5"
- '<SYSTEM32>\find.exe' /i /v "certutil"
- '<SYSTEM32>\certutil.exe' -hashfile "<Full path to file>" MD5
- '<SYSTEM32>\cmd.exe' /c certutil -hashfile "<Full path to file>" MD5 | find /i /v "md5" | find /i /v "certutil"
- '<SYSTEM32>\cmd.exe' /c cls
- '<SYSTEM32>\sc.exe' stop EasyAntiCheat
- '<SYSTEM32>\cmd.exe' /c sc stop EasyAntiCheat
- '<SYSTEM32>\sc.exe' stop BattlEye Service
- '<SYSTEM32>\cmd.exe' /c sc stop BattlEye Service
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im BattleEye.exe > nul
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im BEServices.exe > nul
- '<SYSTEM32>\cmd.exe' /C "color b && title Error && echo SSL connect error && timeout /t 5"
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im BEService.exe > nul
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im FortniteClient - Win64 - Shipping.exe > nul
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im FortniteLauncher.exe > nul
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im FortniteClient - Win64 - Shipping_BE.exe > nul
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im FortniteClient - Win64 - Shipping_EAC.exe > nul
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im EpicWebHelper.exe > nul
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im epicgameslauncher.exe > nul
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\sc.exe' stop HTTPDebuggerPro
- '<SYSTEM32>\cmd.exe' /c sc stop HTTPDebuggerPro >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im EasyAntiCheat.exe > nul
- '<SYSTEM32>\timeout.exe' /t 5
