Technical Information
Malicious functions
Executes the following
- '<SYSTEM32>\taskkill.exe' /f /im HTTPDebuggerUI.exe
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq rawshark*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /F /IM BEService_fn.exe
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq wireshark*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /F /IM BEService.exe
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq fiddler*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /F /IM EasyAntiCheat.exe
- '<SYSTEM32>\taskkill.exe' /F /IM EasyAntiCheat_EOS.exe
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq processhacker*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /F /IM FortniteClient-Win64-Shipping.exe
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /F /IM FortniteClient-Win64-Shipping_BE.exe
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq cheatengine*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /F /IM FortniteClient-Win64-Shipping_EAC.exe
- '<SYSTEM32>\taskkill.exe' /F /IM FortniteClient-Win64-Shipping_EAC_EOS.exe
- '<SYSTEM32>\taskkill.exe' /f /im HTTPDebuggerSvc.exe
- '<SYSTEM32>\taskkill.exe' /F /IM FortniteLauncher.exe
- '<SYSTEM32>\taskkill.exe' /F /IM EpicGamesLauncher.exe
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq charles*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq ida*" /IM * /F /T
Searches for windows to
detect analytical utilities:
- ClassName: 'OLLYDBG', WindowName: 'OllYDbg'
Modifies file system
Creates the following files
- nul
Miscellaneous
Searches for the following windows
- ClassName: '' WindowName: 'IDA: Quick start'
- ClassName: '' WindowName: 'Memory Viewer'
- ClassName: '' WindowName: 'Process List'
- ClassName: '' WindowName: 'KsDumper'
- ClassName: '' WindowName: 'HTTP Debugger'
- ClassName: '' WindowName: 'OllyDbg'
- ClassName: '' WindowName: ''
Creates and executes the following
- '<SYSTEM32>\cmd.exe' /C taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C sc stop HTTPDebuggerPro >nul 2>&1' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>&1' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C sc stop KProcessHacker3 >nul 2>&1' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C sc stop KProcessHacker2 >nul 2>&1' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C sc stop KProcessHacker1 >nul 2>&1' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C sc stop wireshark >nul 2>&1' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C sc stop npf >nul 2>&1' (with hidden window)
Executes the following
- '<SYSTEM32>\cmd.exe' /c reg add HKLMSYSTEMCurrentControlSetCIConfig /v "VulnerableDriverBlocklistEnable" /t REG_DWORD /d 0 /f
- '<SYSTEM32>\sc.exe' stop BEDaisy
- '<SYSTEM32>\cmd.exe' /c sc stop EasyAntiCheat
- '<SYSTEM32>\sc.exe' stop EasyAntiCheat
- '<SYSTEM32>\cmd.exe' /c sc stop EasyAntiCheat_EOS
- '<SYSTEM32>\sc.exe' stop EasyAntiCheat_EOS
- '<SYSTEM32>\cmd.exe' /c cls
- '<SYSTEM32>\cmd.exe' /C taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c TASKKILL /F /IM FortniteClient-Win64-Shipping_EAC.exe
- '<SYSTEM32>\cmd.exe' /C taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\sc.exe' stop KProcessHacker3
- '<SYSTEM32>\cmd.exe' /C sc stop KProcessHacker2 >nul 2>&1
- '<SYSTEM32>\sc.exe' stop KProcessHacker2
- '<SYSTEM32>\cmd.exe' /C sc stop KProcessHacker1 >nul 2>&1
- '<SYSTEM32>\sc.exe' stop KProcessHacker1
- '<SYSTEM32>\cmd.exe' /C sc stop wireshark >nul 2>&1
- '<SYSTEM32>\sc.exe' stop wireshark
- '<SYSTEM32>\cmd.exe' /C taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c sc stop BEDaisy
- '<SYSTEM32>\cmd.exe' /c TASKKILL /F /IM BEService_fn.exe
- '<SYSTEM32>\cmd.exe' /C taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c TASKKILL /F /IM BEService.exe
- '<SYSTEM32>\cmd.exe' /C taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c Color 0C
- '<SYSTEM32>\cmd.exe' /c TASKKILL /F /IM EpicGamesLauncher.exe
- '<SYSTEM32>\cmd.exe' /c TASKKILL /F /IM FortniteLauncher.exe
- '<SYSTEM32>\cmd.exe' /C taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c TASKKILL /F /IM FortniteClient-Win64-Shipping_EAC_EOS.exe
- '<SYSTEM32>\cmd.exe' /C sc stop HTTPDebuggerPro >nul 2>&1
- '<SYSTEM32>\cmd.exe' /C sc stop npf >nul 2>&1
- '<SYSTEM32>\cmd.exe' /C sc stop KProcessHacker3 >nul 2>&1
- '<SYSTEM32>\sc.exe' stop HTTPDebuggerPro
- '<SYSTEM32>\cmd.exe' /c TASKKILL /F /IM FortniteClient-Win64-Shipping_BE.exe
- '<SYSTEM32>\cmd.exe' /C taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c TASKKILL /F /IM FortniteClient-Win64-Shipping.exe
- '<SYSTEM32>\cmd.exe' /C taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c TASKKILL /F /IM EasyAntiCheat_EOS.exe
- '<SYSTEM32>\cmd.exe' /C taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c TASKKILL /F /IM EasyAntiCheat.exe
- '<SYSTEM32>\reg.exe' add HKLMSYSTEMCurrentControlSetCIConfig /v "VulnerableDriverBlocklistEnable" /t REG_DWORD /d 0 /f
- '<SYSTEM32>\cmd.exe' /C taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\sc.exe' stop npf
