Technical Information
Malicious functions
Executes the following
- '<SYSTEM32>\taskkill.exe' /f /im procexp.exe
- '<SYSTEM32>\taskkill.exe' /f /im Cheat Engine.exe
- '<SYSTEM32>\taskkill.exe' /f /im cheatengine-x86_64.exe
- '<SYSTEM32>\taskkill.exe' /f /im cheatengine-x86_64-SSE4-AVX2.exe
- '<SYSTEM32>\taskkill.exe' /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
- '<SYSTEM32>\taskkill.exe' /f /im MugenJinFuu-i386.exe
- '<SYSTEM32>\taskkill.exe' /f /im cheatengine-i386.exe
- '<SYSTEM32>\taskkill.exe' /f /im KsDumper.exe
- '<SYSTEM32>\taskkill.exe' /f /im HTTP Debugger Windows Service (32 bit).exe
- '<SYSTEM32>\taskkill.exe' /f /im x64dbg.exe
- '<SYSTEM32>\taskkill.exe' /f /im x32dbg.exe
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /f /im Ida64.exe
- '<SYSTEM32>\taskkill.exe' /f /im Dbg64.exe
- '<SYSTEM32>\taskkill.exe' /f /im Dbg32.exe
- '<SYSTEM32>\taskkill.exe' /f /im Xenos32.exe
- '<SYSTEM32>\taskkill.exe' /f /im de4dot.exe
- '<SYSTEM32>\taskkill.exe' /f /im Xenos.exe
- '<SYSTEM32>\taskkill.exe' /f /im Xenos64.exe
- '<SYSTEM32>\taskkill.exe' /f /im FiddlerEverywhere.exe
- '<SYSTEM32>\taskkill.exe' /f /im mafiaengine-i386.exe
- '<SYSTEM32>\taskkill.exe' /f /im Mafia Engine.exe
- '<SYSTEM32>\taskkill.exe' /f /im mafiaengine-x86_64.exe
- '<SYSTEM32>\taskkill.exe' /f /im Tutorial-i386.exe
- '<SYSTEM32>\taskkill.exe' /f /im Tutorial-x86_64.exe
- '<SYSTEM32>\taskkill.exe' /f /im mafiaengine-x86_64-SSE4-AVX2.exe
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq cheatengine*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /f /im OllyDbg.exe
- '<SYSTEM32>\taskkill.exe' /f /im KsDumperClient.exe
- '<SYSTEM32>\taskkill.exe' /f /im HTTPDebuggerSvc.exe
- '<SYSTEM32>\taskkill.exe' /f /im ProcessHacker.exe
- '<SYSTEM32>\taskkill.exe' /f /im idaq.exe
- '<SYSTEM32>\taskkill.exe' /f /im idaq64.exe
- '<SYSTEM32>\taskkill.exe' /f /im Wireshark.exe
- '<SYSTEM32>\taskkill.exe' /f /im Fiddler.exe
- '<SYSTEM32>\taskkill.exe' /f /im procexp64.exe
- '<SYSTEM32>\taskkill.exe' /f /im HTTPDebuggerUI.exe
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq processhacker*" /IM * /F /T
Launches a large number of processes
Modifies file system
Creates the following files
- nul
- %WINDIR%\temp\tar6ac.tmp
- %WINDIR%\temp\cab6ab.tmp
- %WINDIR%\temp\tar5ef.tmp
- %WINDIR%\temp\cab5ee.tmp
- %WINDIR%\temp\tar5be.tmp
- %WINDIR%\temp\cab5bd.tmp
- %WINDIR%\temp\tar520.tmp
- %WINDIR%\temp\cab51f.tmp
- %WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\content\f0accf77cdcbff39f6191887f6d2d357
- %WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\metadata\f0accf77cdcbff39f6191887f6d2d357
- %WINDIR%\temp\tar9b.tmp
- %WINDIR%\temp\cab9a.tmp
- %WINDIR%\temp\cabf06.tmp
- %WINDIR%\temp\tarfed5.tmp
- %WINDIR%\temp\tarfe75.tmp
- %WINDIR%\temp\cabfe74.tmp
- %WINDIR%\temp\tarfd1c.tmp
- %WINDIR%\temp\cabfd1b.tmp
- %WINDIR%\temp\tarfc8e.tmp
- %WINDIR%\temp\cabfc8d.tmp
- %WINDIR%\temp\tarfab8.tmp
- %WINDIR%\temp\cabfab7.tmp
- %WINDIR%\temp\tarfa58.tmp
- %WINDIR%\temp\cabfa57.tmp
- %WINDIR%\temp\tarbaf6.tmp
- %WINDIR%\temp\cabbaf5.tmp
- %WINDIR%\temp\cabfed4.tmp
- %WINDIR%\temp\tarf07.tmp
Deletes the following files
- %WINDIR%\temp\cabbaf5.tmp
- %WINDIR%\temp\tar6ac.tmp
- %WINDIR%\temp\cab6ab.tmp
- %WINDIR%\temp\tar5ef.tmp
- %WINDIR%\temp\cab5ee.tmp
- %WINDIR%\temp\tar5be.tmp
- %WINDIR%\temp\cab5bd.tmp
- %WINDIR%\temp\tar520.tmp
- %WINDIR%\temp\cab51f.tmp
- %WINDIR%\temp\tar9b.tmp
- %WINDIR%\temp\cab9a.tmp
- %WINDIR%\temp\tarfed5.tmp
- %WINDIR%\temp\cabfed4.tmp
- %WINDIR%\temp\tarfe75.tmp
- %WINDIR%\temp\cabfe74.tmp
- %WINDIR%\temp\tarfd1c.tmp
- %WINDIR%\temp\cabfd1b.tmp
- %WINDIR%\temp\tarfc8e.tmp
- %WINDIR%\temp\cabfc8d.tmp
- %WINDIR%\temp\tarfab8.tmp
- %WINDIR%\temp\cabfab7.tmp
- %WINDIR%\temp\tarfa58.tmp
- %WINDIR%\temp\cabfa57.tmp
- %WINDIR%\temp\tarbaf6.tmp
- %WINDIR%\temp\cabf06.tmp
- %WINDIR%\temp\tarf07.tmp
Network activity
Connects to
- 'localhost':49185
- 'localhost':49187
- 'ke##uth.win':443
- 'ke##uth.win':80
- 'x1.#.lencr.org':80
- 'x2.#.lencr.org':80
TCP
HTTP GET requests
- http://x1.#.lencr.org/
- http://x2.#.lencr.org/
Other
- 'localhost':49185
- 'localhost':49187
- 'localhost':49188
- 'ke##uth.win':443
UDP
- DNS ASK ke##uth.win
- DNS ASK x1.#.lencr.org
- DNS ASK x2.#.lencr.org
Miscellaneous
Searches for the following windows
- ClassName: '' WindowName: ''
Executes the following
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im procexp.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im Xenos32.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im de4dot.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im Cheat Engine.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im Tutorial-x86_64.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im OllyDbg.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im x64dbg.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im x32dbg.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im Ida64.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im Dbg64.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im Dbg32.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im Xenos64.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im Xenos.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im Fiddler.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im Wireshark.exe >nul 2>&1
- '<SYSTEM32>\certutil.exe' -hashfile "<Full path to file>" MD5
- '<SYSTEM32>\find.exe' /i /v "md5"
- '<SYSTEM32>\find.exe' /i /v "certutil"
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im procexp64.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im mafiaengine-i386.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im Mafia Engine.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im mafiaengine-x86_64.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im Tutorial-i386.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im KsDumperClient.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im KsDumper.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im ProcessHacker.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im idaq.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im idaq64.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c certutil -hashfile "<Full path to file>" MD5 | find /i /v "md5" | find /i /v "certutil"
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im mafiaengine-x86_64-SSE4-AVX2.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
