Technical Information
Malicious functions
Executes the following
- '<SYSTEM32>\taskkill.exe' /f /im HTTPDebuggerUI.exe
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq idaq*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq charles*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq procmon*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq rawshark*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq wireshark*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq fiddler*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq FolderChangesView*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq idaq64*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq processhacker*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq HTTPDebuggerUI*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq HTTPDebuggerSvc*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq cheatengine*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /f /im HTTPDebuggerSvc.exe
- '<SYSTEM32>\net.exe' stop ESEADriver2
- '<SYSTEM32>\net.exe' stop FACEIT
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq KsDumperClient*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq ida*" /IM * /F /T
Modifies file system
Creates the following files
- nul
- %WINDIR%\temp\tar73f3.tmp
- %WINDIR%\temp\cab73f2.tmp
- %WINDIR%\temp\tar5e01.tmp
- %WINDIR%\temp\cab5e00.tmp
- %WINDIR%\temp\tar5d91.tmp
- %WINDIR%\temp\cab5d90.tmp
- %WINDIR%\temp\tar47bf.tmp
- %WINDIR%\temp\cab47be.tmp
- %WINDIR%\temp\tar4730.tmp
- %WINDIR%\temp\cab472f.tmp
- %WINDIR%\temp\tar310f.tmp
- %WINDIR%\temp\cab310e.tmp
- %WINDIR%\temp\tar3071.tmp
- %WINDIR%\temp\cabb6fc.tmp
- %WINDIR%\temp\cab3070.tmp
- %WINDIR%\temp\cab1aeb.tmp
- %WINDIR%\temp\tar1abc.tmp
- %WINDIR%\temp\cab1abb.tmp
- %WINDIR%\temp\tar1a6c.tmp
- %WINDIR%\temp\cab1a6b.tmp
- %WINDIR%\temp\tar1a2b.tmp
- %WINDIR%\temp\cab1a1b.tmp
- %WINDIR%\temp\tar36e.tmp
- %WINDIR%\temp\cab36d.tmp
- %WINDIR%\temp\tar273.tmp
- %WINDIR%\temp\cab272.tmp
- %WINDIR%\temp\tarea4f.tmp
- %WINDIR%\temp\cabea4e.tmp
- %WINDIR%\temp\tar1aec.tmp
- %WINDIR%\temp\tarb6fd.tmp
Deletes the following files
- %WINDIR%\temp\cabea4e.tmp
- %WINDIR%\temp\tar73f3.tmp
- %WINDIR%\temp\cab73f2.tmp
- %WINDIR%\temp\tar5e01.tmp
- %WINDIR%\temp\cab5e00.tmp
- %WINDIR%\temp\tar5d91.tmp
- %WINDIR%\temp\cab5d90.tmp
- %WINDIR%\temp\tar47bf.tmp
- %WINDIR%\temp\cab47be.tmp
- %WINDIR%\temp\tar4730.tmp
- %WINDIR%\temp\cab472f.tmp
- %WINDIR%\temp\tar310f.tmp
- %WINDIR%\temp\cab310e.tmp
- %WINDIR%\temp\tar3071.tmp
- %WINDIR%\temp\cab3070.tmp
- %WINDIR%\temp\tar1aec.tmp
- %WINDIR%\temp\cab1aeb.tmp
- %WINDIR%\temp\tar1abc.tmp
- %WINDIR%\temp\cab1abb.tmp
- %WINDIR%\temp\tar1a6c.tmp
- %WINDIR%\temp\cab1a6b.tmp
- %WINDIR%\temp\tar1a2b.tmp
- %WINDIR%\temp\cab1a1b.tmp
- %WINDIR%\temp\tar36e.tmp
- %WINDIR%\temp\cab36d.tmp
- %WINDIR%\temp\tar273.tmp
- %WINDIR%\temp\cab272.tmp
- %WINDIR%\temp\tarea4f.tmp
- %WINDIR%\temp\cabb6fc.tmp
- %WINDIR%\temp\tarb6fd.tmp
Network activity
Connects to
- 'localhost':49185
- 'localhost':49187
- 'ke##uth.win':443
- 'x1.#.lencr.org':80
- 'x2.#.lencr.org':80
TCP
HTTP GET requests
- http://x1.#.lencr.org/
- http://x2.#.lencr.org/
Other
- 'localhost':49185
- 'localhost':49187
- 'localhost':49188
- 'ke##uth.win':443
UDP
- DNS ASK ke##uth.win
- DNS ASK x1.#.lencr.org
- DNS ASK x2.#.lencr.org
Miscellaneous
Searches for the following windows
- ClassName: '' WindowName: 'KsDumperClient.exe'
- ClassName: '' WindowName: 'HTTP Debugger'
- ClassName: '' WindowName: 'KsDumper'
- ClassName: '' WindowName: 'Process List'
- ClassName: '' WindowName: 'Memory Viewer'
- ClassName: '' WindowName: 'IDA: Quick start'
- ClassName: '' WindowName: 'x64dbg.exe'
- ClassName: '' WindowName: 'KsDumper.exe'
- ClassName: '' WindowName: 'HTTP Debugger Windows Service (32 bit).exe'
- ClassName: '' WindowName: 'Cheat Engine.exe'
- ClassName: '' WindowName: 'Xenos64.exe'
- ClassName: '' WindowName: 'Fiddler.exe'
- ClassName: '' WindowName: 'Wireshark.exe'
- ClassName: '' WindowName: 'idaq64.exe'
- ClassName: '' WindowName: 'idaq.exe'
- ClassName: '' WindowName: 'procmon.exe'
- ClassName: '' WindowName: 'ProcessHacker.exe'
- ClassName: '' WindowName: 'FolderChangesView.exe'
- ClassName: '' WindowName: 'HTTPDebuggerSvc.exe'
- ClassName: '' WindowName: 'HTTPDebuggerUI.exe'
- ClassName: '' WindowName: 'OllyDbg'
- ClassName: '' WindowName: ''
Executes the following
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c sc stop npf >nul 2>&1
- '<SYSTEM32>\sc.exe' stop npf
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq HTTPDebuggerSvc*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq HTTPDebuggerUI*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq KsDumperClient*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq FolderChangesView*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq procmon*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq idaq*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\sc.exe' stop wireshark
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq idaq64*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c sc stop wireshark >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c sc stop KProcessHacker1 >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c certutil -hashfile "<Full path to file>" MD5 | find /i /v "md5" | find /i /v "certutil"
- '<SYSTEM32>\cmd.exe' /c net stop FACEIT >nul 2>&1
- '<SYSTEM32>\certutil.exe' -hashfile "<Full path to file>" MD5
- '<SYSTEM32>\find.exe' /i /v "md5"
- '<SYSTEM32>\find.exe' /i /v "certutil"
- '<SYSTEM32>\net1.exe' stop FACEIT
- '<SYSTEM32>\cmd.exe' /c net stop ESEADriver2 >nul 2>&1
- '<SYSTEM32>\net1.exe' stop ESEADriver2
- '<SYSTEM32>\cmd.exe' /c sc stop HTTPDebuggerPro >nul 2>&1
- '<SYSTEM32>\sc.exe' stop HTTPDebuggerPro
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c sc stop KProcessHacker3 >nul 2>&1
- '<SYSTEM32>\sc.exe' stop KProcessHacker3
- '<SYSTEM32>\cmd.exe' /c sc stop KProcessHacker2 >nul 2>&1
- '<SYSTEM32>\sc.exe' stop KProcessHacker2
- '<SYSTEM32>\sc.exe' stop KProcessHacker1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1
