Technical Information
Malicious functions
Executes the following
- '<SYSTEM32>\taskkill.exe' /f /im EasyAntiCheat_EOS.exe
- '<SYSTEM32>\taskkill.exe' /f /im r5apex.exe
- '<SYSTEM32>\taskkill.exe' /f /im EpicGamesLauncher.exe
- '<SYSTEM32>\taskkill.exe' /f /im FortniteClient-Win64-Shipping.exe
- '<SYSTEM32>\taskkill.exe' /f /im FortniteClient-Win64-Shipping_EAC_EOS
- '<SYSTEM32>\taskkill.exe' /f /im HTTPDebuggerUI.exe
- '<SYSTEM32>\taskkill.exe' /f /im HTTPDebuggerSvc.exe
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq cheatengine*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq processhacker*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq rawshark*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq wireshark*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq fiddler*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq charles*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq ida*" /IM * /F /T
Injects code into
the following system processes:
- %WINDIR%\explorer.exe
Searches for windows to
detect analytical utilities:
- ClassName: 'TIdaWindow', WindowName: ''
Miscellaneous
Searches for the following windows
- ClassName: '' WindowName: ''
Executes the following
- '<SYSTEM32>\cmd.exe' /C taskkill /f /im FortniteClient-Win64-Shipping_EAC_EOS
- '<SYSTEM32>\cmd.exe' /C taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /C sc stop wireshark >nul 2>&1
- '<SYSTEM32>\cmd.exe' /C sc stop KProcessHacker1 >nul 2>&1
- '<SYSTEM32>\cmd.exe' /C sc stop KProcessHacker3 >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c cls
- '<SYSTEM32>\cmd.exe' /C taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /C taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /C taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\sc.exe' stop wireshark
- '<SYSTEM32>\cmd.exe' /C taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\sc.exe' stop KProcessHacker1
- '<SYSTEM32>\sc.exe' stop KProcessHacker3
- '<SYSTEM32>\cmd.exe' /C sc stop HTTPDebuggerPro >nul 2>&1
- '<SYSTEM32>\cmd.exe' /C sc stop KProcessHacker2 >nul 2>&1
- '<SYSTEM32>\sc.exe' stop KProcessHacker2
- '<SYSTEM32>\cmd.exe' /C sc stop npf >nul 2>&1
- '<SYSTEM32>\cmd.exe' /C taskkill /f /im r5apex.exe
- '<SYSTEM32>\cmd.exe' /C taskkill /f /im EpicGamesLauncher.exe
- '<SYSTEM32>\cmd.exe' /C taskkill /f /im EasyAntiCheat_EOS.exe
- '<SYSTEM32>\cmd.exe' /C taskkill /f /im FortniteClient-Win64-Shipping.exe
- '<SYSTEM32>\cmd.exe' /C taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /C taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /C taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
- '<SYSTEM32>\sc.exe' stop npf
- '<SYSTEM32>\sc.exe' stop HTTPDebuggerPro
- '<SYSTEM32>\cmd.exe' /C taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /C taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /C taskkill /f /im FortniteClient-Win64-Shipping.exe' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C sc stop KProcessHacker2 >nul 2>&1' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C sc stop KProcessHacker1 >nul 2>&1' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C sc stop wireshark >nul 2>&1' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C sc stop npf >nul 2>&1' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C taskkill /f /im FortniteClient-Win64-Shipping_EAC_EOS' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C taskkill /f /im EpicGamesLauncher.exe' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C taskkill /f /im r5apex.exe' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C sc stop HTTPDebuggerPro >nul 2>&1' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>&1' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C sc stop KProcessHacker3 >nul 2>&1' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C taskkill /f /im EasyAntiCheat_EOS.exe' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1' (with hidden window)
