Overview

Per-task scores (task names are shown truncated, as on the report page). All behavioral tasks ran on windows10-2004-x64.

score  task
10     Static (static)
10     FN-TOOLZ-m...AN.bat
10     Tournament...ew.exe
6      Tournament...al.dll
1      Tournament...UI.dll
1      Tournament...cl.exe
1      Tournament...uz.exe
9      Tournament...dc.exe
1      Tournament...ft.exe
1      Tournament...64.exe
1      Tournament...32.exe
1      Tournament...64.exe
4      Tournament...fg.exe
3      Tournament...sg.exe
3      Tournament...sr.exe
10     Tournament...wg.exe
1      Tournament...sm.dll
1      Tournament...xy.dll
7      Tournament...ry.dll
1      Tournament...ll.dll
1      Tournament...pi.dll
1      Tournament...32.dll
1      Tournament...da.dll
1      Tournament...ve.dll
1      Tournament...70.dll
1      Tournament...rl.exe
3      Tournament...64.exe
3      Tournament...cs.exe
8      Tournament...64.exe
10     Tournament...tm.exe
3      Tournament...mc.exe
1      FN-TOOLZ-m...er.exe
9      FN-TOOLZ-m...er.bat
Analysis

max time kernel:   223s
max time network:  206s
platform:          windows10-2004_x64
resource:          win10v2004-20240611-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted:         26/06/2024, 20:50
Behavioral tasks

task          sample                                                   resource
behavioral1   FN-TOOLZ-main/FNCLEAN.bat                                win10v2004-20240508-en
behavioral2   Tournament_Fixer/AdditionalRuntimes/DevManView.exe       win10v2004-20240611-en
behavioral3   Tournament_Fixer/AdditionalRuntimes/MCCSPal.dll          win10v2004-20240508-en
behavioral4   Tournament_Fixer/AdditionalRuntimes/MaintenanceUI.dll    win10v2004-20240611-en
behavioral5   Tournament_Fixer/AdditionalRuntimes/ccl.exe              win10v2004-20240611-en
behavioral6   Tournament_Fixer/AdditionalRuntimes/cpuz.exe             win10v2004-20240508-en
behavioral7   Tournament_Fixer/AdditionalRuntimes/ddc.exe              win10v2004-20240508-en
behavioral8   Tournament_Fixer/AdditionalRuntimes/hssft.exe            win10v2004-20240611-en
behavioral9   Tournament_Fixer/AdditionalRuntimes/hwbd64.exe           win10v2004-20240508-en
behavioral10  Tournament_Fixer/AdditionalRuntimes/hwinfo32.exe         win10v2004-20240611-en
behavioral11  Tournament_Fixer/AdditionalRuntimes/hwinfo64.exe         win10v2004-20240611-en
behavioral12  Tournament_Fixer/AdditionalRuntimes/jfg.exe              win10v2004-20240508-en
behavioral13  Tournament_Fixer/AdditionalRuntimes/jsg.exe              win10v2004-20240611-en
behavioral14  Tournament_Fixer/AdditionalRuntimes/jsr.exe              win10v2004-20240611-en
behavioral15  Tournament_Fixer/AdditionalRuntimes/kwg.exe              win10v2004-20240611-en
behavioral16  Tournament_Fixer/AdditionalRuntimes/lsm.dll              win10v2004-20240508-en
behavioral17  Tournament_Fixer/AdditionalRuntimes/lsmproxy.dll         win10v2004-20240508-en
behavioral18  Tournament_Fixer/AdditionalRuntimes/lstelemetry.dll      win10v2004-20240611-en
behavioral19  Tournament_Fixer/AdditionalRuntimes/luainstall.dll       win10v2004-20240508-en
behavioral20  Tournament_Fixer/AdditionalRuntimes/luiapi.dll           win10v2004-20240226-en
behavioral21  Tournament_Fixer/AdditionalRuntimes/lz32.dll             win10v2004-20240611-en
behavioral22  Tournament_Fixer/AdditionalRuntimes/mcicda.dll           win10v2004-20240508-en
behavioral23  Tournament_Fixer/AdditionalRuntimes/mciwave.dll          win10v2004-20240611-en
behavioral24  Tournament_Fixer/AdditionalRuntimes/mfc70.dll            win10v2004-20240611-en
behavioral25  Tournament_Fixer/AdditionalRuntimes/nvrl.exe             win10v2004-20240611-en
behavioral26  Tournament_Fixer/AdditionalRuntimes/nvrl64.exe           win10v2004-20240508-en
behavioral27  Tournament_Fixer/AdditionalRuntimes/tcs.exe              win10v2004-20240611-en
behavioral28  Tournament_Fixer/AdditionalRuntimes/tcs64.exe            win10v2004-20240611-en
behavioral29  Tournament_Fixer/AdditionalRuntimes/tm.exe               win10v2004-20240508-en
behavioral30  Tournament_Fixer/AdditionalRuntimes/wmc.exe              win10v2004-20240508-en
behavioral31  FN-TOOLZ-main/applecleaner.exe                           win10v2004-20240611-en
behavioral32  FN-TOOLZ-main/serial_checker.bat                         win10v2004-20240508-en
General

Target:  Tournament_Fixer/AdditionalRuntimes/hwinfo32.exe
Size:    235KB
MD5:     65aba33aa73bd605e877e0902babeda5
SHA1:    fe4f38d59f1c40492fa02fe22027079b75e2c181
SHA256:  6221daf26a75208044156a28c43bed209741059ae402a7859735ac789e9005dd
SHA512:  0028a26fa3c77906afcd3f14d5f67c17eda9fda6f397ac4cf88e0fe520e4a1bf6f60f60b9c67f876c3232e3a4b299fb1471e81e5dfea82e0774c4e0e3001f842
SSDEEP:  6144:BBlkZvaF4NTBPrwaPBzKs6AkJLx8AogS/pFgELQX:BoSWNTd1t+aAQgELK
Malware Config
Signatures
Kills process with taskkill (13 IoCs)

pid   process
2040  taskkill.exe
1816  taskkill.exe
1292  taskkill.exe
4584  taskkill.exe
3592  taskkill.exe
3520  taskkill.exe
3216  taskkill.exe
1412  taskkill.exe
956   taskkill.exe
1552  taskkill.exe
556   taskkill.exe
4008  taskkill.exe
4108  taskkill.exe

Suspicious use of AdjustPrivilegeToken (13 IoCs)

description              pid   process
Token: SeDebugPrivilege  956   taskkill.exe
Token: SeDebugPrivilege  3520  taskkill.exe
Token: SeDebugPrivilege  4008  taskkill.exe
Token: SeDebugPrivilege  2040  taskkill.exe
Token: SeDebugPrivilege  1552  taskkill.exe
Token: SeDebugPrivilege  3216  taskkill.exe
Token: SeDebugPrivilege  1816  taskkill.exe
Token: SeDebugPrivilege  1412  taskkill.exe
Token: SeDebugPrivilege  1292  taskkill.exe
Token: SeDebugPrivilege  4108  taskkill.exe
Token: SeDebugPrivilege  556   taskkill.exe
Token: SeDebugPrivilege  4584  taskkill.exe
Token: SeDebugPrivilege  3592  taskkill.exe

Suspicious use of WriteProcessMemory (64 IoCs; the report records each of the 32 parent/child pairs below twice)

description                       pid   process       procid_target
PID 1476 wrote to memory of 4524  1476  hwinfo32.exe  84
PID 4524 wrote to memory of 956   4524  cmd.exe       86
PID 4524 wrote to memory of 3520  4524  cmd.exe       88
PID 4524 wrote to memory of 4008  4524  cmd.exe       89
PID 4524 wrote to memory of 2040  4524  cmd.exe       90
PID 4524 wrote to memory of 1552  4524  cmd.exe       92
PID 4524 wrote to memory of 3216  4524  cmd.exe       93
PID 4524 wrote to memory of 1816  4524  cmd.exe       94
PID 4524 wrote to memory of 1412  4524  cmd.exe       95
PID 4524 wrote to memory of 1292  4524  cmd.exe       96
PID 4524 wrote to memory of 4108  4524  cmd.exe       97
PID 4524 wrote to memory of 556   4524  cmd.exe       99
PID 4524 wrote to memory of 4584  4524  cmd.exe       100
PID 4524 wrote to memory of 3592  4524  cmd.exe       101
PID 4524 wrote to memory of 4528  4524  cmd.exe       102
PID 4524 wrote to memory of 1628  4524  cmd.exe       103
PID 4524 wrote to memory of 4728  4524  cmd.exe       104
PID 4524 wrote to memory of 1636  4524  cmd.exe       105
PID 4524 wrote to memory of 2656  4524  cmd.exe       106
PID 4524 wrote to memory of 1108  4524  cmd.exe       107
PID 4524 wrote to memory of 4064  4524  cmd.exe       108
PID 4524 wrote to memory of 3204  4524  cmd.exe       109
PID 4524 wrote to memory of 1340  4524  cmd.exe       110
PID 4524 wrote to memory of 2720  4524  cmd.exe       111
PID 4524 wrote to memory of 5052  4524  cmd.exe       112
PID 4524 wrote to memory of 5044  4524  cmd.exe       113
PID 4524 wrote to memory of 4400  4524  cmd.exe       114
PID 4524 wrote to memory of 3764  4524  cmd.exe       115
PID 4524 wrote to memory of 4332  4524  cmd.exe       116
PID 4524 wrote to memory of 2436  4524  cmd.exe       117
PID 4524 wrote to memory of 820   4524  cmd.exe       118
PID 4524 wrote to memory of 2396  4524  cmd.exe       119
Processes

Process tree; depth is shown by indentation.

C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hwinfo32.exe  (PID 1476)
  command line: "C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hwinfo32.exe"
  signatures: Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe  (PID 4524)
    command line: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3F0C.tmp\3F0D.tmp\3F0E.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hwinfo32.exe"
    signatures: Suspicious use of WriteProcessMemory

    Children of PID 4524, in the order the report lists them. Every taskkill.exe child matched the signatures "Kills process with taskkill" and "Suspicious use of AdjustPrivilegeToken"; the reg.exe children matched no signature.

    PID 956   C:\Windows\system32\taskkill.exe  taskkill /f /im epicgameslauncher.exe
    PID 3520  C:\Windows\system32\taskkill.exe  taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
    PID 4008  C:\Windows\system32\taskkill.exe  taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
    PID 2040  C:\Windows\system32\taskkill.exe  taskkill /f /im FortniteLauncher.exe
    PID 1552  C:\Windows\system32\taskkill.exe  taskkill /f /im OneDrive.exe
    PID 3216  C:\Windows\system32\taskkill.exe  taskkill /f /im FortniteClient-Win64-Shipping.exe
    PID 1816  C:\Windows\system32\taskkill.exe  taskkill /f /im EpicGamesLauncher.exe
    PID 1412  C:\Windows\system32\taskkill.exe  taskkill /f /im UnrealCEFSubProcess.exe
    PID 1292  C:\Windows\system32\taskkill.exe  taskkill /f /im CEFProcess.exe
    PID 4108  C:\Windows\system32\taskkill.exe  taskkill /f /im EasyAntiCheat.exe
    PID 556   C:\Windows\system32\taskkill.exe  taskkill /f /im BEService.exe
    PID 4584  C:\Windows\system32\taskkill.exe  taskkill /f /im BEServices.exe
    PID 3592  C:\Windows\system32\taskkill.exe  taskkill /f /im BattleEye.exe
    PID 4528  C:\Windows\system32\reg.exe       reg delete "HKEY_USERS\.DEFAULT\Software\Epic Games" /f
    PID 1628  C:\Windows\system32\reg.exe       reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    PID 4728  C:\Windows\system32\reg.exe       reg delete "HKEY_CURRENT_USER\System\GameConfigStore\Children\204ecad0-2ffb-4b38-b78e-9abdba56e0ca" /f
    PID 1636  C:\Windows\system32\reg.exe       reg delete "HKEY_CURRENT_USER\System\GameConfigStore\Children\6b64878b-0bcf-41ea-9d66-e883da2aae74" /f
    PID 2656  C:\Windows\system32\reg.exe       reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.eos" /f
    PID 1108  C:\Windows\system32\reg.exe       reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
    PID 4064  C:\Windows\system32\reg.exe       reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    PID 3204  C:\Windows\system32\reg.exe       reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    PID 1340  C:\Windows\system32\reg.exe       reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
    PID 2720  C:\Windows\system32\reg.exe       reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
    PID 5052  C:\Windows\system32\reg.exe       reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    PID 5044  C:\Windows\system32\reg.exe       reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    PID 4400  C:\Windows\system32\reg.exe       reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
    PID 3764  C:\Windows\system32\reg.exe       reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
    PID 4332  C:\Windows\system32\reg.exe       reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
    PID 2436  C:\Windows\system32\reg.exe       reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
    PID 820   C:\Windows\system32\reg.exe       reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
    PID 2396  C:\Windows\system32\reg.exe       reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    PID 5100  C:\Windows\system32\reg.exe       reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    PID 2288  C:\Windows\system32\reg.exe       reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
    PID 4496  C:\Windows\system32\reg.exe       reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
    PID 4036  C:\Windows\system32\reg.exe       reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
    PID 404   C:\Windows\system32\reg.exe       reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
    PID 4104  C:\Windows\system32\reg.exe       reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
    PID 368   C:\Windows\system32\reg.exe       reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
    PID 4912  C:\Windows\system32\reg.exe       reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
    PID 3944  C:\Windows\system32\reg.exe       reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
    PID 3676  C:\Windows\system32\reg.exe       reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
    PID 2732  C:\Windows\system32\reg.exe       reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
    PID 1572  C:\Windows\system32\reg.exe       reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
    PID 4408  C:\Windows\system32\reg.exe       reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
    PID 3600  C:\Windows\system32\reg.exe       reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f
    PID 4196  C:\Windows\system32\reg.exe       reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f
    PID 448   C:\Windows\system32\reg.exe       reg delete "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f
    PID 3288  C:\Windows\system32\reg.exe       reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f
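Worked detection example, added here; it is not part of the tria.ge report and does not reproduce Hatching's signature logic. The script turns the three behaviours the tree records (a cmd.exe started through C:\Windows\sysnative\cmd on a .bat dropped under nested *.tmp directories in the user's Temp folder, thirteen taskkill /f calls against Fortnite, Epic Games Launcher, EasyAntiCheat and BattlEye images, and a run of reg delete calls against Epic Games, Unreal Engine and GameConfigStore keys) into rules over process-creation records, groups findings by the root of each process tree and assigns a verdict. The records are a constructed subset of the tree above using the report's own PIDs and command lines; the rule names, the registry-key pattern and the high/medium/low scale are this example's assumptions.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Image names taken from the taskkill command lines in this report (lower-cased for matching).
ANTICHEAT_IMAGES = {
    "easyanticheat.exe", "beservice.exe", "beservices.exe", "battleye.exe",
    "fortniteclient-win64-shipping_eac.exe", "fortniteclient-win64-shipping_be.exe",
}
GAME_IMAGES = {
    "epicgameslauncher.exe", "fortnitelauncher.exe", "fortniteclient-win64-shipping.exe",
    "unrealcefsubprocess.exe", "cefprocess.exe",
}
# Generalisation of the registry keys the report shows being deleted (this example's assumption).
EPIC_KEY_RE = re.compile(r"epic games|epicgames|com\.epicgames|unreal engine|gameconfigstore", re.I)
TASKKILL_RE = re.compile(r"taskkill\b.*?/im\s+(\S+)", re.I)
REG_DELETE_RE = re.compile(r'reg\s+delete\s+"([^"]+)"', re.I)
# A .bat inside a *.tmp directory under Temp, as in "...\Temp\3F0C.tmp\3F0D.tmp\3F0E.bat".
TEMP_BAT_RE = re.compile(r'\\Temp\\[^"\s]*\.tmp\\[^"\s]*\.bat', re.I)


@dataclass(frozen=True)
class Event:
    pid: int
    ppid: int       # 0 = no parent recorded
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def classify(ev: Event) -> list[Finding]:
    """Apply the rules to a single process-creation record."""
    base = ev.image.rsplit("\\", 1)[-1].lower()
    cmd = ev.cmdline
    out: list[Finding] = []
    if base == "cmd.exe" and "/c" in cmd.lower():
        m = TEMP_BAT_RE.search(cmd)
        if m:
            out.append(Finding(ev.pid, "temp_bat_launcher", m.group(0)))
    elif base == "taskkill.exe":
        m = TASKKILL_RE.search(cmd)
        if m:
            target = m.group(1).lower()
            if target in ANTICHEAT_IMAGES:
                out.append(Finding(ev.pid, "kills_anticheat", target))
            elif target in GAME_IMAGES:
                out.append(Finding(ev.pid, "kills_game_client", target))
            elif "/f" in cmd.lower():
                out.append(Finding(ev.pid, "taskkill_force", target))
    elif base == "reg.exe":
        m = REG_DELETE_RE.search(cmd)
        if m:
            key = m.group(1)
            if EPIC_KEY_RE.search(key):
                out.append(Finding(ev.pid, "deletes_epic_registry", key))
            elif key.upper().startswith("HKEY_LOCAL_MACHINE\\"):
                out.append(Finding(ev.pid, "deletes_hklm_key", key))
    return out


def root_of(pid: int, parents: dict[int, int]) -> int:
    """Follow ppid links up to the top-most process that has a record."""
    while parents.get(pid, 0) in parents:
        pid = parents[pid]
    return pid


def analyze(events: list[Event]) -> dict[int, list[Finding]]:
    """Findings grouped by the root PID of the tree each event belongs to."""
    parents = {ev.pid: ev.ppid for ev in events}
    grouped: dict[int, list[Finding]] = defaultdict(list)
    for ev in events:
        grouped[root_of(ev.pid, parents)].extend(classify(ev))
    return dict(grouped)


def summarize(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.rule for f in findings))


def verdict(findings: list[Finding]) -> str:
    rules = {f.rule for f in findings}
    if "kills_anticheat" in rules and "deletes_epic_registry" in rules:
        return "high"    # anti-cheat tampering combined with wiping the launcher's identifiers
    if rules & {"kills_anticheat", "deletes_epic_registry", "temp_bat_launcher"}:
        return "medium"
    return "low"


# Constructed subset of the process tree in this report (PIDs and command lines as reported).
TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [
    Event(1476, 0, TMP + r"\Tournament_Fixer\AdditionalRuntimes\hwinfo32.exe",
          '"' + TMP + r'\Tournament_Fixer\AdditionalRuntimes\hwinfo32.exe"'),
    Event(4524, 1476, r"C:\Windows\system32\cmd.exe",
          r'"C:\Windows\sysnative\cmd" /c "' + TMP + r'\3F0C.tmp\3F0D.tmp\3F0E.bat '
          + TMP + r'\Tournament_Fixer\AdditionalRuntimes\hwinfo32.exe"'),
    Event(956, 4524, r"C:\Windows\system32\taskkill.exe", "taskkill /f /im epicgameslauncher.exe"),
    Event(3520, 4524, r"C:\Windows\system32\taskkill.exe", "taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe"),
    Event(1552, 4524, r"C:\Windows\system32\taskkill.exe", "taskkill /f /im OneDrive.exe"),
    Event(4108, 4524, r"C:\Windows\system32\taskkill.exe", "taskkill /f /im EasyAntiCheat.exe"),
    Event(556, 4524, r"C:\Windows\system32\taskkill.exe", "taskkill /f /im BEService.exe"),
    Event(1628, 4524, r"C:\Windows\system32\reg.exe", r'reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f'),
    Event(4332, 4524, r"C:\Windows\system32\reg.exe", r'reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f'),
    Event(820, 4524, r"C:\Windows\system32\reg.exe", r'reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f'),
]

if __name__ == "__main__":
    for root, findings in analyze(SAMPLE_EVENTS).items():
        print(f"root PID {root}: verdict={verdict(findings)} {summarize(findings)}")
```

Two caveats for anyone adapting this. First, the launcher line invokes C:\Windows\sysnative\cmd while the image column reads C:\Windows\system32\cmd.exe: the sample is tagged arch:x86, and under WOW64 the sysnative alias bypasses file-system redirection so the 64-bit cmd.exe is what actually runs; match on the image path, not the text in the command line. Second, a legitimate uninstaller can also taskkill a game client, so a production rule should keep the parent context this report shows (taskkill spawned by a cmd.exe running a .bat out of the user's Temp folder) rather than matching target names alone.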
Network
MITRE ATT&CK Matrix
Downloads

Filesize:  146KB
MD5:       406afe5c97eebaea133bdc5d9daff887
SHA1:      aaf7ef4e090c23a0ea516e4a9a78491a55001d24
SHA256:    96aa8694fa31eb10195e148c3eb9dc15fb6247a7174cfc0b3794c805fbd5de14
SHA512:    7d7a8beb15493fc9443bfb08bb9fd25715f51deb5b3bf2e0ea22b2ae354db1959836cafcb888b59773a3a720593fca606f06176e8dcbbf0c79182a37ed30c08d