Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
5temp/temp/...er.bat
windows7-x64
1temp/temp/...er.bat
windows10-2004-x64
1temp/temp/...er.bat
windows7-x64
1temp/temp/...er.bat
windows10-2004-x64
1temp/temp/...ht.bat
windows7-x64
8temp/temp/...ht.bat
windows10-2004-x64
8temp/temp/...er.exe
windows7-x64
1temp/temp/...er.exe
windows10-2004-x64
1temp/temp/...er.exe
windows7-x64
1temp/temp/...er.exe
windows10-2004-x64
1temp/temp/...gs.vbs
windows7-x64
1temp/temp/...gs.vbs
windows10-2004-x64
1temp/temp/...ol.exe
windows7-x64
10temp/temp/...ol.exe
windows10-2004-x64
5temp/temp/...64.dll
windows7-x64
1temp/temp/...64.dll
windows10-2004-x64
1temp/temp/...64.dll
windows7-x64
1temp/temp/...64.dll
windows10-2004-x64
1temp/temp/...mp.exe
windows7-x64
10temp/temp/...mp.exe
windows10-2004-x64
10Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20/01/2025, 15:13
Behavioral task
behavioral1
Sample
temp/temp/temp/temp/Serial Checker.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
temp/temp/temp/temp/Serial Checker.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
temp/temp/temp/temp/cleaners/FortniteCleaner.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral4
Sample
temp/temp/temp/temp/cleaners/FortniteCleaner.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
temp/temp/temp/temp/cleaners/Midnight.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral6
Sample
temp/temp/temp/temp/cleaners/Midnight.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
temp/temp/temp/temp/cleaners/Toruney_Cleaner.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral8
Sample
temp/temp/temp/temp/cleaners/Toruney_Cleaner.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
temp/temp/temp/temp/cleaners/cleaner.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral10
Sample
temp/temp/temp/temp/cleaners/cleaner.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
temp/temp/temp/temp/d control need/Defender_Settings.vbs
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral12
Sample
temp/temp/temp/temp/d control need/Defender_Settings.vbs
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
temp/temp/temp/temp/d control need/dControl.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral14
Sample
temp/temp/temp/temp/d control need/dControl.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
temp/temp/temp/temp/libcrypto-3-x64.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral16
Sample
temp/temp/temp/temp/libcrypto-3-x64.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
temp/temp/temp/temp/libssl-3-x64.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral18
Sample
temp/temp/temp/temp/libssl-3-x64.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
temp/temp/temp/temp/vson I temp.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral20
Sample
temp/temp/temp/temp/vson I temp.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
General
-
Target
temp/temp/temp/temp/cleaners/FortniteCleaner.bat
-
Size
1.5MB
-
MD5
2429db21a224c48fa6b17e55a6762328
-
SHA1
f86eb0c2de25e8970add83b66253d3f18b0994e1
-
SHA256
365685c1e71944bc955c6be46cc33a44099bcb0f8c625228e89445f18866b778
-
SHA512
0487e79a9b2b427f8c0e5bb860e78039bcf29626bd58ad8190df858fcfa130d15add3fcd350cdadaccbc1d2e13f822dab76e418029d692d2ccd972594b4c0e23
-
SSDEEP
49152:9TOB4ynYygOvXsMruROZyUpWvWOLZkORn:b
Malware Config
Signatures
-
Kills process with taskkill 11 IoCs
pid Process 1776 taskkill.exe 1524 taskkill.exe 2492 taskkill.exe 1304 taskkill.exe 2184 taskkill.exe 2768 taskkill.exe 2140 taskkill.exe 1952 taskkill.exe 2812 taskkill.exe 3032 taskkill.exe 2736 taskkill.exe -
Suspicious use of AdjustPrivilegeToken 11 IoCs
description pid Process Token: SeDebugPrivilege 1524 taskkill.exe Token: SeDebugPrivilege 1952 taskkill.exe Token: SeDebugPrivilege 2492 taskkill.exe Token: SeDebugPrivilege 1304 taskkill.exe Token: SeDebugPrivilege 2812 taskkill.exe Token: SeDebugPrivilege 3032 taskkill.exe Token: SeDebugPrivilege 2736 taskkill.exe Token: SeDebugPrivilege 2768 taskkill.exe Token: SeDebugPrivilege 2184 taskkill.exe Token: SeDebugPrivilege 1776 taskkill.exe Token: SeDebugPrivilege 2140 taskkill.exe -
Suspicious use of WriteProcessMemory 39 IoCs
description pid Process procid_target PID 2520 wrote to memory of 1524 2520 cmd.exe 31 PID 2520 wrote to memory of 1524 2520 cmd.exe 31 PID 2520 wrote to memory of 1524 2520 cmd.exe 31 PID 2520 wrote to memory of 1952 2520 cmd.exe 33 PID 2520 wrote to memory of 1952 2520 cmd.exe 33 PID 2520 wrote to memory of 1952 2520 cmd.exe 33 PID 2520 wrote to memory of 2492 2520 cmd.exe 34 PID 2520 wrote to memory of 2492 2520 cmd.exe 34 PID 2520 wrote to memory of 2492 2520 cmd.exe 34 PID 2520 wrote to memory of 1304 2520 cmd.exe 35 PID 2520 wrote to memory of 1304 2520 cmd.exe 35 PID 2520 wrote to memory of 1304 2520 cmd.exe 35 PID 2520 wrote to memory of 2812 2520 cmd.exe 36 PID 2520 wrote to memory of 2812 2520 cmd.exe 36 PID 2520 wrote to memory of 2812 2520 cmd.exe 36 PID 2520 wrote to memory of 3032 2520 cmd.exe 37 PID 2520 wrote to memory of 3032 2520 cmd.exe 37 PID 2520 wrote to memory of 3032 2520 cmd.exe 37 PID 2520 wrote to memory of 2736 2520 cmd.exe 38 PID 2520 wrote to memory of 2736 2520 cmd.exe 38 PID 2520 wrote to memory of 2736 2520 cmd.exe 38 PID 2520 wrote to memory of 2768 2520 cmd.exe 39 PID 2520 wrote to memory of 2768 2520 cmd.exe 39 PID 2520 wrote to memory of 2768 2520 cmd.exe 39 PID 2520 wrote to memory of 2184 2520 cmd.exe 40 PID 2520 wrote to memory of 2184 2520 cmd.exe 40 PID 2520 wrote to memory of 2184 2520 cmd.exe 40 PID 2520 wrote to memory of 1776 2520 cmd.exe 41 PID 2520 wrote to memory of 1776 2520 cmd.exe 41 PID 2520 wrote to memory of 1776 2520 cmd.exe 41 PID 2520 wrote to memory of 2140 2520 cmd.exe 42 PID 2520 wrote to memory of 2140 2520 cmd.exe 42 PID 2520 wrote to memory of 2140 2520 cmd.exe 42 PID 2520 wrote to memory of 2600 2520 cmd.exe 43 PID 2520 wrote to memory of 2600 2520 cmd.exe 43 PID 2520 wrote to memory of 2600 2520 cmd.exe 43 PID 2600 wrote to memory of 2620 2600 cmd.exe 44 PID 2600 wrote to memory of 2620 2600 cmd.exe 44 PID 2600 wrote to memory of 2620 2600 cmd.exe 44
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\temp\temp\temp\temp\cleaners\FortniteCleaner.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\system32\taskkill.exetaskkill /f /im epicgameslauncher.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1524
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping_EAC.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1952
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2492
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping_BE.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1304
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteLauncher.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2812
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im UnrealCEFSubProcess.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3032
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im CEFProcess.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2736
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im EasyAntiCheat.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2768
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im BEService.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2184
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im BEServices.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1776
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im BattleEye.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2140
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\temp\temp\temp\temp\cleaners\FortniteCleaner.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\system32\findstr.exefindstr /b ::: "C:\Users\Admin\AppData\Local\Temp\temp\temp\temp\temp\cleaners\FortniteCleaner.bat"3⤵PID:2620
-
-