| File name: | Fortnite_cleaner.bat |
| Full analysis: | https://app.any.run/tasks/e3d3a2e9-ff27-4587-914e-4166b259640e |
| Verdict: | Malicious activity |
| Analysis date: | May 20, 2019, 20:10:47 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | text/plain |
| File info: | Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators |
| MD5: | 04BC3C553A1672EBB4DF907A299E84B1 |
| SHA1: | ABF8F1214C731CBBABE0E55E76243B536BA0538E |
| SHA256: | B5B7B483AEA3247C41AB16E5D3F99B7C0FD1006FA837EAA8C67574A8D09BF62F |
| SSDEEP: | 768:PJ36Ff3p2AaJt5jaiUAwnQr0G1FPY6ExnkKfSCnej6GQNdI11C2zxYTvayvyIp2Y:e |
MALICIOUS
No malicious indicators.SUSPICIOUS
Uses REG.EXE to modify Windows registry
- cmd.exe (PID: 608)
INFO
No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
990
Monitored processes
958
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 120 | reg delete "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TermReason\1812\Terminator: "WerSvcKernelMsgDone"" /f | C:\Windows\system32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 120 | reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes\f35b8afb-0c28-4f87-b4c5-6a3f1ca60784\Description: (NULL!)" /f | C:\Windows\system32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 180 | reg delete "HKU\S-1-5-21-2178731390-2042553571-3950859006-1001\Software\Classes\Local Settings\MuiCache\92\52C64B7E\@C:\Windows\System32\irprops.cpl,-2: "Configure infrared file transfer, image transfer, and hardware settings."" /f | C:\Windows\system32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 180 | reg delete "HKLM\SYSTEM\ControlSet001\Control\Power\User\PowerSchemes\f35b8afb-0c28-4f87-b4c5-6a3f1ca60784\4f971e89-eebd-4455-a8de-9e59040e7347\5ca83367-6e45-459f-a27b-476b1d01c936" /f | C:\Windows\system32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | |||||||||||||||
| 252 | reg delete "HKU\S-1-5-21-2178731390-2042553571-3950859006-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.Furyy.EhaQvnybt: 01 00 00 00 00 00 00 00 23 00 00 00 2B 75 04 00 1E AA 85 3C 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BfuriosdestructÄ┘Ä%c3nh:~41,1furiosdestructèαñ┘%gj9i:~0,1%furiosdestructèαñ┘%gj9i:~0,1furiosdestructèαñ┘%gj9i:~0,1%furiosdestructèαñ┘%gj9i:~0,1furiosdestruct «╛╪%gj9i:~8,1%furiosdestructèαñ┘%gj9i:~0,1furiosdestruct╝«ê╣%gj9i:~37,1%furiosdestructÄ┘Ä%c3nh:~41,1furiosdestructèαñ┘%gj9i:~0,1%furiosdestructèαñ┘%gj9i:~0,1furiosdestructèαñ┘%gj9i:~0,1%furiosdestructèαñ┘%gj9i:~0,1furiosdestruct «╛╪%gj9i:~8,1%furiosdestructèαñ┘%gj9i:~0,1furiosdestruct╝«ê╣%gj9i:~37,1%furiosdestructÄ┘Ä%c3nh:~41,1furiosdestructèαñ┘%gj9i:~0,1%furiosdestructèαñ┘%gj9i:~0,1furiosdestructèαñ┘%gj9i:~0,1%furiosdestructèαñ┘%gj9i:~0,1furiosdestructèαñ┘%gj9i:~0,1%furiosdestructèαñ┘%gj9i:~0,1furiosdestructèαñ┘%gj9i:~0,1%furiosdestructèαñ┘%gj9i:~0,1furiosdestructèαñ┘%gj9i:~0,1%furiosdestructèαñ┘%gj9i:~0,1furiosdestructèαñ┘%gj9i:~0,1%furiosdestructèαñ┘%gj9i:~0,1furiosdestructèαñ┘%gj9i:~0,1%furiosdestructèαñ┘%gj9i:~0,1furiosdestructèαñ┘%gj9i:~0,1%furiosdestructèαñ┘%gj9i:~0,1furiosdestructèαñ┘%gj9i:~0,1%furiosdestructèαñ┘%gj9i:~0,1furiosdestructèαñ┘%gj9i:~0,1%furiosdestructèαñ┘%gj9i:~0,1furiosdestructèαñ┘%gj9i:~0,1%furiosdestructèαñ┘%gj9i:~0,1furiosdestructèαñ┘%gj9i:~0,1%furiosdestructèαñ┘%gj9i:~0,1furiosdestructèαñ┘%gj9i:~0,1%furiosdestructèαñ┘%gj9i:~0,1furiosdestructèαñ┘%gj9i:~0,1%furiosdestructèαñ┘%gj9i:~0,1furiosdestructèαñ┘%gj9i:~0,1%furiosdestructèαñ┘%gj9i:~0,1furiosdestructèαñ┘%gj9i:~0,1%furiosdestructèαñ┘%gj9i:~0,1furiosdestruct┘ªα¬%gj9i:~15,1 | C:\Windows\system32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 252 | reg delete "HKLM\SYSTEM\CurrentControlSet\Services\VSS\Diag\VolSnap\Volume{00a500a4-0000-0000-0000-602200000000}DeleteProcess (Enter): 48 00 00 00 00 00 00 00 90 EA DA 82 95 F1 D4 01 00 00 00 00 00 00 00 00 12 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" /f | C:\Windows\system32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 272 | reg delete "HKU\S-1-5-21-2178731390-2042553571-3950859006-1001\Software\Classes\Local Settings\MuiCache\92\52C64B7E\@C:\Windows\System32\tabletpc.cpl,-10103: "Pen and Touch"" /f | C:\Windows\system32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 272 | reg delete "HKLM\SYSTEM\ControlSet001\Control\Video\{9D728242-53F9-11E9-9344-AFD652AAF49B}\0002\ACPowerPolicyVersion: 0x00001202" /f | C:\Windows\system32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 276 | reg delete "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TermReason\808\CreationTime: E8 54 D7 AB 95 F1 D4 01" /f | C:\Windows\system32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 276 | reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{4d457018-ada3-431e-a080-317e29768715}\Properties\{f112024a-fe30-42a8-80ab-8dd825a06f78},2: 03 00 62 9E 01 00 00 00 90 00 00 00" /f | C:\Windows\system32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | |||||||||||||||
Total events
6
Read events
6
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report