a7fcfd8a328e4d6dd0b13b1618941e7c2c26d474f597c4b818aa10ca0a5f16c8

Analysis

max time kernel
33s
max time network
37s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
26/10/2022, 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Archine_loader.exe
Size

43KB
MD5

cb2bca34abf3c9499a6e80b255875f51
SHA1

c893a1bde394f07fd2dbffc0f44d7b4ed676afec
SHA256

a7fcfd8a328e4d6dd0b13b1618941e7c2c26d474f597c4b818aa10ca0a5f16c8
SHA512

a8d44b31e8192746fe0ef0d9a30f3f69d5712125694a098d3a1a7c4a0e2c1405c0ec5ad08c573485804eaf1c6e741cf8eb19f6158b5181a1d8957a29d21d10b9
SSDEEP

768:707D8DgLFHukDBTbsomIXOFbxEnIuLM7xrbXc5tuTpqKYhJ:w7D8DgBtDlbsomIXOPEpYV1TpqKmJ

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
212	sc.exe
3996	sc.exe
3328	sc.exe
4848	sc.exe
1116	sc.exe
1404	sc.exe
5112	sc.exe
548	sc.exe
4048	sc.exe
996	sc.exe
2556	sc.exe
4812	sc.exe
4804	sc.exe
3172	sc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	reg.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	reg.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
908	taskkill.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4328	Archine_loader.exe
Token: SeDebugPrivilege	908	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4328 wrote to memory of 3876	4328	Archine_loader.exe	88
PID 4328 wrote to memory of 3876	4328	Archine_loader.exe	88
PID 4328 wrote to memory of 3876	4328	Archine_loader.exe	88
PID 3876 wrote to memory of 4320	3876	cmd.exe	90
PID 3876 wrote to memory of 4320	3876	cmd.exe	90
PID 3876 wrote to memory of 4320	3876	cmd.exe	90
PID 3876 wrote to memory of 4340	3876	cmd.exe	91
PID 3876 wrote to memory of 4340	3876	cmd.exe	91
PID 3876 wrote to memory of 4340	3876	cmd.exe	91
PID 3876 wrote to memory of 3172	3876	cmd.exe	92
PID 3876 wrote to memory of 3172	3876	cmd.exe	92
PID 3876 wrote to memory of 3172	3876	cmd.exe	92
PID 3876 wrote to memory of 212	3876	cmd.exe	93
PID 3876 wrote to memory of 212	3876	cmd.exe	93
PID 3876 wrote to memory of 212	3876	cmd.exe	93
PID 3876 wrote to memory of 4848	3876	cmd.exe	94
PID 3876 wrote to memory of 4848	3876	cmd.exe	94
PID 3876 wrote to memory of 4848	3876	cmd.exe	94
PID 3876 wrote to memory of 1116	3876	cmd.exe	95
PID 3876 wrote to memory of 1116	3876	cmd.exe	95
PID 3876 wrote to memory of 1116	3876	cmd.exe	95
PID 3876 wrote to memory of 4812	3876	cmd.exe	96
PID 3876 wrote to memory of 4812	3876	cmd.exe	96
PID 3876 wrote to memory of 4812	3876	cmd.exe	96
PID 3876 wrote to memory of 4804	3876	cmd.exe	97
PID 3876 wrote to memory of 4804	3876	cmd.exe	97
PID 3876 wrote to memory of 4804	3876	cmd.exe	97
PID 3876 wrote to memory of 1404	3876	cmd.exe	98
PID 3876 wrote to memory of 1404	3876	cmd.exe	98
PID 3876 wrote to memory of 1404	3876	cmd.exe	98
PID 3876 wrote to memory of 5112	3876	cmd.exe	99
PID 3876 wrote to memory of 5112	3876	cmd.exe	99
PID 3876 wrote to memory of 5112	3876	cmd.exe	99
PID 3876 wrote to memory of 548	3876	cmd.exe	100
PID 3876 wrote to memory of 548	3876	cmd.exe	100
PID 3876 wrote to memory of 548	3876	cmd.exe	100
PID 3876 wrote to memory of 908	3876	cmd.exe	101
PID 3876 wrote to memory of 908	3876	cmd.exe	101
PID 3876 wrote to memory of 908	3876	cmd.exe	101
PID 3876 wrote to memory of 4048	3876	cmd.exe	102
PID 3876 wrote to memory of 4048	3876	cmd.exe	102
PID 3876 wrote to memory of 4048	3876	cmd.exe	102
PID 3876 wrote to memory of 3996	3876	cmd.exe	103
PID 3876 wrote to memory of 3996	3876	cmd.exe	103
PID 3876 wrote to memory of 3996	3876	cmd.exe	103
PID 3876 wrote to memory of 824	3876	cmd.exe	104
PID 3876 wrote to memory of 824	3876	cmd.exe	104
PID 3876 wrote to memory of 824	3876	cmd.exe	104
PID 824 wrote to memory of 4488	824	net.exe	105
PID 824 wrote to memory of 4488	824	net.exe	105
PID 824 wrote to memory of 4488	824	net.exe	105
PID 3876 wrote to memory of 996	3876	cmd.exe	106
PID 3876 wrote to memory of 996	3876	cmd.exe	106
PID 3876 wrote to memory of 996	3876	cmd.exe	106
PID 3876 wrote to memory of 4484	3876	cmd.exe	107
PID 3876 wrote to memory of 4484	3876	cmd.exe	107
PID 3876 wrote to memory of 4484	3876	cmd.exe	107
PID 4484 wrote to memory of 3728	4484	net.exe	108
PID 4484 wrote to memory of 3728	4484	net.exe	108
PID 4484 wrote to memory of 3728	4484	net.exe	108
PID 3876 wrote to memory of 3328	3876	cmd.exe	109
PID 3876 wrote to memory of 3328	3876	cmd.exe	109
PID 3876 wrote to memory of 3328	3876	cmd.exe	109
PID 3876 wrote to memory of 4520	3876	cmd.exe	110

C:\Users\Admin\AppData\Local\Temp\Archine_loader.exe
"C:\Users\Admin\AppData\Local\Temp\Archine_loader.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\antiOS\hykgte.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
    3⤵
    PID:4320
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
    3⤵
    PID:4340
- - C:\Windows\SysWOW64\sc.exe
    sc stop cpuz150
    3⤵
    - Launches sc.exe
    PID:3172
- - C:\Windows\SysWOW64\sc.exe
    sc stop vgt
    3⤵
    - Launches sc.exe
    PID:212
- - C:\Windows\SysWOW64\sc.exe
    sc stop vgrl
    3⤵
    - Launches sc.exe
    PID:4848
- - C:\Windows\SysWOW64\sc.exe
    sc stop vgk
    3⤵
    - Launches sc.exe
    PID:1116
- - C:\Windows\SysWOW64\sc.exe
    sc stop vgc
    3⤵
    - Launches sc.exe
    PID:4812
- - C:\Windows\SysWOW64\sc.exe
    sc delete vgrl
    3⤵
    - Launches sc.exe
    PID:4804
- - C:\Windows\SysWOW64\sc.exe
    sc delete vgk
    3⤵
    - Launches sc.exe
    PID:1404
- - C:\Windows\SysWOW64\sc.exe
    sc delete vgc
    3⤵
    - Launches sc.exe
    PID:5112
- - C:\Windows\SysWOW64\sc.exe
    sc delete vg
    3⤵
    - Launches sc.exe
    PID:548
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im vgtray.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:908
- - C:\Windows\SysWOW64\sc.exe
    sc delete cpuz150
    3⤵
    - Launches sc.exe
    PID:4048
- - C:\Windows\SysWOW64\sc.exe
    sc config wuauserv start= disabled
    3⤵
    - Launches sc.exe
    PID:3996
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:824
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      PID:4488
- - C:\Windows\SysWOW64\sc.exe
    sc config bits start= disabled
    3⤵
    - Launches sc.exe
    PID:996
- - C:\Windows\SysWOW64\net.exe
    net stop bits
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4484
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop bits
      4⤵
      PID:3728
- - C:\Windows\SysWOW64\sc.exe
    sc config dosvc start= disabled
    3⤵
    - Launches sc.exe
    PID:3328
- - C:\Windows\SysWOW64\net.exe
    net stop dosvc
    3⤵
    PID:4520
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop dosvc
      4⤵
      PID:4852
- - C:\Windows\SysWOW64\sc.exe
    sc config UsoSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:2556
- - C:\Windows\SysWOW64\net.exe
    net stop UsoSvc
    3⤵
    PID:2024
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop UsoSvc
      4⤵
      PID:3192
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\VALORANT-Win64-Shipping.exe" /f
    3⤵
    PID:3044
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{FA99DFC7-6AC2-453A-A5E2-5E2AFF4507BD}\Count" /f
    3⤵
    PID:4084
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count" /f
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F2A1CB5A-E3CC-4A2E-AF9D-505A7009D442}\Count" /f
    3⤵
    PID:732
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count" /f
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CAA59E3C-4792-41A5-9909-6A6A8D32490E}\Count" /f
    3⤵
    PID:1424
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{BCB48336-4DDD-48FF-BB0B-D3190DACB3E2}\Count" /f
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{B267E3AD-A825-4A09-82B9-EEC22AA3B847}\Count" /f
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{A3D53349-6E61-4557-8FC7-0028EDCEEBF6}\Count" /f
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{9E04CAB2-CC14-11DF-BB8C-A2F1DED72085}\Count" /f
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CLASSES_ROOT\riotclient" /f
    3⤵
    PID:4200
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
    3⤵
    PID:1224
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f
    3⤵
    PID:4496
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f
    3⤵
    PID:3180
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
    3⤵
    PID:3860
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
    3⤵
    PID:4816
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
    3⤵
    PID:3200
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
    3⤵
    PID:4228
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
    3⤵
    PID:4668
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
    3⤵
    PID:3132
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f
    3⤵
    PID:4960
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f
    3⤵
    PID:3000
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f
    3⤵
    PID:3788
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine" /f
    3⤵
    PID:3792
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f
    3⤵
    - Checks processor information in registry
    PID:3096
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f
    3⤵
    PID:4072
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe" /f
    3⤵
    PID:2408
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f
    3⤵
    PID:620
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe" /f
    3⤵
    PID:1176
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App" /f
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App\windows.protocol" /f
    3⤵
    PID:4184
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App\windows.protocol\ms-gamebarservices" /f
    3⤵
    PID:4968
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\FortniteClient-Win64-Shipping.exe" /f
    3⤵
    PID:1440
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe" /f
    3⤵
    PID:5016
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93" /f
    3⤵
    PID:4720
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181" /f
    3⤵
    PID:4924
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181\93" /f
    3⤵
    PID:4980
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App" /f
    3⤵
    PID:3432
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App\93" /f
    3⤵
    PID:3140
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac" /f
    3⤵
    PID:696
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad" /f
    3⤵
    PID:3460
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93" /f
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93\ac" /f
    3⤵
    PID:3920
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93" /f
    3⤵
    PID:3388
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93\ad" /f
    3⤵
    PID:4180
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180" /f
    3⤵
    PID:372
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181" /f
    3⤵
    PID:2652
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182" /f
    3⤵
    PID:176
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\180" /f
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\181" /f
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\182" /f
    3⤵
    PID:944
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe" /f
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe\182" /f
    3⤵
    PID:4636
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\180" /f
    3⤵
    PID:4888
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe" /f
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\181" /f
    3⤵
    PID:5000
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80" /f
    3⤵
    PID:3588
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81" /f
    3⤵
    PID:3640
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f
    3⤵
    PID:1296
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f
    3⤵
    PID:1348
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f
    3⤵
    PID:4064
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f
    3⤵
    PID:4884
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f
    3⤵
    PID:5044
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f
    3⤵
    PID:4484
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f
    3⤵
    PID:3696
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f
    3⤵
    PID:2404
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f
    3⤵
    PID:4520
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f
    3⤵
    PID:1084
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f
    3⤵
    PID:4976
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f
    3⤵
    PID:4856
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f
    3⤵
    PID:4352
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f
    3⤵
    PID:4216
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f
    3⤵
    PID:636
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f
    3⤵
    PID:4172
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f
    3⤵
    PID:4196
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f
    3⤵
    PID:1456
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe" /f
    3⤵
    PID:4936
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe" /f
    3⤵
    PID:4768
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f
    3⤵
    PID:3532
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe" /f
    3⤵
    PID:3732
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe" /f
    3⤵
    PID:3988
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe" /f
    3⤵
    PID:392
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
    3⤵
    PID:4724
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security" /f
    3⤵
    PID:4380
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
    3⤵
    PID:1020
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security" /f
    3⤵
    PID:4076
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher" /f
    3⤵
    PID:4916
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
    3⤵
    PID:1292
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
    3⤵
    PID:4304
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
    3⤵
    PID:828
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher" /f
    3⤵
    PID:2544
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
    3⤵
    PID:2372
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
    3⤵
    PID:4280
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
    3⤵
    PID:1148
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\5e4eddc4_0" /f
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\5e4eddc4_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}" /f
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\0" /f
    3⤵
    PID:3768
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000205B6" /f
    3⤵
    PID:4104
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000403D6" /f
    3⤵
    PID:3716
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000405DE" /f
    3⤵
    PID:4644
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000060286" /f
    3⤵
    PID:960
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000009042E" /f
    3⤵
    PID:452
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A03B4" /f
    3⤵
    PID:4956
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A0430" /f
    3⤵
    PID:480
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000B0532" /f
    3⤵
    PID:1252
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000B05D6" /f
    3⤵
    PID:4092
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000C0430" /f
    3⤵
    PID:3412
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000C0586" /f
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E03D2" /f
    3⤵
    PID:3144
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E0406" /f
    3⤵
    PID:2588
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000100430" /f
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001103EE" /f
    3⤵
    PID:5060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\antiOS\hykgte.bat

Filesize
355KB

MD5
acb7a121bff5c8ba0f4151af884e19e6

SHA1
5cb7db45cce94371acdccef2d02f0fcc8a57f17f

SHA256
57615cbdb53c0951a4c0557d32023a930edc840dd2e4530a13e0320f21aff43e

SHA512
e934aab54f4305e64210aaf23030f6e2127aae520be3d8d4f58277990a2098f3f6fdd59c749fe251e2b3736206ce725f6f9eff2cf3e0c245f27810453bf62402

Download Submit
memory/4328-134-0x0000000005B50000-0x0000000005B8C000-memory.dmp

Filesize
240KB

Download
memory/4328-137-0x0000000005CB0000-0x0000000005CBA000-memory.dmp

Filesize
40KB

Download
memory/4328-136-0x0000000005CF0000-0x0000000005D82000-memory.dmp

Filesize
584KB

Download
memory/4328-135-0x00000000061C0000-0x0000000006764000-memory.dmp

Filesize
5.6MB

Download
memory/4328-132-0x00000000007B0000-0x00000000007C0000-memory.dmp

Filesize
64KB

Download
memory/4328-133-0x0000000005080000-0x0000000005092000-memory.dmp

Filesize
72KB

Download