agenttesla | 1f668db513b0912b2f59f9e000460d96ee8372c336c3ebcab44c3fc54e0c4ea3

General

Target

Zwle_Free_Perm.exe
Size

4.5MB
MD5

ac1db637a41939cc8660b1de00d6b3fd
SHA1

f18e9eec24e6892201e47ddba5101b6d1625cecf
SHA256

1f668db513b0912b2f59f9e000460d96ee8372c336c3ebcab44c3fc54e0c4ea3
SHA512

de7a45ca92d8a031be9464daae4da1ad4b019e5aaa6dc945c867d7cc5ba6a9aee8289f23df182a52938f759879d44a6cb138e7b80dbeafcec7ebc2ff83142272
SSDEEP

98304:Gl/CRHCmGLU4YXtPvAta7lqMZ9aEJlTGn95uzIIo7iYfZNvn9OB:qKRCe4YXtnAtaRhNTkeo7Ht

Score

10^/10

agenttesla evasion keylogger spyware stealer themida trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3908-12-0x0000000010000000-0x0000000010214000-memory.dmp	family_agenttesla

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Zwle_Free_Perm.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Zwle_Free_Perm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Zwle_Free_Perm.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Zwle_Free_Perm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Zwle_Free_Perm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Zwle_Free_Perm.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/3908-6-0x0000000000400000-0x0000000001062000-memory.dmp	themida
behavioral1/memory/3908-7-0x0000000000400000-0x0000000001062000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Zwle_Free_Perm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Zwle_Free_Perm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Zwle_Free_Perm.exe

Drops file in System32 directory 9 IoCs

Processes:

cmd.execmd.execmd.exe

description	ioc	process
File opened for modification	C:\Windows\System32\LogFiles\WMI\LWTNET~1.ETL	cmd.exe
File opened for modification	C:\Windows\System32\LogFiles\WMI\MICROS~1.ETL	cmd.exe
File opened for modification	C:\Windows\System32\LogFiles\WMI\DIAGTR~1.005	cmd.exe
File opened for modification	C:\Windows\System32\LogFiles\WMI\LWTNET~1.ETL	cmd.exe
File opened for modification	C:\Windows\System32\LogFiles\WMI\MICROS~1.ETL	cmd.exe
File opened for modification	C:\Windows\System32\LogFiles\WMI\DIAGTR~1.005	cmd.exe
File opened for modification	C:\Windows\System32\LogFiles\WMI\MICROS~1.ETL	cmd.exe
File opened for modification	C:\Windows\System32\LogFiles\WMI\DIAGTR~1.005	cmd.exe
File opened for modification	C:\Windows\System32\LogFiles\WMI\LWTNET~1.ETL	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Zwle_Free_Perm.exe

pid process

3908 Zwle_Free_Perm.exe

pid	process
3908	Zwle_Free_Perm.exe

Drops file in Windows directory 64 IoCs

Processes:

cmd.execmd.execmd.exe

description	ioc	process
File opened for modification	C:\Windows\INF\mdmjf56e.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmmotou.inf	cmd.exe
File opened for modification	C:\Windows\INF\scunknown.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmdcm5.inf	cmd.exe
File opened for modification	C:\Windows\INF\cdrom.inf	cmd.exe
File opened for modification	C:\Windows\INF\fusionv2.inf	cmd.exe
File opened for modification	C:\Windows\INF\tpm.inf	cmd.exe
File opened for modification	C:\Windows\INF\sdbus.inf	cmd.exe
File opened for modification	C:\Windows\INF\hidspi_km.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmmcom.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmsun1.inf	cmd.exe
File opened for modification	C:\Windows\INF\hidir.inf	cmd.exe
File opened for modification	C:\Windows\INF\kdnic.inf	cmd.exe
File opened for modification	C:\Windows\INF\mchgr.inf	cmd.exe
File opened for modification	C:\Windows\INF\dc1-controller.inf	cmd.exe
File opened for modification	C:\Windows\INF\mrvlpcie8897.inf	cmd.exe
File opened for modification	C:\Windows\INF\audioendpoint.inf	cmd.exe
File opened for modification	C:\Windows\INF\microsoft_bluetooth_a2dp.inf	cmd.exe
File opened for modification	C:\Windows\INF\ESENT\0000\esentprf.ini	cmd.exe
File opened for modification	C:\Windows\INF\rtux64w10.inf	cmd.exe
File opened for modification	C:\Windows\INF\vca.inf	cmd.exe
File opened for modification	C:\Windows\INF\SMSvcHost 4.0.0.0\0000\_SMSvcHostPerfCounters_d.ini	cmd.exe
File opened for modification	C:\Windows\INF\SMSvcHost 4.0.0.0\_SMSvcHostPerfCounters.ini	cmd.exe
File opened for modification	C:\Windows\INF\usbport.inf	cmd.exe
File opened for modification	C:\Windows\INF\c_primitive.inf	cmd.exe
File opened for modification	C:\Windows\INF\eaphost.inf	cmd.exe
File opened for modification	C:\Windows\INF\hidserv.inf	cmd.exe
File opened for modification	C:\Windows\INF\mssmbios.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmcxpv6.inf	cmd.exe
File opened for modification	C:\Windows\INF\wfcvsc.inf	cmd.exe
File opened for modification	C:\Windows\INF\netimm.inf	cmd.exe
File opened for modification	C:\Windows\INF\netwbw02.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmisdn.inf	cmd.exe
File opened for modification	C:\Windows\INF\nete1e3e.inf	cmd.exe
File opened for modification	C:\Windows\INF\ramdisk.inf	cmd.exe
File opened for modification	C:\Windows\INF\c_pcmcia.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmmega.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmgl002.inf	cmd.exe
File opened for modification	C:\Windows\INF\net7400-x64-n650.inf	cmd.exe
File opened for modification	C:\Windows\INF\UGTHRSVC\gthrctr.h	cmd.exe
File opened for modification	C:\Windows\INF\mdmcdp.inf	cmd.exe
File opened for modification	C:\Windows\INF\termkbd.inf	cmd.exe
File opened for modification	C:\Windows\INF\wsearchidxpi\idxcntrs.h	cmd.exe
File opened for modification	C:\Windows\ServiceState\EventLog\Data\LASTAL~1.DAT	cmd.exe
File opened for modification	C:\Windows\INF\dwup.inf	cmd.exe
File opened for modification	C:\Windows\INF\.NET Data Provider for SqlServer\_dataperfcounters_shared12_neutral.h	cmd.exe
File opened for modification	C:\Windows\INF\netr7364.inf	cmd.exe
File opened for modification	C:\Windows\INF\sti.inf	cmd.exe
File opened for modification	C:\Windows\INF\.NET CLR Networking\_NetworkingPerfCounters_v2.h	cmd.exe
File opened for modification	C:\Windows\INF\c_diskdrive.inf	cmd.exe
File opened for modification	C:\Windows\INF\MSDTCB~1.0\0409\_TransactionBridgePerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\Windows Workflow Foundation 4.0.0.0\PerfCounters.h	cmd.exe
File opened for modification	C:\Windows\INF\.NET CLR Data\_DataPerfCounters.h	cmd.exe
File opened for modification	C:\Windows\INF\defltrdsh.inf	cmd.exe
File opened for modification	C:\Windows\INF\volsnap.inf	cmd.exe
File opened for modification	C:\Windows\INF\c_extension.inf	cmd.exe
File opened for modification	C:\Windows\INF\c_battery.inf	cmd.exe
File opened for modification	C:\Windows\INF\halextintclpiodma.inf	cmd.exe
File opened for modification	C:\Windows\INF\c_keyboard.inf	cmd.exe
File opened for modification	C:\Windows\INF\ialpssi_i2c.inf	cmd.exe
File opened for modification	C:\Windows\INF\c_sbp2.inf	cmd.exe
File opened for modification	C:\Windows\INF\ehstorpwddrv.inf	cmd.exe
File opened for modification	C:\Windows\INF\mbtr8897w81x64.inf	cmd.exe
File opened for modification	C:\Windows\INF\UGatherer\gsrvctr.h	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Zwle_Free_Perm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Zwle_Free_Perm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Zwle_Free_Perm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Zwle_Free_Perm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Zwle_Free_Perm.exe

pid process

3908 Zwle_Free_Perm.exe
3908 Zwle_Free_Perm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Zwle_Free_Perm.exe

description pid process

Token: SeDebugPrivilege 3908 Zwle_Free_Perm.exe

pid	process
3908	Zwle_Free_Perm.exe
3908	Zwle_Free_Perm.exe

description	pid	process
Token: SeDebugPrivilege	3908	Zwle_Free_Perm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Zwle_Free_Perm.execmd.exe

description	pid	process	target process
PID 3908 wrote to memory of 4128	3908	Zwle_Free_Perm.exe	cmd.exe
PID 3908 wrote to memory of 4128	3908	Zwle_Free_Perm.exe	cmd.exe
PID 3908 wrote to memory of 4128	3908	Zwle_Free_Perm.exe	cmd.exe
PID 3908 wrote to memory of 3324	3908	Zwle_Free_Perm.exe	cmd.exe
PID 3908 wrote to memory of 3324	3908	Zwle_Free_Perm.exe	cmd.exe
PID 3908 wrote to memory of 3324	3908	Zwle_Free_Perm.exe	cmd.exe
PID 3908 wrote to memory of 4932	3908	Zwle_Free_Perm.exe	cmd.exe
PID 3908 wrote to memory of 4932	3908	Zwle_Free_Perm.exe	cmd.exe
PID 3908 wrote to memory of 4932	3908	Zwle_Free_Perm.exe	cmd.exe
PID 3324 wrote to memory of 4672	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 4672	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 4672	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 4348	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 4348	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 4348	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 3760	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 3760	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 3760	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 4940	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 4940	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 4940	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 3820	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 3820	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 3820	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 2424	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 2424	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 2424	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 424	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 424	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 424	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 3504	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 3504	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 3504	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 3932	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 3932	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 3932	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 3012	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 3012	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 3012	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 3584	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 3584	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 3584	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 2472	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 2472	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 2472	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 1336	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 1336	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 1336	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 4504	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 4504	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 4504	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 1344	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 1344	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 1344	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 2500	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 2500	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 2500	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 3888	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 3888	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 3888	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 2196	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 2196	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 2196	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 2360	3324	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\Zwle_Free_Perm.exe
"C:\Users\Admin\AppData\Local\Temp\Zwle_Free_Perm.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\deepclean1a.bat" "
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:4128

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCU\Software\Electronic Arts\EA Core\Staging\194908\ergc" /f
3⤵
PID:2008

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCU\Software\Electronic Arts" /f
3⤵
PID:1420

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Respawn\Apex\Product GUID" /f
3⤵
PID:2440

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Classes\origin" /f
3⤵
PID:3184

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Classes\origin2" /f
3⤵
PID:4020

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCR\origin" /f
3⤵
PID:5024

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCR\origin2" /f
3⤵
PID:1232

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCR\Applications\Origin.exe" /f
3⤵
PID:2408

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Classes\Applications\Origin.exe" /f
3⤵
PID:4176

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.Origin" /f
3⤵
PID:4348

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\Origin Client Service" /f
3⤵
PID:772

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\Origin Web Helper Service" /f
3⤵
PID:4256

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\Origin Client Service" /f
3⤵
PID:1152

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\Origin Web Helper Service" /f
3⤵
PID:3584

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\Origin.exe" /f
3⤵
PID:2896

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCR\Applications\Origin.exe" /f
3⤵
PID:1140

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Classes\Applications\Origin.exe" /f
3⤵
PID:3744

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.Origin" /f
3⤵
PID:1448

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93" /f
3⤵
PID:248

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181" /f
3⤵
PID:3032

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181\93" /f
3⤵
PID:3600

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App" /f
3⤵
PID:3844

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App\93" /f
3⤵
PID:5020

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac" /f
3⤵
PID:2796

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad" /f
3⤵
PID:3156

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93" /f
3⤵
PID:1708

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93\ac" /f
3⤵
PID:2344

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93" /f
3⤵
PID:4944

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93\ad" /f
3⤵
PID:4656

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180" /f
3⤵
PID:4720

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181" /f
3⤵
PID:676

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182" /f
3⤵
PID:252

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\180" /f
3⤵
PID:2292

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f
3⤵
PID:4264

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f
3⤵
PID:4716

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f
3⤵
PID:224

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f
3⤵
PID:404

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f
3⤵
PID:4116

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f
3⤵
PID:4804

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f
3⤵
PID:3948

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f
3⤵
PID:3712

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f
3⤵
PID:3992

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f
3⤵
PID:2904

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f
3⤵
PID:3320

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f
3⤵
PID:2792

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f
3⤵
PID:1576

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f
3⤵
PID:1232

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f
3⤵
PID:1832

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f
3⤵
PID:4176

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f
3⤵
PID:3760

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f
3⤵
PID:3672

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
3⤵
PID:2884

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
3⤵
PID:3012

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security" /f
3⤵
PID:3584

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
3⤵
PID:2896

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security" /f
3⤵
PID:4672

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCU\Software\Classes\Installer\Dependencies" /v MSICache /f
3⤵
PID:3744

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCU\Software\Microsoft\Direct3D" /v WHQLClass /f
3⤵
PID:416

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f
3⤵
PID:1212

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93" /f
3⤵
PID:4616

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181" /f
3⤵
PID:4324

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181\93" /f
3⤵
PID:1556

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App" /f
3⤵
PID:244

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App\93" /f
3⤵
PID:400

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac" /f
3⤵
PID:1036

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad" /f
3⤵
PID:3536

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93" /f
3⤵
PID:2920

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93\ac" /f
3⤵
PID:124

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93" /f
3⤵
PID:3368

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93\ad" /f
3⤵
PID:4076

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180" /f
3⤵
PID:256

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181" /f
3⤵
PID:2288

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182" /f
3⤵
PID:3452

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\180" /f
3⤵
PID:3916

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\181" /f
3⤵
PID:4948

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\182" /f
3⤵
PID:1356

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80" /f
3⤵
PID:2368

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81" /f
3⤵
PID:4180

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f
3⤵
PID:1688

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f
3⤵
PID:4000

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f
3⤵
PID:3736

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f
3⤵
PID:1420

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f
3⤵
PID:1948

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f
3⤵
PID:3184

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f
3⤵
PID:2128

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f
3⤵
PID:4148

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f
3⤵
PID:2148

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f
3⤵
PID:1912

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f
3⤵
PID:4176

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f
3⤵
PID:4296

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f
3⤵
PID:3672

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f
3⤵
PID:4780

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f
3⤵
PID:1584

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f
3⤵
PID:4156

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f
3⤵
PID:4356

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f
3⤵
PID:2088

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\kz2LMQg4+pNfXggv65DcWFQ9SiekWR4B4WMWT+pcqbU: 0x00000002" /f
3⤵
PID:908

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\4JSyFFDDKUMXDyK2USgAjbiksFnqOb3f8RPZBPSpEfU: 0x00000002" /f
3⤵
PID:416

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\62bDlCzxB/xxIWLkQdDRYcAqhmZhNOMUtjhRkAgTvkQ: 0x00000002" /f
3⤵
PID:1004

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Package: 0x00000181" /f
3⤵
PID:4648

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Index: 0x00000000" /f
3⤵
PID:3692

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Flags: 0x00000000" /f
3⤵
PID:1096

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\PackageRelativeApplicationId: "App"" /f
3⤵
PID:5020

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f
3⤵
PID:3448

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Executable: "GameBar.exe"" /f
3⤵
PID:1936

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Entrypoint: "GameBar.App"" /f
3⤵
PID:4860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\deepclean1b.bat" "
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3324

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCU\Software\Electronic Arts\EA Core\Staging\194908\ergc" /f
3⤵
PID:4672

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCU\Software\Electronic Arts" /f
3⤵
PID:4348

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Respawn\Apex\Product GUID" /f
3⤵
PID:3760

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Classes\origin" /f
3⤵
PID:4940

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Classes\origin2" /f
3⤵
PID:3820

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCR\origin" /f
3⤵
PID:2424

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCR\origin2" /f
3⤵
PID:424

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCR\Applications\Origin.exe" /f
3⤵
PID:3504

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Classes\Applications\Origin.exe" /f
3⤵
PID:3932

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.Origin" /f
3⤵
PID:3012

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\Origin Client Service" /f
3⤵
PID:3584

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\Origin Web Helper Service" /f
3⤵
PID:2472

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\Origin Client Service" /f
3⤵
PID:1336

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\Origin Web Helper Service" /f
3⤵
PID:4504

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\Origin.exe" /f
3⤵
PID:1344

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCR\Applications\Origin.exe" /f
3⤵
PID:2500

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Classes\Applications\Origin.exe" /f
3⤵
PID:3888

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.Origin" /f
3⤵
PID:2196

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93" /f
3⤵
PID:2360

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181" /f
3⤵
PID:3740

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181\93" /f
3⤵
PID:1712

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App" /f
3⤵
PID:5108

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App\93" /f
3⤵
PID:3540

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac" /f
3⤵
PID:1992

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad" /f
3⤵
PID:4320

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93" /f
3⤵
PID:1500

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93\ac" /f
3⤵
PID:4120

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93" /f
3⤵
PID:3988

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93\ad" /f
3⤵
PID:472

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180" /f
3⤵
PID:1096

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181" /f
3⤵
PID:4144

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182" /f
3⤵
PID:2340

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\180" /f
3⤵
PID:3912

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f
3⤵
PID:3604

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f
3⤵
PID:1936

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f
3⤵
PID:3152

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f
3⤵
PID:5012

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f
3⤵
PID:4860

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f
3⤵
PID:3536

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f
3⤵
PID:3476

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f
3⤵
PID:4184

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f
3⤵
PID:1028

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f
3⤵
PID:3588

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f
3⤵
PID:124

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f
3⤵
PID:3264

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f
3⤵
PID:2868

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f
3⤵
PID:2532

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f
3⤵
PID:4720

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f
3⤵
PID:2068

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f
3⤵
PID:256

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f
3⤵
PID:4752

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
3⤵
PID:2748

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
3⤵
PID:1940

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security" /f
3⤵
PID:4788

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
3⤵
PID:4832

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security" /f
3⤵
PID:1092

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCU\Software\Classes\Installer\Dependencies" /v MSICache /f
3⤵
PID:568

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCU\Software\Microsoft\Direct3D" /v WHQLClass /f
3⤵
PID:1552

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f
3⤵
PID:1660

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93" /f
3⤵
PID:1304

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181" /f
3⤵
PID:1192

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181\93" /f
3⤵
PID:1468

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App" /f
3⤵
PID:5032

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App\93" /f
3⤵
PID:1208

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac" /f
3⤵
PID:364

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad" /f
3⤵
PID:4540

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93" /f
3⤵
PID:4572

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93\ac" /f
3⤵
PID:3728

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93" /f
3⤵
PID:4552

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93\ad" /f
3⤵
PID:1968

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180" /f
3⤵
PID:3260

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181" /f
3⤵
PID:464

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182" /f
3⤵
PID:3316

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\180" /f
3⤵
PID:2916

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\181" /f
3⤵
PID:3808

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\182" /f
3⤵
PID:3516

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80" /f
3⤵
PID:3984

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81" /f
3⤵
PID:4548

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f
3⤵
PID:340

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f
3⤵
PID:3656

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f
3⤵
PID:1912

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f
3⤵
PID:3112

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f
3⤵
PID:4704

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f
3⤵
PID:3672

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f
3⤵
PID:4428

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f
3⤵
PID:2044

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f
3⤵
PID:4880

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f
3⤵
PID:1584

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f
3⤵
PID:2960

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f
3⤵
PID:1344

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f
3⤵
PID:2196

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f
3⤵
PID:3592

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f
3⤵
PID:4616

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f
3⤵
PID:4324

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f
3⤵
PID:3340

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f
3⤵
PID:1236

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\kz2LMQg4+pNfXggv65DcWFQ9SiekWR4B4WMWT+pcqbU: 0x00000002" /f
3⤵
PID:3604

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\4JSyFFDDKUMXDyK2USgAjbiksFnqOb3f8RPZBPSpEfU: 0x00000002" /f
3⤵
PID:492

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\62bDlCzxB/xxIWLkQdDRYcAqhmZhNOMUtjhRkAgTvkQ: 0x00000002" /f
3⤵
PID:4860

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Package: 0x00000181" /f
3⤵
PID:344

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Index: 0x00000000" /f
3⤵
PID:1028

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Flags: 0x00000000" /f
3⤵
PID:3396

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\PackageRelativeApplicationId: "App"" /f
3⤵
PID:2868

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f
3⤵
PID:4076

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Executable: "GameBar.exe"" /f
3⤵
PID:1184

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Entrypoint: "GameBar.App"" /f
3⤵
PID:4232

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\StartPage: (NULL!)" /f
3⤵
PID:2124

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\_IndexKeys: 50 61 63 6B 61 67 65 5C 31 38 31 5C 39 33 00 50 61 63 6B 61 67 65 41 6E 64 50 61 63 6B 61 67 65 52 65 6C 61 74 69 76 65 41 70 70 6C 69 63 61 74 69 6F 6E 49 64 5C 31 38 31 5E 41 70 70 00 00" /f
3⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\Application: 0x00000093" /f
3⤵
PID:2216

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\User: 0x00000003" /f
3⤵
PID:1356

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f
3⤵
PID:4952

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\_IndexKeys: 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 5C 33 5E 39 33 00 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 55 73 65 72 4D 6F 64 65 6C 49 64 5C 33 5E 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 21 41 70 70 00 00" /f
3⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\Application: 0x00000093" /f
3⤵
PID:3980

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\User: 0x00000004" /f
3⤵
PID:1688

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f
3⤵
PID:3724

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\_IndexKeys: 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 5C 34 5E 39 33 00 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 55 73 65 72 4D 6F 64 65 6C 49 64 5C 34 5E 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 21 41 70 70 00 00" /f
3⤵
PID:3316

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe"" /f
3⤵
PID:2916

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageFamily: 0x0000004E" /f
3⤵
PID:3008

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageType: 0x00000008" /f
3⤵
PID:2336

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\Flags: 0x00000000" /f
3⤵
PID:4556

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageOrigin: 0x00000003" /f
3⤵
PID:4836

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\Volume: 0x00000001" /f
3⤵
PID:2516

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe"" /f
3⤵
PID:4112

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\_IndexKeys: 50 61 63 6B 61 67 65 46 61 6D 69 6C 79 5C 34 65 5C 31 38 30 00 50 61 63 6B 61 67 65 46 75 6C 6C 4E 61 6D 65 5C 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 31 2E 34 31 2E 32 34 30 30 31 2E 30 5F 6E 65 75 74 72 61 6C 5F 7E 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 00 00" /f
3⤵
PID:3028

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe"" /f
3⤵
PID:1376

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageFamily: 0x0000004E" /f
3⤵
PID:3820

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageType: 0x00000001" /f
3⤵
PID:2176

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\Flags: 0x00000000" /f
3⤵
PID:1268

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageOrigin: 0x00000003" /f
3⤵
PID:3148

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\Volume: 0x00000001" /f
3⤵
PID:4356

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe"" /f
3⤵
PID:1072

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\_IndexKeys: 50 61 63 6B 61 67 65 46 61 6D 69 6C 79 5C 34 65 5C 31 38 31 00 50 61 63 6B 61 67 65 46 75 6C 6C 4E 61 6D 65 5C 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 31 2E 34 31 2E 32 34 30 30 31 2E 30 5F 78 36 34 5F 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 00 00" /f
3⤵
PID:908

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe"" /f
3⤵
PID:1712

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageFamily: 0x0000004E" /f
3⤵
PID:4648

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageType: 0x00000004" /f
3⤵
PID:1500

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\Flags: 0x00000000" /f
3⤵
PID:3844

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageOrigin: 0x00000003" /f
3⤵
PID:4144

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\Volume: 0x00000001" /f
3⤵
PID:3912

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe"" /f
3⤵
PID:4292

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\_IndexKeys: 50 61 63 6B 61 67 65 46 61 6D 69 6C 79 5C 34 65 5C 31 38 32 00 50 61 63 6B 61 67 65 46 75 6C 6C 4E 61 6D 65 5C 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 31 2E 34 31 2E 32 34 30 30 31 2E 30 5F 6E 65 75 74 72 61 6C 5F 73 70 6C 69 74 2E 73 63 61 6C 65 2D 31 30 30 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 00 00" /f
3⤵
PID:1708

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80\Package: 0x00000180" /f
3⤵
PID:344

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80\User: 0x00000003" /f
3⤵
PID:2344

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80\_IndexKeys: 55 73 65 72 5C 33 5C 31 61 38 30 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 33 5E 31 38 30 00 00" /f
3⤵
PID:4092

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81\Package: 0x00000181" /f
3⤵
PID:2068

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81\User: 0x00000003" /f
3⤵
PID:4732

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81\_IndexKeys: 55 73 65 72 5C 33 5C 31 61 38 31 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 33 5E 31 38 31 00 00" /f
3⤵
PID:676

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82\Package: 0x00000182" /f
3⤵
PID:1940

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82\User: 0x00000003" /f
3⤵
PID:4832

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82\_IndexKeys: 55 73 65 72 5C 33 5C 31 61 38 32 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 33 5E 31 38 32 00 00" /f
3⤵
PID:4744

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83\Package: 0x00000180" /f
3⤵
PID:4436

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83\User: 0x00000004" /f
3⤵
PID:1160

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83\_IndexKeys: 55 73 65 72 5C 34 5C 31 61 38 33 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 34 5E 31 38 30 00 00" /f
3⤵
PID:1668

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84\Package: 0x00000181" /f
3⤵
PID:364

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84\User: 0x00000004" /f
3⤵
PID:404

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84\_IndexKeys: 55 73 65 72 5C 34 5C 31 61 38 34 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 34 5E 31 38 31 00 00" /f
3⤵
PID:4576

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VolatileNotifications\41C64E6DA3D39855: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 02 00 1C 00 01 00 00 00 00 00 14 00 03 00 00 00 01 01 00 00 00 00 00 05 0B 00 00 00 04 00 00 00" /f
3⤵
PID:4968

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VolatileNotifications\41C64E6DA3CF4055: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 02 00 1C 00 01 00 00 00 00 00 14 00 03 00 00 00 01 01 00 00 00 00 00 05 0B 00 00 00 04 00 00 00" /f
3⤵
PID:5112

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
3⤵
PID:3924

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862software: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f
3⤵
PID:804

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_sid: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 2E 64 61 74 00 00" /f
3⤵
PID:3972

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_classes: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 43 6C 61 73 73 65 73 2E 64 61 74 00 00" /f
3⤵
PID:4036

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Siloe6b4a779-bfe1-62d8-47ac-fa19e9becbbecom: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 5F 43 4F 4D 31 35 2E 64 61 74 00 00" /f
3⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862com: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f
3⤵
PID:2056

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\bam\State\UserType: 0x00000010" /f
3⤵
PID:340

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
3⤵
PID:3436

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f
3⤵
PID:4376

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862software: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f
3⤵
PID:4704

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_sid: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 2E 64 61 74 00 00" /f
3⤵
PID:900

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_classes: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 43 6C 61 73 73 65 73 2E 64 61 74 00 00" /f
3⤵
PID:788

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Siloe6b4a779-bfe1-62d8-47ac-fa19e9becbbecom: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 5F 43 4F 4D 31 35 2E 64 61 74 00 00" /f
3⤵
PID:5004

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862com: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f
3⤵
PID:1268

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
3⤵
PID:4312

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80" /f
3⤵
PID:2804

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81" /f
3⤵
PID:2024

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f
3⤵
PID:904

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f
3⤵
PID:2196

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f
3⤵
PID:248

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f
3⤵
PID:1992

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f
3⤵
PID:2060

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f
3⤵
PID:4324

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f
3⤵
PID:3340

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f
3⤵
PID:2452

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f
3⤵
PID:4292

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f
3⤵
PID:1708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\deepclean1c.bat" "
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:4932

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCU\Software\Electronic Arts\EA Core\Staging\194908\ergc" /f
3⤵
PID:3544

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCU\Software\Electronic Arts" /f
3⤵
PID:4036

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Respawn\Apex\Product GUID" /f
3⤵
PID:2056

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Classes\origin" /f
3⤵
PID:412

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Classes\origin2" /f
3⤵
PID:4012

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCR\origin" /f
3⤵
PID:2176

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCR\origin2" /f
3⤵
PID:3384

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCR\Applications\Origin.exe" /f
3⤵
PID:4504

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Classes\Applications\Origin.exe" /f
3⤵
PID:2360

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.Origin" /f
3⤵
PID:1212

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\Origin Client Service" /f
3⤵
PID:3624

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\Origin Web Helper Service" /f
3⤵
PID:2452

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\Origin Client Service" /f
3⤵
PID:240

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\Origin Web Helper Service" /f
3⤵
PID:3060

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\Origin.exe" /f
3⤵
PID:3416

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCR\Applications\Origin.exe" /f
3⤵
PID:4688

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Classes\Applications\Origin.exe" /f
3⤵
PID:4948

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.Origin" /f
3⤵
PID:4180

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93" /f
3⤵
PID:4576

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181" /f
3⤵
PID:2144

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181\93" /f
3⤵
PID:3544

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App" /f
3⤵
PID:2964

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App\93" /f
3⤵
PID:4252

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac" /f
3⤵
PID:3180

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad" /f
3⤵
PID:3052

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93" /f
3⤵
PID:4428

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93\ac" /f
3⤵
PID:4412

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93" /f
3⤵
PID:3888

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93\ad" /f
3⤵
PID:5108

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180" /f
3⤵
PID:5028

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181" /f
3⤵
PID:3612

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182" /f
3⤵
PID:2116

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\180" /f
3⤵
PID:4944

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f
3⤵
PID:3416

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f
3⤵
PID:2124

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f
3⤵
PID:3160

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f
3⤵
PID:3728

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f
3⤵
PID:2016

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f
3⤵
PID:3808

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f
3⤵
PID:4844

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f
3⤵
PID:2224

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f
3⤵
PID:3028

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f
3⤵
PID:3504

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f
3⤵
PID:2472

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f
3⤵
PID:1900

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f
3⤵
PID:1528

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f
3⤵
PID:3844

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f
3⤵
PID:3612

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f
3⤵
PID:240

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\deepclean1a.bat
Filesize
579KB

MD5
5512c5dce702c3564581f40032ef877c

SHA1
3c3b98500b82df4ebfb80bfd20c7399ef029f2d5

SHA256
9fa1a9cb82e9731cba045d93ce8720a78eac7e48e0c88c1a76f46e3536a2341e

SHA512
9541dec6b3fe149c24065d481e21f3943d94646b6b7ccff31643a70a1e2c6f89272a5047e63d49dfac9e07aba9dd5b4215544a6a04b1fbfdd197db7017f6cbe8

Download Submit
memory/3908-9-0x0000000005650000-0x00000000056E2000-memory.dmp

Filesize
584KB

Download
memory/3908-6-0x0000000000400000-0x0000000001062000-memory.dmp

Filesize
12.4MB

Download
memory/3908-10-0x0000000005780000-0x000000000578A000-memory.dmp

Filesize
40KB

Download
memory/3908-4-0x0000000077966000-0x0000000077968000-memory.dmp

Filesize
8KB

Download
memory/3908-12-0x0000000010000000-0x0000000010214000-memory.dmp

Filesize
2.1MB

Download
memory/3908-7-0x0000000000400000-0x0000000001062000-memory.dmp

Filesize
12.4MB

Download
memory/3908-8-0x00000000057D0000-0x0000000005D76000-memory.dmp

Filesize
5.6MB

Download
memory/3908-13-0x0000000005F70000-0x0000000005F80000-memory.dmp

Filesize
64KB

Download
memory/3908-3-0x0000000075730000-0x0000000075820000-memory.dmp

Filesize
960KB

Download
memory/3908-2-0x0000000075730000-0x0000000075820000-memory.dmp

Filesize
960KB

Download
memory/3908-0-0x0000000000400000-0x0000000001062000-memory.dmp

Filesize
12.4MB

Download
memory/3908-15-0x0000000000400000-0x0000000001062000-memory.dmp

Filesize
12.4MB

Download
memory/3908-19-0x0000000075730000-0x0000000075820000-memory.dmp

Filesize
960KB

Download
memory/3908-20-0x0000000075730000-0x0000000075820000-memory.dmp

Filesize
960KB

Download
memory/3908-1-0x0000000075730000-0x0000000075820000-memory.dmp

Filesize
960KB

Download
memory/3908-35-0x0000000075730000-0x0000000075820000-memory.dmp

Filesize
960KB

Download
memory/3908-36-0x0000000005F70000-0x0000000005F80000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads