f6199fe0c5630f73c0cd588e71626ab8552fb312e90e441bbe6f1ebd50bc7ccb

Analysis

max time kernel
55s
max time network
54s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cleaner5.bat
Size

867KB
MD5

8ce83844fd35131310f9bd0d5e6ff7c7
SHA1

c2c164594d00ce9d5ea1758f80a13686ee44b06c
SHA256

95c12291d36d894bdf2c62aca840822226871ee2ed4f1653bf22fd96d183b6c5
SHA512

1e18a4c8389000dc2f171d331de374a39911c2c51c4ab8e4cca9d425884ef2d0a3c38794fb15926836537a19c6d68d72718a45b38687f0579eff035b4a766a04
SSDEEP

3072:UYScHNYScTzg8gvRnvpWyhytyhy6LfgCWcUWgM+4oH9q4gH9/142:TEwE6l142

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 3 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Windows\System32\LogFiles\WMI\DIAGTR~1.005	cmd.exe
File opened for modification	C:\Windows\System32\LogFiles\WMI\LWTNET~1.ETL	cmd.exe
File opened for modification	C:\Windows\System32\LogFiles\WMI\MICROS~1.ETL	cmd.exe

Drops file in Windows directory 64 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Windows\INF\lsi_sas2i.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmarn.inf	cmd.exe
File opened for modification	C:\Windows\INF\wsearchidxpi\0411\idxcntrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\wvmgid.inf	cmd.exe
File opened for modification	C:\Windows\INF\input.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmaiwa.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmmcom.inf	cmd.exe
File opened for modification	C:\Windows\INF\c_wpd.inf	cmd.exe
File opened for modification	C:\Windows\INF\UsbccidDriver.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmatm2k.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmtdkj5.inf	cmd.exe
File opened for modification	C:\Windows\INF\rdvgwddmdx11.inf	cmd.exe
File opened for modification	C:\Windows\INF\SMSVCH~1.0\0000\_SMSvcHostPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\.NET CLR Data\0C0A\_DataPerfCounters_d.ini	cmd.exe
File opened for modification	C:\Windows\INF\mdmgl004.inf	cmd.exe
File opened for modification	C:\Windows\INF\ndisvirtualbus.inf	cmd.exe
File opened for modification	C:\Windows\INF\netrtwlans.inf	cmd.exe
File opened for modification	C:\Windows\INF\rtux64w10.inf	cmd.exe
File opened for modification	C:\Windows\INF\c_fsreplication.inf	cmd.exe
File opened for modification	C:\Windows\INF\c_securitydevices.inf	cmd.exe
File opened for modification	C:\Windows\INF\hidi2c.inf	cmd.exe
File opened for modification	C:\Windows\INF\UGatherer\0407\gsrvctr.ini	cmd.exe
File opened for modification	C:\Windows\INF\wsearchidxpi\0407\idxcntrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\wsearchidxpi\040C\idxcntrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\BthLCPen.inf	cmd.exe
File opened for modification	C:\Windows\INF\hpsamd.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmboca.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmsii64.inf	cmd.exe
File opened for modification	C:\Windows\INF\megasas35i.inf	cmd.exe
File opened for modification	C:\Windows\INF\prnms004.inf	cmd.exe
File opened for modification	C:\Windows\INF\uiccspb.inf	cmd.exe
File opened for modification	C:\Windows\INF\.NETFramework\040C\corperfmonsymbols_d.ini	cmd.exe
File opened for modification	C:\Windows\INF\net8187bv64.inf	cmd.exe
File opened for modification	C:\Windows\INF\netlldp.inf	cmd.exe
File opened for modification	C:\Windows\INF\c_fsactivitymonitor.inf	cmd.exe
File opened for modification	C:\Windows\INF\machine.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmusrk1.inf	cmd.exe
File opened for modification	C:\Windows\INF\npsvctrig.inf	cmd.exe
File opened for modification	C:\Windows\INF\rdlsbuscbs.inf	cmd.exe
File opened for modification	C:\Windows\INF\MSDTC\0C0A\msdtcprf.ini	cmd.exe
File opened for modification	C:\Windows\INF\MSDTC Bridge 4.0.0.0\040C\_TransactionBridgePerfCounters_d.ini	cmd.exe
File opened for modification	C:\Windows\INF\wdmaudio.inf	cmd.exe
File opened for modification	C:\Windows\INF\amdsbs.inf	cmd.exe
File opened for modification	C:\Windows\INF\iaLPSS2i_GPIO2_GLK.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmgl006.inf	cmd.exe
File opened for modification	C:\Windows\INF\ntprint.inf	cmd.exe
File opened for modification	C:\Windows\INF\ialpssi_i2c.inf	cmd.exe
File opened for modification	C:\Windows\INF\tsgenericusbdriver.inf	cmd.exe
File opened for modification	C:\Windows\INF\usbhub\0000\usbperf.ini	cmd.exe
File opened for modification	C:\Windows\INF\mdmgcs.inf	cmd.exe
File opened for modification	C:\Windows\INF\.NET Data Provider for Oracle\0C0A\_DataOracleClientPerfCounters_shared12_neutral_d.ini	cmd.exe
File opened for modification	C:\Windows\INF\MSDTC Bridge 4.0.0.0\_TransactionBridgePerfCounters.ini	cmd.exe
File opened for modification	C:\Windows\INF\mdmdf56f.inf	cmd.exe
File opened for modification	C:\Windows\INF\hidspi_km.inf	cmd.exe
File opened for modification	C:\Windows\INF\netmlx4eth63.inf	cmd.exe
File opened for modification	C:\Windows\INF\netr28x.inf	cmd.exe
File opened for modification	C:\Windows\INF\urschipidea.inf	cmd.exe
File opened for modification	C:\Windows\INF\sisraid4.inf	cmd.exe
File opened for modification	C:\Windows\INF\dwup.inf	cmd.exe
File opened for modification	C:\Windows\INF\ksfilter.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmar1.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmdp2.inf	cmd.exe
File opened for modification	C:\Windows\INF\mvumis.inf	cmd.exe
File opened for modification	C:\Windows\INF\.NET CLR Data\0410\_DataPerfCounters_d.ini	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

reg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	reg.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	reg.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

2584 ipconfig.exe

pid	process
2584	ipconfig.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 3756 wrote to memory of 4944	3756	cmd.exe	cacls.exe
PID 3756 wrote to memory of 4944	3756	cmd.exe	cacls.exe
PID 3756 wrote to memory of 4484	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 4484	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 2000	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 2000	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 412	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 412	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 3364	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 3364	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 3356	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 3356	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 2368	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 2368	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 4700	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 4700	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 1992	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 1992	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 3956	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 3956	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 2772	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 2772	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 4228	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 4228	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 3544	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 3544	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 3716	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 3716	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 4404	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 4404	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 2980	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 2980	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 5056	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 5056	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 1388	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 1388	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 4084	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 4084	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 4644	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 4644	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 636	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 636	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 768	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 768	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 1888	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 1888	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 1176	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 1176	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 4496	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 4496	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 3220	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 3220	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 4940	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 4940	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 2292	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 2292	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 4036	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 4036	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 4312	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 4312	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 4668	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 4668	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 4008	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 4008	3756	cmd.exe	reg.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Cleaner5.bat"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3756

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
2⤵
PID:4944

C:\Windows\system32\reg.exe
REG DELETE "HKCU\Software\Electronic Arts\EA Core\Staging\194908\ergc" /f
2⤵
PID:4484

C:\Windows\system32\reg.exe
REG DELETE "HKCU\Software\Electronic Arts" /f
2⤵
PID:2000

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Respawn\Apex\Product GUID" /f
2⤵
PID:412

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Classes\origin" /f
2⤵
PID:3364

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Classes\origin2" /f
2⤵
PID:3356

C:\Windows\system32\reg.exe
REG DELETE "HKCR\origin" /f
2⤵
PID:2368

C:\Windows\system32\reg.exe
REG DELETE "HKCR\origin2" /f
2⤵
PID:4700

C:\Windows\system32\reg.exe
REG DELETE "HKCR\Applications\Origin.exe" /f
2⤵
PID:1992

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Classes\Applications\Origin.exe" /f
2⤵
PID:3956

C:\Windows\system32\reg.exe
REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.Origin" /f
2⤵
PID:2772

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\Origin Client Service" /f
2⤵
PID:4228

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\Origin Web Helper Service" /f
2⤵
PID:3544

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\Origin Client Service" /f
2⤵
PID:3716

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\Origin Web Helper Service" /f
2⤵
PID:4404

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\Origin.exe" /f
2⤵
PID:2980

C:\Windows\system32\reg.exe
REG DELETE "HKCR\Applications\Origin.exe" /f
2⤵
PID:5056

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Classes\Applications\Origin.exe" /f
2⤵
PID:1388

C:\Windows\system32\reg.exe
REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.Origin" /f
2⤵
PID:4084

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93" /f
2⤵
PID:4644

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181" /f
2⤵
PID:636

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181\93" /f
2⤵
PID:768

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App" /f
2⤵
PID:1888

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App\93" /f
2⤵
PID:1176

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac" /f
2⤵
PID:4496

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad" /f
2⤵
PID:3220

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93" /f
2⤵
PID:4940

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93\ac" /f
2⤵
PID:2292

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93" /f
2⤵
PID:4036

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93\ad" /f
2⤵
PID:4312

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180" /f
2⤵
PID:4668

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181" /f
2⤵
PID:4008

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182" /f
2⤵
PID:1348

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\180" /f
2⤵
PID:2020

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f
2⤵
PID:4512

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f
2⤵
PID:3152

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f
2⤵
PID:2572

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f
2⤵
PID:5096

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f
2⤵
PID:5100

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f
2⤵
PID:456

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f
2⤵
PID:3248

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f
2⤵
PID:1580

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f
2⤵
PID:4364

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f
2⤵
PID:1372

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f
2⤵
PID:1404

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f
2⤵
PID:2056

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f
2⤵
PID:784

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f
2⤵
PID:4684

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f
2⤵
PID:3760

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f
2⤵
PID:2420

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f
2⤵
PID:3120

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f
2⤵
PID:4120

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
2⤵
PID:4928

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
2⤵
PID:5072

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security" /f
2⤵
PID:212

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
2⤵
PID:740

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security" /f
2⤵
PID:2244

C:\Windows\system32\reg.exe
REG DELETE "HKCU\Software\Classes\Installer\Dependencies" /v MSICache /f
2⤵
PID:1584

C:\Windows\system32\reg.exe
REG DELETE "HKCU\Software\Microsoft\Direct3D" /v WHQLClass /f
2⤵
PID:3048

C:\Windows\system32\reg.exe
REG DELETE "HKLM\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f
2⤵
- Checks processor information in registry
PID:1244

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93" /f
2⤵
PID:744

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181" /f
2⤵
PID:3736

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181\93" /f
2⤵
PID:4792

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App" /f
2⤵
PID:2672

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App\93" /f
2⤵
PID:2500

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac" /f
2⤵
PID:4524

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad" /f
2⤵
PID:3276

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93" /f
2⤵
PID:1736

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93\ac" /f
2⤵
PID:2932

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93" /f
2⤵
PID:2676

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93\ad" /f
2⤵
PID:2956

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180" /f
2⤵
PID:2376

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181" /f
2⤵
PID:5024

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182" /f
2⤵
PID:1848

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\180" /f
2⤵
PID:4780

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\181" /f
2⤵
PID:3924

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\182" /f
2⤵
PID:4032

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80" /f
2⤵
PID:4452

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81" /f
2⤵
PID:4472

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f
2⤵
PID:3408

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f
2⤵
PID:3044

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f
2⤵
PID:4408

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f
2⤵
PID:4488

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f
2⤵
PID:2620

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f
2⤵
PID:4984

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f
2⤵
PID:1772

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f
2⤵
PID:2192

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f
2⤵
PID:2232

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f
2⤵
PID:2212

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f
2⤵
PID:2184

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f
2⤵
PID:3076

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f
2⤵
PID:3496

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f
2⤵
PID:2940

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f
2⤵
PID:2668

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f
2⤵
PID:2968

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f
2⤵
PID:4620

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f
2⤵
PID:2784

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\kz2LMQg4+pNfXggv65DcWFQ9SiekWR4B4WMWT+pcqbU: 0x00000002" /f
2⤵
PID:2000

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\4JSyFFDDKUMXDyK2USgAjbiksFnqOb3f8RPZBPSpEfU: 0x00000002" /f
2⤵
PID:412

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\62bDlCzxB/xxIWLkQdDRYcAqhmZhNOMUtjhRkAgTvkQ: 0x00000002" /f
2⤵
PID:3364

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Package: 0x00000181" /f
2⤵
PID:3356

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Index: 0x00000000" /f
2⤵
PID:2368

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Flags: 0x00000000" /f
2⤵
PID:4700

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\PackageRelativeApplicationId: "App"" /f
2⤵
PID:1992

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f
2⤵
PID:3956

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Executable: "GameBar.exe"" /f
2⤵
PID:2772

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Entrypoint: "GameBar.App"" /f
2⤵
PID:4228

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\StartPage: (NULL!)" /f
2⤵
PID:3544

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\_IndexKeys: 50 61 63 6B 61 67 65 5C 31 38 31 5C 39 33 00 50 61 63 6B 61 67 65 41 6E 64 50 61 63 6B 61 67 65 52 65 6C 61 74 69 76 65 41 70 70 6C 69 63 61 74 69 6F 6E 49 64 5C 31 38 31 5E 41 70 70 00 00" /f
2⤵
PID:3716

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\Application: 0x00000093" /f
2⤵
PID:4404

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\User: 0x00000003" /f
2⤵
PID:2980

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f
2⤵
PID:5056

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\_IndexKeys: 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 5C 33 5E 39 33 00 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 55 73 65 72 4D 6F 64 65 6C 49 64 5C 33 5E 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 21 41 70 70 00 00" /f
2⤵
PID:1388

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\Application: 0x00000093" /f
2⤵
PID:4084

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\User: 0x00000004" /f
2⤵
PID:4644

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f
2⤵
PID:636

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\_IndexKeys: 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 5C 34 5E 39 33 00 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 55 73 65 72 4D 6F 64 65 6C 49 64 5C 34 5E 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 21 41 70 70 00 00" /f
2⤵
PID:768

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe"" /f
2⤵
PID:1888

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageFamily: 0x0000004E" /f
2⤵
PID:1176

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageType: 0x00000008" /f
2⤵
PID:4496

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\Flags: 0x00000000" /f
2⤵
PID:2580

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageOrigin: 0x00000003" /f
2⤵
PID:4968

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\Volume: 0x00000001" /f
2⤵
PID:3596

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe"" /f
2⤵
PID:3888

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\_IndexKeys: 50 61 63 6B 61 67 65 46 61 6D 69 6C 79 5C 34 65 5C 31 38 30 00 50 61 63 6B 61 67 65 46 75 6C 6C 4E 61 6D 65 5C 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 31 2E 34 31 2E 32 34 30 30 31 2E 30 5F 6E 65 75 74 72 61 6C 5F 7E 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 00 00" /f
2⤵
PID:3052

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe"" /f
2⤵
PID:4116

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageFamily: 0x0000004E" /f
2⤵
PID:4628

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageType: 0x00000001" /f
2⤵
PID:2100

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\Flags: 0x00000000" /f
2⤵
PID:1720

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageOrigin: 0x00000003" /f
2⤵
PID:116

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\Volume: 0x00000001" /f
2⤵
PID:4136

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe"" /f
2⤵
PID:3104

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\_IndexKeys: 50 61 63 6B 61 67 65 46 61 6D 69 6C 79 5C 34 65 5C 31 38 31 00 50 61 63 6B 61 67 65 46 75 6C 6C 4E 61 6D 65 5C 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 31 2E 34 31 2E 32 34 30 30 31 2E 30 5F 78 36 34 5F 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 00 00" /f
2⤵
PID:2732

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe"" /f
2⤵
PID:3208

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageFamily: 0x0000004E" /f
2⤵
PID:2348

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageType: 0x00000004" /f
2⤵
PID:4000

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\Flags: 0x00000000" /f
2⤵
PID:1308

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageOrigin: 0x00000003" /f
2⤵
PID:1520

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\Volume: 0x00000001" /f
2⤵
PID:4912

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe"" /f
2⤵
PID:4664

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\_IndexKeys: 50 61 63 6B 61 67 65 46 61 6D 69 6C 79 5C 34 65 5C 31 38 32 00 50 61 63 6B 61 67 65 46 75 6C 6C 4E 61 6D 65 5C 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 31 2E 34 31 2E 32 34 30 30 31 2E 30 5F 6E 65 75 74 72 61 6C 5F 73 70 6C 69 74 2E 73 63 61 6C 65 2D 31 30 30 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 00 00" /f
2⤵
PID:3132

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80\Package: 0x00000180" /f
2⤵
PID:3560

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80\User: 0x00000003" /f
2⤵
PID:2468

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80\_IndexKeys: 55 73 65 72 5C 33 5C 31 61 38 30 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 33 5E 31 38 30 00 00" /f
2⤵
PID:3092

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81\Package: 0x00000181" /f
2⤵
PID:1708

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81\User: 0x00000003" /f
2⤵
PID:4120

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81\_IndexKeys: 55 73 65 72 5C 33 5C 31 61 38 31 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 33 5E 31 38 31 00 00" /f
2⤵
PID:4928

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82\Package: 0x00000182" /f
2⤵
PID:5072

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82\User: 0x00000003" /f
2⤵
PID:4540

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82\_IndexKeys: 55 73 65 72 5C 33 5C 31 61 38 32 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 33 5E 31 38 32 00 00" /f
2⤵
PID:5104

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83\Package: 0x00000180" /f
2⤵
PID:1652

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83\User: 0x00000004" /f
2⤵
PID:2428

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83\_IndexKeys: 55 73 65 72 5C 34 5C 31 61 38 33 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 34 5E 31 38 30 00 00" /f
2⤵
PID:3212

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84\Package: 0x00000181" /f
2⤵
PID:1244

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84\User: 0x00000004" /f
2⤵
PID:3684

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84\_IndexKeys: 55 73 65 72 5C 34 5C 31 61 38 34 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 34 5E 31 38 31 00 00" /f
2⤵
PID:3828

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VolatileNotifications\41C64E6DA3D39855: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 02 00 1C 00 01 00 00 00 00 00 14 00 03 00 00 00 01 01 00 00 00 00 00 05 0B 00 00 00 04 00 00 00" /f
2⤵
PID:4424

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VolatileNotifications\41C64E6DA3CF4055: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 02 00 1C 00 01 00 00 00 00 00 14 00 03 00 00 00 01 01 00 00 00 00 00 05 0B 00 00 00 04 00 00 00" /f
2⤵
PID:3536

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
2⤵
PID:1120

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862software: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f
2⤵
PID:4752

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_sid: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 2E 64 61 74 00 00" /f
2⤵
PID:2876

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_classes: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 43 6C 61 73 73 65 73 2E 64 61 74 00 00" /f
2⤵
PID:3368

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Siloe6b4a779-bfe1-62d8-47ac-fa19e9becbbecom: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 5F 43 4F 4D 31 35 2E 64 61 74 00 00" /f
2⤵
PID:5032

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862com: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f
2⤵
PID:3376

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\bam\State\UserType: 0x00000010" /f
2⤵
PID:3892

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
2⤵
PID:1000

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f
2⤵
PID:1484

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862software: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f
2⤵
PID:3880

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_sid: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 2E 64 61 74 00 00" /f
2⤵
PID:4428

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_classes: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 43 6C 61 73 73 65 73 2E 64 61 74 00 00" /f
2⤵
PID:1492

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Siloe6b4a779-bfe1-62d8-47ac-fa19e9becbbecom: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 5F 43 4F 4D 31 35 2E 64 61 74 00 00" /f
2⤵
PID:2220

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862com: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f
2⤵
PID:4552

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
2⤵
PID:4184

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80" /f
2⤵
PID:808

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81" /f
2⤵
PID:4528

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f
2⤵
PID:4904

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f
2⤵
PID:1988

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f
2⤵
PID:4932

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f
2⤵
PID:4980

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f
2⤵
PID:2204

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f
2⤵
PID:5068

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f
2⤵
PID:748

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f
2⤵
PID:2132

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f
2⤵
PID:2848

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f
2⤵
PID:4020

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f
2⤵
PID:2052

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f
2⤵
PID:1676

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f
2⤵
PID:4176

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f
2⤵
PID:2448

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f
2⤵
PID:2260

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f
2⤵
PID:4368

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f
2⤵
PID:3372

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f
2⤵
PID:2240

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Type: 0x00000010" /f
2⤵
PID:4992

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Start: 0x00000003" /f
2⤵
PID:1964

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f
2⤵
PID:2060

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f
2⤵
PID:4696

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f
2⤵
PID:2480

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\WOW64: 0x0000014C" /f
2⤵
PID:4660

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ObjectName: "LocalSystem"" /f
2⤵
PID:4964

C:\Windows\system32\reg.exe
REG DELETE "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher" /f
2⤵
PID:1280

C:\Windows\system32\reg.exe
REG DELETE "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
2⤵
PID:5076

C:\Windows\system32\reg.exe
REG DELETE "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
2⤵
PID:4056

C:\Windows\system32\reg.exe
REG DELETE "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
2⤵
PID:3064

C:\Windows\system32\reg.exe
REG DELETE "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher" /f
2⤵
PID:4908

C:\Windows\system32\reg.exe
REG DELETE "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
2⤵
PID:2136

C:\Windows\system32\reg.exe
REG DELETE "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
2⤵
PID:4584

C:\Windows\system32\reg.exe
REG DELETE "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
2⤵
PID:1828

C:\Windows\system32\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\0" /f
2⤵
PID:3428

C:\Windows\system32\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000205B6" /f
2⤵
PID:836

C:\Windows\system32\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000403D6" /f
2⤵
PID:5060

C:\Windows\system32\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000405DE" /f
2⤵
PID:2120

C:\Windows\system32\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000060286" /f
2⤵
PID:1340

C:\Windows\system32\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000009042E" /f
2⤵
PID:2576

C:\Windows\system32\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A03B4" /f
2⤵
PID:4036

C:\Windows\system32\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A0430" /f
2⤵
PID:5028

C:\Windows\system32\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000B0532" /f
2⤵
PID:2924

C:\Windows\system32\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000B05D6" /f
2⤵
PID:3660

C:\Windows\system32\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000C0430" /f
2⤵
PID:1348

C:\Windows\system32\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000C0586" /f
2⤵
PID:1324

C:\Windows\system32\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E03D2" /f
2⤵
PID:264

C:\Windows\system32\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E0406" /f
2⤵
PID:244

C:\Windows\system32\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000100430" /f
2⤵
PID:220

C:\Windows\system32\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001103EE" /f
2⤵
PID:3056

C:\Windows\system32\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000011041E" /f
2⤵
PID:1312

C:\Windows\system32\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000012047E" /f
2⤵
PID:3240

C:\Windows\system32\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001303EE" /f
2⤵
PID:2752

C:\Windows\system32\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001304F2" /f
2⤵
PID:4976

C:\Windows\system32\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000014041E" /f
2⤵
PID:4708

C:\Windows\system32\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001703E6" /f
2⤵
PID:4132

C:\Windows\system32\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000170440" /f
2⤵
PID:1872

C:\Windows\system32\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001704FC" /f
2⤵
PID:3776

C:\Windows\system32\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU" /f
2⤵
PID:4444

C:\Windows\system32\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri" /f
2⤵
PID:1200

C:\Windows\system32\reg.exe
REG DELETE "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher" /f
2⤵
PID:3624

C:\Windows\system32\reg.exe
REG DELETE "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
2⤵
PID:4260

C:\Windows\system32\reg.exe
REG DELETE "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
2⤵
PID:2460

C:\Windows\system32\reg.exe
REG DELETE "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
2⤵
PID:1264

C:\Windows\system32\reg.exe
REG DELETE "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher" /f
2⤵
PID:4928

C:\Windows\system32\reg.exe
REG DELETE "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
2⤵
PID:5072

C:\Windows\system32\reg.exe
REG DELETE "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
2⤵
PID:4540

C:\Windows\system32\reg.exe
REG DELETE "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
2⤵
PID:5104

C:\Windows\system32\reg.exe
REG DELETE "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f
2⤵
PID:4160

C:\Windows\system32\ipconfig.exe
ipconfig /flushdns
2⤵
- Gathers network information
PID:2584

C:\Windows\system32\netsh.exe
netsh interface ip delete arpcache
2⤵
PID:4068

C:\Windows\system32\certutil.exe
certutil -URLCache * delete
2⤵
PID:2684

C:\Windows\system32\netsh.exe
netsh int ip reset
2⤵
PID:1120

C:\Windows\system32\netsh.exe
netsh int ipv4 reset
2⤵
PID:4156

C:\Windows\system32\netsh.exe
netsh int ipv6 reset
2⤵
PID:208

C:\Windows\system32\netsh.exe
netsh winsock reset
2⤵
PID:3312

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads