bdaejec | 610a269c6e9c350c583ae4e2e23423c4c820b9437edc87183cc539bd2a69a46b

Analysis

max time kernel
428s
max time network
1155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 09:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Universe Spoofer v0.2 by ( nam-ra ).exe
Size

109.3MB
MD5

016332fe0c67956166ce823b627f4b05
SHA1

156dbadef322b8b0c03df029853a5074dd893a3c
SHA256

610a269c6e9c350c583ae4e2e23423c4c820b9437edc87183cc539bd2a69a46b
SHA512

1dcbabc4608c35479840463b8d003f263a559863104765702b30f47423c69337361d8d7ec6413c5bb88e3394774ab1f396c341a9fdce30e05b697ae108eba66f
SSDEEP

3145728:5U8GmC1pMf3HsBEE4j3oMboedZ/q0WgS0KS:jH2gXKEhj3oMbPxL1

Score

10^/10

bdaejec aspackv2 backdoor discovery evasion execution persistence privilege_escalation

Malware Config

Extracted

Family

bdaejec

ddos.dnsnb8.net

Signatures

Bdaejec
Bdaejec is a backdoor written in C++.
backdoor bdaejec
Bdaejec family
bdaejec

Detects Bdaejec Backdoor. 6 IoCs

Bdaejec is backdoor written in C++.

Processes:

resource	yara_rule
behavioral1/memory/2456-149-0x00000000005F0000-0x00000000005F9000-memory.dmp	family_bdaejec_backdoor
behavioral1/memory/4768-172-0x0000000000CD0000-0x0000000000CD9000-memory.dmp	family_bdaejec_backdoor
behavioral1/memory/1084-220-0x0000000000150000-0x0000000000159000-memory.dmp	family_bdaejec_backdoor
behavioral1/memory/2648-248-0x00000000006F0000-0x00000000006F9000-memory.dmp	family_bdaejec_backdoor
behavioral1/memory/2992-286-0x0000000000180000-0x0000000000189000-memory.dmp	family_bdaejec_backdoor
behavioral1/memory/4768-287-0x0000000000CD0000-0x0000000000CD9000-memory.dmp	family_bdaejec_backdoor

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

kdmapper.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DufvIxyVcWZODurqQzymJl\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\DufvIxyVcWZODurqQzymJl"	kdmapper.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
behavioral1/files/0x0007000000023cb3-70.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Universe Spoofer v0.2 by ( nam-ra ).exeFullCleaner.exeEhgioN.exezHKUyP.exeHPSbqj.exeMObtpa.exevkUrmMpE.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Universe Spoofer v0.2 by ( nam-ra ).exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FullCleaner.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EhgioN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	zHKUyP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	HPSbqj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	MObtpa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	vkUrmMpE.exe

Executes dropped EXE 14 IoCs

Processes:

h9awhd97ah.exekdmapper.exekdmapper.exelog1.exeEhgioN.exelog2.exezHKUyP.exeRemove Logs.exeHPSbqj.exeFullCleaner.exevkUrmMpE.exeNamRaCleaner.exeMObtpa.exeNAMRA - 22653-20240731.exe

pid	Process
1628	h9awhd97ah.exe
1276	kdmapper.exe
4112	kdmapper.exe
3204	log1.exe
2456	EhgioN.exe
4876	log2.exe
1084	zHKUyP.exe
4360	Remove Logs.exe
2648	HPSbqj.exe
2708	FullCleaner.exe
2992	vkUrmMpE.exe
2760	NamRaCleaner.exe
4768	MObtpa.exe
1916	NAMRA - 22653-20240731.exe

Loads dropped DLL 11 IoCs

Processes:

NAMRA - 22653-20240731.exe

pid	Process
1916	NAMRA - 22653-20240731.exe
1916	NAMRA - 22653-20240731.exe
1916	NAMRA - 22653-20240731.exe
1916	NAMRA - 22653-20240731.exe
1916	NAMRA - 22653-20240731.exe
1916	NAMRA - 22653-20240731.exe
1916	NAMRA - 22653-20240731.exe
1916	NAMRA - 22653-20240731.exe
1916	NAMRA - 22653-20240731.exe
1916	NAMRA - 22653-20240731.exe
1916	NAMRA - 22653-20240731.exe

Drops file in System32 directory 3 IoCs

Processes:

cmd.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\LogFiles\WMI\LWTNET~1.ETL	cmd.exe
File opened for modification	C:\Windows\System32\LogFiles\WMI\MICROS~1.ETL	cmd.exe
File opened for modification	C:\Windows\System32\LogFiles\WMI\DIAGTR~1.005	cmd.exe

Drops file in Program Files directory 64 IoCs

Processes:

EhgioN.exeHPSbqj.exeMObtpa.exezHKUyP.exevkUrmMpE.exe

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoev.exe	EhgioN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	HPSbqj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe	MObtpa.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	MObtpa.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	EhgioN.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteshare.exe	zHKUyP.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe	HPSbqj.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	HPSbqj.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	vkUrmMpE.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	vkUrmMpE.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe	zHKUyP.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	EhgioN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	zHKUyP.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	HPSbqj.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	HPSbqj.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	HPSbqj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	HPSbqj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE	vkUrmMpE.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\StoreExperienceHost.exe	EhgioN.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	MObtpa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.Brokered.exe	vkUrmMpE.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	EhgioN.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	zHKUyP.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe	zHKUyP.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	HPSbqj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\WindowsCamera.exe	HPSbqj.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	vkUrmMpE.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	vkUrmMpE.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE	EhgioN.exe
File opened for modification	C:\Program Files (x86)\Universe\FullCleaner.exe	MObtpa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	vkUrmMpE.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\misc.exe	vkUrmMpE.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketch.exe	MObtpa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	HPSbqj.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	zHKUyP.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	zHKUyP.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\GetHelp.exe	MObtpa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe	MObtpa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	MObtpa.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	zHKUyP.exe
File opened for modification	C:\Program Files (x86)\Universe\kdmapper.exe	EhgioN.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe	zHKUyP.exe
File opened for modification	C:\Program Files (x86)\Universe\FullCleaner.exe	zHKUyP.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteshare.exe	HPSbqj.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	vkUrmMpE.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	MObtpa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	EhgioN.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	EhgioN.exe
File opened for modification	C:\Program Files (x86)\Universe\FullCleaner.exe	EhgioN.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	zHKUyP.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe	HPSbqj.exe
File opened for modification	C:\Program Files (x86)\Universe\kdmapper.exe	HPSbqj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBridge\SkypeBridge.exe	vkUrmMpE.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	EhgioN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	zHKUyP.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	zHKUyP.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	HPSbqj.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	HPSbqj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE	vkUrmMpE.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	MObtpa.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	EhgioN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	MObtpa.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	MObtpa.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	vkUrmMpE.exe

Drops file in Windows directory 64 IoCs

Processes:

cmd.exe

description	ioc	Process
File opened for modification	C:\Windows\INF\mdmcxpv6.inf	cmd.exe
File opened for modification	C:\Windows\INF\MSDTCB~1.0\0C0A\_TransactionBridgePerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\net7400-x64-n650.inf	cmd.exe
File opened for modification	C:\Windows\INF\cdrom.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmmoto1.inf	cmd.exe
File opened for modification	C:\Windows\INF\msdv.inf	cmd.exe
File opened for modification	C:\Windows\INF\ws3cap.inf	cmd.exe
File opened for modification	C:\Windows\INF\hidinterrupt.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdm5674a.inf	cmd.exe
File opened for modification	C:\Windows\INF\Windows Workflow Foundation 4.0.0.0\040C\PerfCounters_d.ini	cmd.exe
File opened for modification	C:\Windows\INF\mdmisdn.inf	cmd.exe
File opened for modification	C:\Windows\INF\percsas2i.inf	cmd.exe
File opened for modification	C:\Windows\INF\c_fsencryption.inf	cmd.exe
File opened for modification	C:\Windows\INF\LSM\0409\lagcounterdef.ini	cmd.exe
File opened for modification	C:\Windows\INF\mdmdsi.inf	cmd.exe
File opened for modification	C:\Windows\INF\smrvolume.inf	cmd.exe
File opened for modification	C:\Windows\INF\Windows Workflow Foundation 4.0.0.0\PerfCounters.h	cmd.exe
File opened for modification	C:\Windows\INF\fusionv2.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmagm64.inf	cmd.exe
File opened for modification	C:\Windows\INF\netl160a.inf	cmd.exe
File opened for modification	C:\Windows\INF\c_ports.inf	cmd.exe
File opened for modification	C:\Windows\INF\mshdc.inf	cmd.exe
File opened for modification	C:\Windows\INF\wvmic_timesync.inf	cmd.exe
File opened for modification	C:\Windows\Logs\WAASME~1\WAASME~2.ETL	cmd.exe
File opened for modification	C:\Windows\INF\mdmzyxlg.inf	cmd.exe
File opened for modification	C:\Windows\INF\prnms010.inf	cmd.exe
File opened for modification	C:\Windows\INF\netwsw00.inf	cmd.exe
File opened for modification	C:\Windows\INF\pnpxinternetgatewaydevices.inf	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~1.0\0410\_ServiceModelEndpointPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\c_volume.inf	cmd.exe
File opened for modification	C:\Windows\INF\netip6.inf	cmd.exe
File opened for modification	C:\Windows\INF\netnvma.inf	cmd.exe
File opened for modification	C:\Windows\INF\rdyboost\ReadyBoostPerfCounters.h	cmd.exe
File opened for modification	C:\Windows\INF\SmartSAMD.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmdf56f.inf	cmd.exe
File opened for modification	C:\Windows\INF\netrass.inf	cmd.exe
File opened for modification	C:\Windows\INF\rdlsbuscbs.inf	cmd.exe
File opened for modification	C:\Windows\INF\.NET Data Provider for Oracle\0C0A\_DataOracleClientPerfCounters_shared12_neutral_d.ini	cmd.exe
File opened for modification	C:\Windows\INF\netrtwlane01.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmcodex.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmeric2.inf	cmd.exe
File opened for modification	C:\Windows\INF\tsprint.inf	cmd.exe
File opened for modification	C:\Windows\INF\ESENT\0C0A\esentprf.ini	cmd.exe
File opened for modification	C:\Windows\INF\iai2c.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmzyxel.inf	cmd.exe
File opened for modification	C:\Windows\INF\sisraid2.inf	cmd.exe
File opened for modification	C:\Windows\INF\WINDOW~1.0\0410\PerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\audioendpoint.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmeric.inf	cmd.exe
File opened for modification	C:\Windows\INF\nvraid.inf	cmd.exe
File opened for modification	C:\Windows\INF\c_image.inf	cmd.exe
File opened for modification	C:\Windows\INF\eaphost.inf	cmd.exe
File opened for modification	C:\Windows\INF\ndiscap.inf	cmd.exe
File opened for modification	C:\Windows\INF\c_fscopyprotection.inf	cmd.exe
File opened for modification	C:\Windows\INF\display.inf	cmd.exe
File opened for modification	C:\Windows\INF\fdc.inf	cmd.exe
File opened for modification	C:\Windows\INF\netax88179_178a.inf	cmd.exe
File opened for modification	C:\Windows\INF\netmscli.inf	cmd.exe
File opened for modification	C:\Windows\INF\usbvideo.inf	cmd.exe
File opened for modification	C:\Windows\INF\mwlu97w8x64.inf	cmd.exe
File opened for modification	C:\Windows\INF\netvwwanmp.inf	cmd.exe
File opened for modification	C:\Windows\INF\rdyboost\0409\ReadyBoostPerfCounters.ini	cmd.exe
File opened for modification	C:\Windows\INF\rhproxy.inf	cmd.exe
File opened for modification	C:\Windows\INF\UGTHRSVC\0411\gthrctr.ini	cmd.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid	Process
232	sc.exe
1216	sc.exe
4544	sc.exe
2692	sc.exe
5104	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
4984	powershell.exe
3832	powershell.exe
3040	powershell.exe
5032	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 15 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

NamRaCleaner.exeNAMRA - 22653-20240731.execmd.exelog1.exeEhgioN.exeHPSbqj.exeFullCleaner.exevkUrmMpE.execmd.exelog2.exeRemove Logs.execmd.exeh9awhd97ah.exezHKUyP.exeMObtpa.execmd.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NamRaCleaner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NAMRA - 22653-20240731.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	log1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EhgioN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HPSbqj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FullCleaner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vkUrmMpE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	log2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Remove Logs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	h9awhd97ah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zHKUyP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MObtpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
2700	PING.EXE
4084	PING.EXE
4360	PING.EXE
4952	PING.EXE
4956	PING.EXE
2116	PING.EXE
3092	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

reg.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	reg.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	reg.exe

Delays execution with timeout.exe 13 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	Process
4904	timeout.exe
1088	timeout.exe
4956	timeout.exe
4128	timeout.exe
4392	timeout.exe
1428	timeout.exe
2608	timeout.exe
3480	timeout.exe
1512	timeout.exe
3868	timeout.exe
3684	timeout.exe
4356	timeout.exe
4316	timeout.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

Processes:

ipconfig.exe

pid	Process
2716	ipconfig.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
4952	PING.EXE
4956	PING.EXE
2116	PING.EXE
3092	PING.EXE
2700	PING.EXE
4084	PING.EXE
4360	PING.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
4984	powershell.exe
4984	powershell.exe
3832	powershell.exe
3832	powershell.exe
3832	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
5032	powershell.exe
5032	powershell.exe
5032	powershell.exe
5032	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

kdmapper.exe

pid	Process
1276	kdmapper.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exekdmapper.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeLoadDriverPrivilege	1276	kdmapper.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	5032	powershell.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

h9awhd97ah.exelog1.exeEhgioN.exelog2.exezHKUyP.exeRemove Logs.exeHPSbqj.exeFullCleaner.exevkUrmMpE.exeNamRaCleaner.exeMObtpa.exeNAMRA - 22653-20240731.exe

pid	Process
1628	h9awhd97ah.exe
3204	log1.exe
2456	EhgioN.exe
4876	log2.exe
1084	zHKUyP.exe
4360	Remove Logs.exe
2648	HPSbqj.exe
2708	FullCleaner.exe
2992	vkUrmMpE.exe
2760	NamRaCleaner.exe
4768	MObtpa.exe
1916	NAMRA - 22653-20240731.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Universe Spoofer v0.2 by ( nam-ra ).exeh9awhd97ah.execmd.execmd.exe

description	pid	Process	procid_target
PID 2632 wrote to memory of 1628	2632	Universe Spoofer v0.2 by ( nam-ra ).exe	82
PID 2632 wrote to memory of 1628	2632	Universe Spoofer v0.2 by ( nam-ra ).exe	82
PID 2632 wrote to memory of 1628	2632	Universe Spoofer v0.2 by ( nam-ra ).exe	82
PID 1628 wrote to memory of 4552	1628	h9awhd97ah.exe	85
PID 1628 wrote to memory of 4552	1628	h9awhd97ah.exe	85
PID 4552 wrote to memory of 2700	4552	cmd.exe	86
PID 4552 wrote to memory of 2700	4552	cmd.exe	86
PID 4552 wrote to memory of 232	4552	cmd.exe	88
PID 4552 wrote to memory of 232	4552	cmd.exe	88
PID 4552 wrote to memory of 1512	4552	cmd.exe	89
PID 4552 wrote to memory of 1512	4552	cmd.exe	89
PID 4552 wrote to memory of 4128	4552	cmd.exe	92
PID 4552 wrote to memory of 4128	4552	cmd.exe	92
PID 4552 wrote to memory of 4984	4552	cmd.exe	95
PID 4552 wrote to memory of 4984	4552	cmd.exe	95
PID 4552 wrote to memory of 3868	4552	cmd.exe	96
PID 4552 wrote to memory of 3868	4552	cmd.exe	96
PID 4552 wrote to memory of 4084	4552	cmd.exe	100
PID 4552 wrote to memory of 4084	4552	cmd.exe	100
PID 4552 wrote to memory of 1792	4552	cmd.exe	101
PID 4552 wrote to memory of 1792	4552	cmd.exe	101
PID 1792 wrote to memory of 1648	1792	cmd.exe	102
PID 1792 wrote to memory of 1648	1792	cmd.exe	102
PID 1792 wrote to memory of 4488	1792	cmd.exe	103
PID 1792 wrote to memory of 4488	1792	cmd.exe	103
PID 4552 wrote to memory of 4360	4552	cmd.exe	104
PID 4552 wrote to memory of 4360	4552	cmd.exe	104
PID 4552 wrote to memory of 3832	4552	cmd.exe	105
PID 4552 wrote to memory of 3832	4552	cmd.exe	105
PID 4552 wrote to memory of 1216	4552	cmd.exe	106
PID 4552 wrote to memory of 1216	4552	cmd.exe	106
PID 4552 wrote to memory of 4544	4552	cmd.exe	107
PID 4552 wrote to memory of 4544	4552	cmd.exe	107
PID 4552 wrote to memory of 404	4552	cmd.exe	108
PID 4552 wrote to memory of 404	4552	cmd.exe	108
PID 4552 wrote to memory of 312	4552	cmd.exe	109
PID 4552 wrote to memory of 312	4552	cmd.exe	109
PID 4552 wrote to memory of 4952	4552	cmd.exe	110
PID 4552 wrote to memory of 4952	4552	cmd.exe	110
PID 4552 wrote to memory of 3012	4552	cmd.exe	111
PID 4552 wrote to memory of 3012	4552	cmd.exe	111
PID 4552 wrote to memory of 1276	4552	cmd.exe	112
PID 4552 wrote to memory of 1276	4552	cmd.exe	112
PID 4552 wrote to memory of 4956	4552	cmd.exe	113
PID 4552 wrote to memory of 4956	4552	cmd.exe	113
PID 4552 wrote to memory of 4392	4552	cmd.exe	114
PID 4552 wrote to memory of 4392	4552	cmd.exe	114
PID 4552 wrote to memory of 3684	4552	cmd.exe	115
PID 4552 wrote to memory of 3684	4552	cmd.exe	115
PID 4552 wrote to memory of 1428	4552	cmd.exe	116
PID 4552 wrote to memory of 1428	4552	cmd.exe	116
PID 4552 wrote to memory of 2692	4552	cmd.exe	117
PID 4552 wrote to memory of 2692	4552	cmd.exe	117
PID 4552 wrote to memory of 2116	4552	cmd.exe	118
PID 4552 wrote to memory of 2116	4552	cmd.exe	118
PID 4552 wrote to memory of 5104	4552	cmd.exe	119
PID 4552 wrote to memory of 5104	4552	cmd.exe	119
PID 4552 wrote to memory of 3092	4552	cmd.exe	120
PID 4552 wrote to memory of 3092	4552	cmd.exe	120
PID 4552 wrote to memory of 2608	4552	cmd.exe	121
PID 4552 wrote to memory of 2608	4552	cmd.exe	121
PID 4552 wrote to memory of 4112	4552	cmd.exe	122
PID 4552 wrote to memory of 4112	4552	cmd.exe	122
PID 4552 wrote to memory of 3480	4552	cmd.exe	124

C:\Users\Admin\AppData\Local\Temp\Universe Spoofer v0.2 by ( nam-ra ).exe
"C:\Users\Admin\AppData\Local\Temp\Universe Spoofer v0.2 by ( nam-ra ).exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Program Files (x86)\Universe\h9awhd97ah.exe
  "C:\Program Files (x86)\Universe\h9awhd97ah.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9B94.tmp\9B95.tmp\9B96.bat "C:\Program Files (x86)\Universe\h9awhd97ah.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2700
  - - C:\Windows\system32\sc.exe
      sc query FairplayKD
      4⤵
      Launches sc.exe
      PID:232
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1512
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4128
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -File C:\Users\KaimX.ps1
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4984
  - - C:\Windows\system32\timeout.exe
      timeout /t 5 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3868
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4084
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Multi Theft Auto: San Andreas All\1.6\Settings\general" /v "serial" 2>nul | findstr "serial"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1792
    - - C:\Windows\system32\reg.exe
        
        reg query "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Multi Theft Auto: San Andreas All\1.6\Settings\general" /v "serial"
        5⤵
        
        PID:1648
    - - C:\Windows\system32\findstr.exe
        
        findstr "serial"
        5⤵
        
        PID:4488
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4360
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -File C:\Users\service.ps1
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3832
  - - C:\Windows\system32\sc.exe
      sc stop FairplayKD
      4⤵
      Launches sc.exe
      PID:1216
  - - C:\Windows\system32\sc.exe
      sc query FairplayKD
      4⤵
      Launches sc.exe
      PID:4544
  - - C:\Windows\system32\findstr.exe
      findstr /C:"STATE"
      4⤵
      PID:404
  - - C:\Windows\system32\findstr.exe
      findstr /C:"STOPPED"
      4⤵
      PID:312
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1 -n 1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4952
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductId /t REG_SZ /d 7411-41Z79-03200-S63255 /f
      4⤵
      PID:3012
  - - C:\Program Files (x86)\Universe\kdmapper.exe
      "C:\Program Files (x86)\Universe\kdmapper.exe" "C:\Program Files (x86)\Universe\spoofer.sys"
      4⤵
      Sets service image path in registry
      Executes dropped EXE
      Suspicious behavior: LoadsDriver
      Suspicious use of AdjustPrivilegeToken
      PID:1276
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1 -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4956
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4392
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3684
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1428
  - - C:\Windows\system32\sc.exe
      sc stop FairplayKD
      4⤵
      Launches sc.exe
      PID:2692
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2116
  - - C:\Windows\system32\sc.exe
      sc delete FairplayKD
      4⤵
      Launches sc.exe
      PID:5104
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3092
  - - C:\Windows\system32\timeout.exe
      timeout /t 5 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2608
  - - C:\Program Files (x86)\Universe\kdmapper.exe
      "kdmapper.exe"
      4⤵
      Executes dropped EXE
      PID:4112
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3480
  - - C:\Program Files (x86)\Universe\log1.exe
      "log1.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3204
    - - C:\Users\Admin\AppData\Local\Temp\EhgioN.exe
        
        C:\Users\Admin\AppData\Local\Temp\EhgioN.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2456
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1932168d.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4724
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A2C.tmp\A3D.tmp\A3E.bat "C:\Program Files (x86)\Universe\log1.exe""
        5⤵
        
        PID:1332
  - - C:\Windows\system32\timeout.exe
      timeout /t 5 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4356
  - - C:\Program Files (x86)\Universe\log2.exe
      "log2.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4876
    - - C:\Users\Admin\AppData\Local\Temp\zHKUyP.exe
        
        C:\Users\Admin\AppData\Local\Temp\zHKUyP.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1084
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\59404196.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1244
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1D18.tmp\1D19.tmp\1D1A.bat "C:\Program Files (x86)\Universe\log2.exe""
        5⤵
        
        PID:3980
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4904
  - - C:\Program Files (x86)\Universe\Remove Logs.exe
      "Remove Logs.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4360
    - - C:\Users\Admin\AppData\Local\Temp\HPSbqj.exe
        
        C:\Users\Admin\AppData\Local\Temp\HPSbqj.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2648
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6df6048d.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2040
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\29AB.tmp\29AC.tmp\29AD.bat "C:\Program Files (x86)\Universe\Remove Logs.exe""
        5⤵
        
        PID:1556
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Bypass -File script.ps1
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
      - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Multi Theft Auto: San Andreas All\1.6\Settings" /f
        6⤵
        
        PID:4240
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1088
  - - C:\Program Files (x86)\Universe\FullCleaner.exe
      "FullCleaner.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2708
    - - C:\Users\Admin\AppData\Local\Temp\vkUrmMpE.exe
        
        C:\Users\Admin\AppData\Local\Temp\vkUrmMpE.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2992
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\378f188f.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3240
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\34B7.tmp\34B8.tmp\34B9.bat "C:\Program Files (x86)\Universe\FullCleaner.exe""
        5⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:3468
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKCU\Software\Electronic Arts\EA Core\Staging\194908\ergc" /f
        6⤵
        
        PID:4264
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKCU\Software\Electronic Arts" /f
        6⤵
        
        PID:4240
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Respawn\Apex\Product GUID" /f
        6⤵
        
        PID:1956
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Classes\origin" /f
        6⤵
        
        PID:3628
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Classes\origin2" /f
        6⤵
        
        PID:4628
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKCR\origin" /f
        6⤵
        
        PID:932
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKCR\origin2" /f
        6⤵
        
        PID:1228
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKCR\Applications\Origin.exe" /f
        6⤵
        
        PID:4884
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Classes\Applications\Origin.exe" /f
        6⤵
        
        PID:1668
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.Origin" /f
        6⤵
        
        PID:4528
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SYSTEM\ControlSet001\Services\Origin Client Service" /f
        6⤵
        
        PID:4500
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SYSTEM\ControlSet001\Services\Origin Web Helper Service" /f
        6⤵
        
        PID:3688
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\Origin Client Service" /f
        6⤵
        
        PID:464
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\Origin Web Helper Service" /f
        6⤵
        
        PID:3092
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\Origin.exe" /f
        6⤵
        
        PID:3488
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKCR\Applications\Origin.exe" /f
        6⤵
        
        PID:2808
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Classes\Applications\Origin.exe" /f
        6⤵
        
        PID:2336
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.Origin" /f
        6⤵
        
        PID:4956
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93" /f
        6⤵
        
        PID:544
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181" /f
        6⤵
        
        PID:1572
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181\93" /f
        6⤵
        
        PID:384
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App" /f
        6⤵
        
        PID:2916
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App\93" /f
        6⤵
        
        PID:2300
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac" /f
        6⤵
        
        PID:2932
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad" /f
        6⤵
        
        PID:4756
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93" /f
        6⤵
        
        PID:3676
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93\ac" /f
        6⤵
        
        PID:1424
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93" /f
        6⤵
        
        PID:1344
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93\ad" /f
        6⤵
        
        PID:3644
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180" /f
        6⤵
        
        PID:1760
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181" /f
        6⤵
        
        PID:3612
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182" /f
        6⤵
        
        PID:3800
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\180" /f
        6⤵
        
        PID:3976
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f
        6⤵
        
        PID:2748
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f
        6⤵
        
        PID:2108
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f
        6⤵
        
        PID:2664
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f
        6⤵
        
        PID:4980
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f
        6⤵
        
        PID:3888
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f
        6⤵
        
        PID:4996
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f
        6⤵
        
        PID:5004
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f
        6⤵
        
        PID:3496
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f
        6⤵
        
        PID:3608
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f
        6⤵
        
        PID:4340
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f
        6⤵
        
        PID:648
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f
        6⤵
        
        PID:112
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f
        6⤵
        
        PID:3480
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f
        6⤵
        
        PID:4728
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f
        6⤵
        
        PID:2252
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f
        6⤵
        
        PID:1432
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f
        6⤵
        
        PID:4316
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f
        6⤵
        
        PID:4552
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
        6⤵
        
        PID:4844
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
        6⤵
        
        PID:1628
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security" /f
        6⤵
        
        PID:3220
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
        6⤵
        
        PID:2928
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security" /f
        6⤵
        
        PID:1616
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKCU\Software\Classes\Installer\Dependencies" /v MSICache /f
        6⤵
        
        PID:4904
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKCU\Software\Microsoft\Direct3D" /v WHQLClass /f
        6⤵
        
        PID:1744
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f
        6⤵
        Checks processor information in registry
        
        PID:1216
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93" /f
        6⤵
        
        PID:4700
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181" /f
        6⤵
        
        PID:4608
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181\93" /f
        6⤵
        
        PID:1204
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App" /f
        6⤵
        
        PID:3512
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App\93" /f
        6⤵
        
        PID:1408
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac" /f
        6⤵
        
        PID:4472
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad" /f
        6⤵
        
        PID:4228
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93" /f
        6⤵
        
        PID:3208
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93\ac" /f
        6⤵
        
        PID:4224
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93" /f
        6⤵
        
        PID:4344
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93\ad" /f
        6⤵
        
        PID:2020
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180" /f
        6⤵
        
        PID:4868
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181" /f
        6⤵
        
        PID:2128
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182" /f
        6⤵
        
        PID:2736
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\180" /f
        6⤵
        
        PID:1652
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\181" /f
        6⤵
        
        PID:3956
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\182" /f
        6⤵
        
        PID:4544
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80" /f
        6⤵
        
        PID:4092
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81" /f
        6⤵
        
        PID:4288
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f
        6⤵
        
        PID:3652
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f
        6⤵
        
        PID:1528
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f
        6⤵
        
        PID:3628
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f
        6⤵
        
        PID:4628
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f
        6⤵
        
        PID:932
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f
        6⤵
        
        PID:1228
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f
        6⤵
        
        PID:4884
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f
        6⤵
        
        PID:4072
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f
        6⤵
        
        PID:1088
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f
        6⤵
        
        PID:2844
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f
        6⤵
        
        PID:4416
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f
        6⤵
        
        PID:3688
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f
        6⤵
        
        PID:4460
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f
        6⤵
        
        PID:3960
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f
        6⤵
        
        PID:1308
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f
        6⤵
        
        PID:3448
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f
        6⤵
        
        PID:4392
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f
        6⤵
        
        PID:4368
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\kz2LMQg4+pNfXggv65DcWFQ9SiekWR4B4WMWT+pcqbU: 0x00000002" /f
        6⤵
        
        PID:2604
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\4JSyFFDDKUMXDyK2USgAjbiksFnqOb3f8RPZBPSpEfU: 0x00000002" /f
        6⤵
        
        PID:3756
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\62bDlCzxB/xxIWLkQdDRYcAqhmZhNOMUtjhRkAgTvkQ: 0x00000002" /f
        6⤵
        
        PID:1572
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Package: 0x00000181" /f
        6⤵
        
        PID:2656
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Index: 0x00000000" /f
        6⤵
        
        PID:4188
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Flags: 0x00000000" /f
        6⤵
        
        PID:4580
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\PackageRelativeApplicationId: "App"" /f
        6⤵
        
        PID:2384
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f
        6⤵
        
        PID:3676
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Executable: "GameBar.exe"" /f
        6⤵
        
        PID:1424
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Entrypoint: "GameBar.App"" /f
        6⤵
        
        PID:1344
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\StartPage: (NULL!)" /f
        6⤵
        
        PID:4356
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\_IndexKeys: 50 61 63 6B 61 67 65 5C 31 38 31 5C 39 33 00 50 61 63 6B 61 67 65 41 6E 64 50 61 63 6B 61 67 65 52 65 6C 61 74 69 76 65 41 70 70 6C 69 63 61 74 69 6F 6E 49 64 5C 31 38 31 5E 41 70 70 00 00" /f
        6⤵
        
        PID:4192
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\Application: 0x00000093" /f
        6⤵
        
        PID:4764
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\User: 0x00000003" /f
        6⤵
        
        PID:3040
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f
        6⤵
        
        PID:1524
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\_IndexKeys: 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 5C 33 5E 39 33 00 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 55 73 65 72 4D 6F 64 65 6C 49 64 5C 33 5E 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 21 41 70 70 00 00" /f
        6⤵
        
        PID:3148
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\Application: 0x00000093" /f
        6⤵
        
        PID:424
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\User: 0x00000004" /f
        6⤵
        
        PID:2664
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f
        6⤵
        
        PID:4980
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\_IndexKeys: 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 5C 34 5E 39 33 00 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 55 73 65 72 4D 6F 64 65 6C 49 64 5C 34 5E 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 21 41 70 70 00 00" /f
        6⤵
        
        PID:3888
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe"" /f
        6⤵
        
        PID:4996
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageFamily: 0x0000004E" /f
        6⤵
        
        PID:5004
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageType: 0x00000008" /f
        6⤵
        
        PID:5012
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\Flags: 0x00000000" /f
        6⤵
        
        PID:2040
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageOrigin: 0x00000003" /f
        6⤵
        
        PID:3268
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\Volume: 0x00000001" /f
        6⤵
        
        PID:648
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe"" /f
        6⤵
        
        PID:112
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\_IndexKeys: 50 61 63 6B 61 67 65 46 61 6D 69 6C 79 5C 34 65 5C 31 38 30 00 50 61 63 6B 61 67 65 46 75 6C 6C 4E 61 6D 65 5C 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 31 2E 34 31 2E 32 34 30 30 31 2E 30 5F 6E 65 75 74 72 61 6C 5F 7E 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 00 00" /f
        6⤵
        
        PID:3480
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe"" /f
        6⤵
        
        PID:4728
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageFamily: 0x0000004E" /f
        6⤵
        
        PID:2956
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageType: 0x00000001" /f
        6⤵
        
        PID:4800
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\Flags: 0x00000000" /f
        6⤵
        
        PID:4896
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageOrigin: 0x00000003" /f
        6⤵
        
        PID:1516
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\Volume: 0x00000001" /f
        6⤵
        
        PID:3472
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe"" /f
        6⤵
        
        PID:2896
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\_IndexKeys: 50 61 63 6B 61 67 65 46 61 6D 69 6C 79 5C 34 65 5C 31 38 31 00 50 61 63 6B 61 67 65 46 75 6C 6C 4E 61 6D 65 5C 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 31 2E 34 31 2E 32 34 30 30 31 2E 30 5F 78 36 34 5F 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 00 00" /f
        6⤵
        
        PID:460
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe"" /f
        6⤵
        
        PID:2548
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageFamily: 0x0000004E" /f
        6⤵
        
        PID:1672
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageType: 0x00000004" /f
        6⤵
        
        PID:4108
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\Flags: 0x00000000" /f
        6⤵
        
        PID:3708
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageOrigin: 0x00000003" /f
        6⤵
        
        PID:4760
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\Volume: 0x00000001" /f
        6⤵
        
        PID:4700
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe"" /f
        6⤵
        
        PID:4820
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\_IndexKeys: 50 61 63 6B 61 67 65 46 61 6D 69 6C 79 5C 34 65 5C 31 38 32 00 50 61 63 6B 61 67 65 46 75 6C 6C 4E 61 6D 65 5C 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 31 2E 34 31 2E 32 34 30 30 31 2E 30 5F 6E 65 75 74 72 61 6C 5F 73 70 6C 69 74 2E 73 63 61 6C 65 2D 31 30 30 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 00 00" /f
        6⤵
        
        PID:3464
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80\Package: 0x00000180" /f
        6⤵
        
        PID:3240
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80\User: 0x00000003" /f
        6⤵
        
        PID:2156
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80\_IndexKeys: 55 73 65 72 5C 33 5C 31 61 38 30 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 33 5E 31 38 30 00 00" /f
        6⤵
        
        PID:5064
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81\Package: 0x00000181" /f
        6⤵
        
        PID:4228
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81\User: 0x00000003" /f
        6⤵
        
        PID:3208
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81\_IndexKeys: 55 73 65 72 5C 33 5C 31 61 38 31 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 33 5E 31 38 31 00 00" /f
        6⤵
        
        PID:4224
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82\Package: 0x00000182" /f
        6⤵
        
        PID:4344
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82\User: 0x00000003" /f
        6⤵
        
        PID:4788
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82\_IndexKeys: 55 73 65 72 5C 33 5C 31 61 38 32 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 33 5E 31 38 32 00 00" /f
        6⤵
        
        PID:4816
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83\Package: 0x00000180" /f
        6⤵
        
        PID:4424
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83\User: 0x00000004" /f
        6⤵
        
        PID:2736
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83\_IndexKeys: 55 73 65 72 5C 34 5C 31 61 38 33 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 34 5E 31 38 30 00 00" /f
        6⤵
        
        PID:1652
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84\Package: 0x00000181" /f
        6⤵
        
        PID:3956
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84\User: 0x00000004" /f
        6⤵
        
        PID:4544
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84\_IndexKeys: 55 73 65 72 5C 34 5C 31 61 38 34 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 34 5E 31 38 31 00 00" /f
        6⤵
        
        PID:4092
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VolatileNotifications\41C64E6DA3D39855: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 02 00 1C 00 01 00 00 00 00 00 14 00 03 00 00 00 01 01 00 00 00 00 00 05 0B 00 00 00 04 00 00 00" /f
        6⤵
        
        PID:1556
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VolatileNotifications\41C64E6DA3CF4055: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 02 00 1C 00 01 00 00 00 00 00 14 00 03 00 00 00 01 01 00 00 00 00 00 05 0B 00 00 00 04 00 00 00" /f
        6⤵
        
        PID:4644
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
        6⤵
        
        PID:952
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862software: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f
        6⤵
        
        PID:4624
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_sid: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 2E 64 61 74 00 00" /f
        6⤵
        
        PID:2732
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_classes: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 43 6C 61 73 73 65 73 2E 64 61 74 00 00" /f
        6⤵
        
        PID:1228
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Siloe6b4a779-bfe1-62d8-47ac-fa19e9becbbecom: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 5F 43 4F 4D 31 35 2E 64 61 74 00 00" /f
        6⤵
        
        PID:1668
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862com: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f
        6⤵
        
        PID:4752
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SYSTEM\ControlSet001\Services\bam\State\UserType: 0x00000010" /f
        6⤵
        
        PID:4500
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
        6⤵
        
        PID:4416
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f
        6⤵
        
        PID:3688
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862software: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f
        6⤵
        
        PID:4460
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_sid: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 2E 64 61 74 00 00" /f
        6⤵
        
        PID:3960
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_classes: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 43 6C 61 73 73 65 73 2E 64 61 74 00 00" /f
        6⤵
        
        PID:1308
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Siloe6b4a779-bfe1-62d8-47ac-fa19e9becbbecom: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 5F 43 4F 4D 31 35 2E 64 61 74 00 00" /f
        6⤵
        
        PID:3448
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862com: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f
        6⤵
        
        PID:4392
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
        6⤵
        
        PID:3748
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80" /f
        6⤵
        
        PID:544
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81" /f
        6⤵
        
        PID:1808
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f
        6⤵
        
        PID:2656
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f
        6⤵
        
        PID:4188
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f
        6⤵
        
        PID:4128
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f
        6⤵
        
        PID:4756
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f
        6⤵
        
        PID:4576
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f
        6⤵
        
        PID:3968
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f
        6⤵
        
        PID:3148
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f
        6⤵
        
        PID:4972
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f
        6⤵
        
        PID:1192
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f
        6⤵
        
        PID:712
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f
        6⤵
        
        PID:3432
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f
        6⤵
        
        PID:3760
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f
        6⤵
        
        PID:1512
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f
        6⤵
        
        PID:4104
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f
        6⤵
        
        PID:3552
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f
        6⤵
        
        PID:3000
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f
        6⤵
        
        PID:4348
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f
        6⤵
        
        PID:1444
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Type: 0x00000010" /f
        6⤵
        
        PID:4592
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Start: 0x00000003" /f
        6⤵
        
        PID:3036
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f
        6⤵
        
        PID:2956
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f
        6⤵
        
        PID:4800
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f
        6⤵
        
        PID:4896
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\WOW64: 0x0000014C" /f
        6⤵
        
        PID:1516
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ObjectName: "LocalSystem"" /f
        6⤵
        
        PID:3472
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher" /f
        6⤵
        
        PID:2896
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
        6⤵
        
        PID:460
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
        6⤵
        
        PID:2548
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
        6⤵
        
        PID:1672
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher" /f
        6⤵
        
        PID:3012
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
        6⤵
        
        PID:4640
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
        6⤵
        
        PID:3404
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
        6⤵
        
        PID:3112
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\0" /f
        6⤵
        
        PID:4820
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000205B6" /f
        6⤵
        
        PID:3512
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000403D6" /f
        6⤵
        
        PID:1408
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000405DE" /f
        6⤵
        
        PID:4472
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000060286" /f
        6⤵
        
        PID:5064
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000009042E" /f
        6⤵
        
        PID:4228
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A03B4" /f
        6⤵
        
        PID:3208
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A0430" /f
        6⤵
        
        PID:4224
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000B0532" /f
        6⤵
        
        PID:4848
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000B05D6" /f
        6⤵
        
        PID:4868
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000C0430" /f
        6⤵
        
        PID:2128
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000C0586" /f
        6⤵
        
        PID:4424
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E03D2" /f
        6⤵
        
        PID:2736
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E0406" /f
        6⤵
        
        PID:1652
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000100430" /f
        6⤵
        
        PID:3956
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001103EE" /f
        6⤵
        
        PID:4544
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000011041E" /f
        6⤵
        
        PID:4240
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000012047E" /f
        6⤵
        
        PID:3652
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001303EE" /f
        6⤵
        
        PID:1528
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001304F2" /f
        6⤵
        
        PID:3628
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000014041E" /f
        6⤵
        
        PID:4360
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001703E6" /f
        6⤵
        
        PID:3988
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000170440" /f
        6⤵
        
        PID:908
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001704FC" /f
        6⤵
        
        PID:1044
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU" /f
        6⤵
        
        PID:1520
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri" /f
        6⤵
        
        PID:4540
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher" /f
        6⤵
        
        PID:4752
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
        6⤵
        
        PID:4796
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
        6⤵
        
        PID:1656
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
        6⤵
        
        PID:3928
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher" /f
        6⤵
        
        PID:2096
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
        6⤵
        
        PID:4808
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
        6⤵
        
        PID:5048
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
        6⤵
        
        PID:912
      - C:\Windows\system32\reg.exe
        
        REG DELETE "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f
        6⤵
        
        PID:4956
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        6⤵
        Gathers network information
        
        PID:2716
      - C:\Windows\system32\netsh.exe
        
        netsh interface ip delete arpcache
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:544
      - C:\Windows\system32\certutil.exe
        
        certutil -URLCache * delete
        6⤵
        
        PID:2848
      - C:\Windows\system32\netsh.exe
        
        netsh int ip reset
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1540
      - C:\Windows\system32\netsh.exe
        
        netsh int ipv4 reset
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3644
      - C:\Windows\system32\netsh.exe
        
        netsh int ipv6 reset
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:392
      - C:\Windows\system32\netsh.exe
        
        netsh winsock reset
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4996
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4956
  - - C:\Program Files (x86)\Universe\NamRaCleaner.exe
      "NamRaCleaner.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2760
    - - C:\Users\Admin\AppData\Local\Temp\MObtpa.exe
        
        C:\Users\Admin\AppData\Local\Temp\MObtpa.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4768
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0e735ba5.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3220
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\414A.tmp\414B.tmp\414C.bat "C:\Program Files (x86)\Universe\NamRaCleaner.exe""
        5⤵
        
        PID:4104
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Bypass -File KaimX.ps1
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5032
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4316
  - - C:\Program Files (x86)\Universe\NAMRA - 22653-20240731.exe
      "NAMRA - 22653-20240731.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Universe\FullCleaner.exe

Filesize
1.0MB

MD5
a56dbb52f6c978bd5654df884ba42d3b

SHA1
32da96257aab0185f64ef42c18aff0993a2781bb

SHA256
2543db4fd2d1012f6bf59c2e45509e73680f27537bb116225a40d2820f1f3828

SHA512
71cd9b3955597385a23550dcd649aecdf7440f678328643e7ccf86a294d8441074b95aecc22ad8a4871555fc5e390caba141f0a3759b09ce01378a0e2b70c2d2

Download Submit
C:\Program Files (x86)\Universe\NamRaCleaner.exe

Filesize
179KB

MD5
59335911cd7b9e5f6f1f16111d29f87e

SHA1
a7fc2aa3c6d1b5cc46515a3232d0c20167d6deab

SHA256
a2e94e994dffdc3ebe76ff560fbfc29f0d8f490461d0e3066390331c338faab2

SHA512
c6067e04fd672cc3fd80924ce199ccda66b890a0eafd068d88f6eef100d1f3893c5e4764c308f1ca7dd5e613361340440131f71f491c4c5cfad285db0437754d

Download Submit
C:\Program Files (x86)\Universe\Remove Logs.exe

Filesize
172KB

MD5
c0f7b72105ee0cd781b4981bc2ae8ae7

SHA1
e50b9366d5a1c20bf6e00efbb4870b03176a28f7

SHA256
92f25201e5ab74b6ad8c8ee591b94b19eda574328562fbf87ab3c20ad1e27f5d

SHA512
96728a0c56ab9907f9c5db54d42b529b5c4d1974b21ff86e59327694deeba4f52d400cad4cbf573051ba86c597ce2f3b722ce16ace925bc226d927fab6aab4be

Download Submit
C:\Program Files (x86)\Universe\h9awhd97ah.exe

Filesize
97KB

MD5
8181e3ea00bda6d5046c8276f976850f

SHA1
d730dd070cddbeaf20a7096407f0282048443dd5

SHA256
aa3ac0be8b0a352f54c23216477f828abed044b5f61547d172bc0391d6d2fd23

SHA512
481628f93d6ebf1c963a2b8219a58fd18d4e6251134dd4c304dfa9f78bfc7289635ae4a827941e10e701315b69021cd7a210bc1913e347064f1f06cc944bc7ff

Download Submit
C:\Program Files (x86)\Universe\kdmapper.exe

Filesize
134KB

MD5
e57dc10bfa91f373458ce1add7e58639

SHA1
a7c4a5d0557866ff6d5772254c54f8bb02f406e3

SHA256
b5dc038bacaafda1f25f514e19e68ebd6d524de09b398a22431137d913b9d379

SHA512
dfe45d2a70d337507d87c05786450999c1e9afd024647b958f2f76c4c5581695def9a9a2cdbf8bac1fe8f446a18933957b118be60a6bd878e7a990b42302103b

Download Submit
C:\Program Files (x86)\Universe\log1.exe

Filesize
107KB

MD5
a88a3556125cd1a697ff51bce466609a

SHA1
7608b452181f23fddcc5240503a2dd526c460e74

SHA256
d81a15a4e1113f0ce9e736fd879d4496ec086606430ee0f644fde64cf5fe21fb

SHA512
f14a57996ba76a021d97f486fbe84c191c07d07889f2105e7e8168e2d7a86b979792b756ebb2a43f3ebbad585fc4c4f241f10067221954a4169e3e0d0f700240

Download Submit
C:\Program Files (x86)\Universe\log2.exe

Filesize
107KB

MD5
aae0eb591159c9d170787d5cce0a1fb1

SHA1
6fc7683b2e12f928f98eed24e25221ff80969260

SHA256
f73f21133fa0678ba2bd6a539ea828ac5039c58032b7f5b5ee934475301e36ba

SHA512
897afe2902358a20236dd94d73597d257e6567430bcd2c5f792630821e5f1164da436eb8a2e30f7439e0dce81b9783d83215a4aa7ed49a2049c9f8d7c2fc0720

Download Submit
C:\Program Files (x86)\Universe\script.ps1

Filesize
409B

MD5
af5aefbf4681c1058c1e33b8bf09d316

SHA1
d6a797fcdbac3f9ababc4afe28f8dc1b6647db5e

SHA256
49a4c5b8c350d5b93d848c2cf9f3d108642ee15cf334897ee12d88008fe60692

SHA512
d29e5e760ef3fc586dbf34573784dae6169a74d9aeefe9455798bba477ed37ba084156931da6d3aca4e72bbb202c918bcdfa0d0dfc1488729fdecafd2bf76b34

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
31KB

MD5
7b5e0c3dc88d670762a339f9949bc91f

SHA1
00299182783d80e8bfc08867724b7bf4889f041b

SHA256
b4d592f483816e2720494bf2c5301b54346f81ebd36d920cd3d534476bdead93

SHA512
705ef891806a21d9a8f7e53a0566f390943c7b8bdeac03bfd06a016119a2720325e9859a9db78543600254df28420fba378a7432c3257169ac5a9e6972646e6a

Download Submit
C:\ProgramData\MTA San Andreas All\Common\Installer\nsis.log

Filesize
403B

MD5
8c132e66fa0128cffe77f097cb8631d7

SHA1
6842ddaf8a48af5b89570e6a611c8d6196a77e46

SHA256
efda2386ea8da6e6dca3c00c0ea4efc0a09dffa66f96aa0242cbb1dc55f8f30f

SHA512
9884242c6e19e53cfe4cda26e939c9e0f45681bb5ae18281f80bc9e0fa7663ab2c9e42342866da87624ed04b98ffbe7622ef4a35489832c98ec1b86389ce77ab

Download Submit
C:\ProgramData\MTA San Andreas All\Common\Installer\nsis.log

Filesize
3KB

MD5
67b76e29b219d1a701c7b6231e6cede5

SHA1
dfd7007b3ce9f35269442448a9b79ba3ff7a10f5

SHA256
51af58637036e493965f12e650758b863cd1e5e9db85bbda2cf06de58276f742

SHA512
8e578c3b977064f55ef1b9f316d2e1fa17feceb3de5b850805c22106a670931500feb8374a0aa358b2bf7a3ce6191f7af431f1aa9c4a69396b62924f25f38a6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
0af12004db5fe4272f4edb32014df51e

SHA1
d58f39958fb93f8b305ca7294bebb4978766dae6

SHA256
6e59b3f130a284b93d20a9ed46b3fa945f464dcc68f2f521df8eddbf5c8425bc

SHA512
a0ab53cd3cd7703584bc9d3ef2ede4ac60f536154434468cd861a1ed8d702cf6daea284641634a346b27b8a54411c7fedb762784ad596a7da296fb288553036c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FQRZN8O7\k2[1].rar

Filesize
4B

MD5
d3b07384d113edec49eaa6238ad5ff00

SHA1
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

SHA256
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

SHA512
0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
977535dfbd0998fb3e80ee3259db77ce

SHA1
813ac3cdd836fd7a92e4ba4aad49a358047aac33

SHA256
48479508a0075f6c9d2f66de05caef4c50e31496cc22cb672bcaab8ec1309b36

SHA512
ebe55188a88900dfdee143be92ff6c2e5b708554b6352dd11d20d47c79c06eccf05c9f1ff564d1859a17526953aef4216412843a4aa3a857d594e1e5c1c5e4e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1ef7783c8ec860f8926ff42275e08ae5

SHA1
4f6ead80a6a25181a9945c41b35b7f84266c343f

SHA256
146a64e4edb6b36b331f56657c430bd3c380a5ae9285e47f25730b91e01830bd

SHA512
20155c877bc6a809573b70c80e0670f9e56600a8f80a63f4fbe0d64beec2d56e39e9efe3832dc80427e7f66ee908dee51a09750c2564541c7cf149b4410f0270

Download Submit
C:\Users\Admin\AppData\Local\Temp\1D18.tmp\1D19.tmp\1D1A.bat

Filesize
1KB

MD5
e0f0f24047c4f2cf11b740ae7f32efd1

SHA1
271b1e88a1dc89c395854b5808a97f7b0b162f06

SHA256
5f7e01455bd8c7604f8e5b2cc069179015360505f08ffdb9a14c3abbcd478e5f

SHA512
55c1b69e7136b0e18da87fc29d5ac9974adfc019574cae14b906f46efc8dec02694f1d251c9d3d755918994ec9964aeed63f06ece317b066e6828abbb468b7ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\29AB.tmp\29AC.tmp\29AD.bat

Filesize
802B

MD5
b042ed3f4b4ecd3b6c1fa3fae134a292

SHA1
7229de7d77d8e7a1a304706d4cf3278defc85d6a

SHA256
8a94ca11bce4dd21f62211742df63975b501339186f9fba1808a5f30f40ecf18

SHA512
27a5b32394d0d895a9e23d0a92c089277615a51c197df866b08207dbef1b21b149825411f35e6a7a7340afe9f4f56a6f26bbab80118e366cccd9f75f3c2672eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\34B7.tmp\34B8.tmp\34B9.bat

Filesize
866KB

MD5
f895fdb2bc2b228f0f85cb7e0016341d

SHA1
11c205fb3259d53309fcf6b1413d4ca72ee4f27d

SHA256
20ddebb226c490e18ddcb215e16698c64965bc07e0108b975d944194b5ed58fe

SHA512
d00a3290bd54f53e13e691570e871f3999724aa353d68db70f3a8f86ede0053d21db46bd8ab6dcc4b6a6dab3173be35ef3c57765445eb7bc9e4d85281be9ece3

Download Submit
C:\Users\Admin\AppData\Local\Temp\414A.tmp\414B.tmp\414C.bat

Filesize
6KB

MD5
6ffc4014d4476951f51dc33d23ade91d

SHA1
b5e56feea88a9104a96e46e553bf1e2c2e11719f

SHA256
a8c551cc8b7308d0a21a0927a1ff23fb22972958ff02bd616be11d1710fc7985

SHA512
3026cf6d983113fd12f4256ba1c6939ff5ca32be5424f1254f2a07775ecd6ba238459ea4623a8a36725c63edd83226c3efbb5a9c73090293e3740d8bb70eead6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6F487FE3.exe

Filesize
4B

MD5
20879c987e2f9a916e578386d499f629

SHA1
c7b33ddcc42361fdb847036fc07e880b81935d5d

SHA256
9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

SHA512
bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9B94.tmp\9B95.tmp\9B96.bat

Filesize
4KB

MD5
8d8534dfb695f6087a33bf782accdc61

SHA1
9c3d9eae9fce45b0762291b0605d17b398520a47

SHA256
24bc54e9c524a73b03f3d540ddc815abfcf1da30f4123c1a0922e9697b5c7ecf

SHA512
123f68cf13e6247a03f110c0f8c209065c3c916735746c0cb6cd45bdc8253f34cdbf5860e7d89505d042a910edb49706e514dd5f74dfba254f9ce2453dafdac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\A2C.tmp\A3D.tmp\A3E.bat

Filesize
1KB

MD5
4fa3f51896539efc4e33072e36982ef2

SHA1
32f37a0c2eb87af2dc5e76d8c38d39475f6b4cc7

SHA256
faf2a2fa1e21ec5cb05a4ecf7cbd3e469bc79625b3601316fc3786f46c3845a3

SHA512
a3589076087fdd52d40b790912d8ed24d25c44311ac819c2deef1cd2eac8b7e243588021addf1fb60b1dea88dabe9d190ad3aa950b0c5c58f0a0362b395eb86e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EhgioN.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5airsrq2.dt2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp4FD3.tmp\AccessControl.dll

Filesize
15KB

MD5
d74bb4447af48da081c7d9b499f3a023

SHA1
dadf6e140e6fd8e49a1851cc144bb022e0adb185

SHA256
5fd5d8aec97cffaad9b7df6371b348d436cf1401e86fab614dc4cb8575428e52

SHA512
9a15de5c6b08914f5e5bbc1c318fb0e84da28a316cf51ccddca8dfb64cd67b7ad06acac307b41d5086a0740055d327007ff890807d6853bb2e767179a3b3d758

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp4FD3.tmp\InstallOptions.dll

Filesize
15KB

MD5
d1eefb07abc2577dfb92eb2e95a975e4

SHA1
0584c2b1807bc3bd10d4b60d2d23eeb0e6832ca2

SHA256
89dd7d646278d8bfc41d5446bdc348b9a9afaa832abf02c1396272bb7ac7262a

SHA512
eaffd9940b1df59e95e2adb79b3b6415fff5bf196ebea5fe625a6c52e552a00b44d985a36a8dd9eb33eba2425ffea4244ed07a75d87284ff51ec9f9a5e1ac65e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp4FD3.tmp\LangDLL.dll

Filesize
5KB

MD5
549ee11198143574f4d9953198a09fe8

SHA1
2e89ba5f30e1c1c4ce517f28ec1505294bb6c4c1

SHA256
131aa0df90c08dce2eecee46cce8759e9afff04bf15b7b0002c2a53ae5e92c36

SHA512
0fb4cea4fd320381fe50c52d1c198261f0347d6dcee857917169fcc3e2083ed4933beff708e81d816787195cca050f3f5f9c5ac9cc7f781831b028ef5714bec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp4FD3.tmp\System.dll

Filesize
12KB

MD5
192639861e3dc2dc5c08bb8f8c7260d5

SHA1
58d30e460609e22fa0098bc27d928b689ef9af78

SHA256
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

SHA512
6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp4FD3.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp4FD3.tmp\ioSpecial.ini

Filesize
1KB

MD5
d87480ede9aacb52a0b13c31dfd0ae02

SHA1
1624a81b176b366a096d34b51aede45dd86c0010

SHA256
994abf65b00197c4b25ae32045aa3d9066eb297d27889648b21591145c78ede0

SHA512
772de6a68ae9925aa402555cdc8cc4ceee1ab88dd101ca3e1c545f01991af49917c3c246f67016f0fac95bb4313960237183881c99793105162a2e789dfdfa57

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp4FD3.tmp\nsArray.dll

Filesize
12KB

MD5
da4bc09439ed21faf7620a53433aac92

SHA1
94e3347aebe16cb88b9f29f00134d9e0fb67e508

SHA256
216d68d3f0b37bb2203b3a438a84a089e8c388608f46377ad7e7d6a2709cf9b0

SHA512
920294456e8fee0c4137e4b4ba1389f09ade297d6ed49d78a9593d129dbb5eb048da2cbff7ac29687999991d5f38657cb31af73e2ccf6b8b9ce29480d4d81ec6

Download Submit
C:\Users\KaimX.ps1

Filesize
345B

MD5
2daa2c074155aeaf862a837a7650afb9

SHA1
554ee8759c9bdd23d54237185ed7d2c6c382226b

SHA256
cce4ddc6d6e501affed7597201deadae4718e8e2fb5f15ac9299dd9d00dc7161

SHA512
a6328c6c507f567144270d9aa7a6df1efb867a805afc2fc1b01c4e532c4f1d6247f2736397f695714e7884eea53fbd64440d282180a3bf814dc63ba6100e4656

Download Submit
C:\Users\service.ps1

Filesize
428B

MD5
e4ee2b1cce8063e9d1fb6e4f6e200640

SHA1
d2a288187ca8c2c1b7a668754e5499e9be6a5028

SHA256
e5b1daf93da58b1047a6d884d6eb39f544cbdeb0e4f2d6f1f06cf4ba3266bcc6

SHA512
941d665344a5c30c9154b27e241033b5d9adf7426287ad1c6b6c334d6aee5449d6d66b00b834bc65b5557f0c06f590c26c98a9beb37840b8d9760d60bb13f7af

Download Submit
memory/1084-99-0x0000000000150000-0x0000000000159000-memory.dmp

Filesize
36KB

Download
memory/1084-220-0x0000000000150000-0x0000000000159000-memory.dmp

Filesize
36KB

Download
memory/2456-149-0x00000000005F0000-0x00000000005F9000-memory.dmp

Filesize
36KB

Download
memory/2456-71-0x00000000005F0000-0x00000000005F9000-memory.dmp

Filesize
36KB

Download
memory/2648-116-0x00000000006F0000-0x00000000006F9000-memory.dmp

Filesize
36KB

Download
memory/2648-248-0x00000000006F0000-0x00000000006F9000-memory.dmp

Filesize
36KB

Download
memory/2708-151-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download
memory/2708-252-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download
memory/2760-221-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2760-167-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2992-156-0x0000000000180000-0x0000000000189000-memory.dmp

Filesize
36KB

Download
memory/2992-286-0x0000000000180000-0x0000000000189000-memory.dmp

Filesize
36KB

Download
memory/3204-66-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3204-111-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4360-148-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4360-112-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4768-172-0x0000000000CD0000-0x0000000000CD9000-memory.dmp

Filesize
36KB

Download
memory/4768-287-0x0000000000CD0000-0x0000000000CD9000-memory.dmp

Filesize
36KB

Download
memory/4876-165-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4876-95-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4984-37-0x00000234E2A90000-0x00000234E2AB2000-memory.dmp

Filesize
136KB

Download