Analysis Overview
SHA256
22f86114e96d76269950437cdfc739f306212e056f3074a7eadca2249a453554
Threat Level: Known bad
The file Release.7z was found to be: Known bad.
Malicious Activity Summary
Cerber
Cerber family
Sets service image path in registry
Executes dropped EXE
Checks computer location settings
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: LoadsDriver
Enumerates system info in registry
Gathers network information
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-23 11:30
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-23 11:30
Reported
2024-11-23 11:32
Platform
win10ltsc2021-20241023-en
Max time kernel
24s
Max time network
61s
Signatures
Cerber
Cerber family
Sets service image path in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\IiOInlosxWlLujGQDwL\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\IiOInlosxWlLujGQDwL" | C:\Windows\itncw2gf.ljb\kdmapper.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\loader2.exe | N/A |
Executes dropped EXE
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\itncw2gf.ljb | C:\Users\Admin\AppData\Local\Temp\loader2.exe | N/A |
| File created | C:\Windows\itncw2gf.ljb\mac.bat | C:\Users\Admin\AppData\Local\Temp\loader2.exe | N/A |
| File created | C:\Windows\itncw2gf.ljb\AMIFLDRV64.SYS | C:\Users\Admin\AppData\Local\Temp\loader2.exe | N/A |
| File created | C:\Windows\itncw2gf.ljb\dvlwwwdrv64.sys | C:\Users\Admin\AppData\Local\Temp\loader2.exe | N/A |
| File created | C:\Windows\itncw2gf.ljb\randomisershit.sys | C:\Users\Admin\AppData\Local\Temp\loader2.exe | N/A |
| File created | C:\Windows\itncw2gf.ljb\cleaner.bat | C:\Users\Admin\AppData\Local\Temp\loader2.exe | N/A |
| File created | C:\Windows\itncw2gf.ljb\zhjers.exe | C:\Users\Admin\AppData\Local\Temp\loader2.exe | N/A |
| File created | C:\Windows\itncw2gf.ljb\kdmapper.exe | C:\Users\Admin\AppData\Local\Temp\loader2.exe | N/A |
| File created | C:\Windows\itncw2gf.ljb\Volumeid.exe | C:\Users\Admin\AppData\Local\Temp\loader2.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\loader2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\loader2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\loader2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\loader2.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\itncw2gf.ljb\kdmapper.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\loader2.exe
"C:\Users\Admin\AppData\Local\Temp\loader2.exe"
C:\Windows\itncw2gf.ljb\kdmapper.exe
"C:\Windows\itncw2gf.ljb\kdmapper.exe" C:\Windows\itncw2gf.ljb\randomisershit.sys
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /SU auto
C:\Windows\itncw2gf.ljb\zhjers.exe
C:\Windows\itncw2gf.ljb\zhjers.exe /SU auto
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /SS "To Be Filled By O.E.M."
C:\Windows\itncw2gf.ljb\zhjers.exe
C:\Windows\itncw2gf.ljb\zhjers.exe /SS "To Be Filled By O.E.M."
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /SV "1.0"
C:\Windows\itncw2gf.ljb\zhjers.exe
C:\Windows\itncw2gf.ljb\zhjers.exe /SV "1.0"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /CSK "To Be Filled By O.E.M."
C:\Windows\itncw2gf.ljb\zhjers.exe
C:\Windows\itncw2gf.ljb\zhjers.exe /CSK "To Be Filled By O.E.M."
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /CM "To Be Filled By O.E.M."
C:\Windows\itncw2gf.ljb\zhjers.exe
C:\Windows\itncw2gf.ljb\zhjers.exe /CM "To Be Filled By O.E.M."
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /SP "MS-7D22"
C:\Windows\itncw2gf.ljb\zhjers.exe
C:\Windows\itncw2gf.ljb\zhjers.exe /SP "MS-7D22"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /SM "Micro-Star International Co., Ltd."
C:\Windows\itncw2gf.ljb\zhjers.exe
C:\Windows\itncw2gf.ljb\zhjers.exe /SM "Micro-Star International Co., Ltd."
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /SK "To Be Filled By O.E.M."
C:\Windows\itncw2gf.ljb\zhjers.exe
C:\Windows\itncw2gf.ljb\zhjers.exe /SK "To Be Filled By O.E.M."
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /SF "To Be Filled By O.E.M."
C:\Windows\itncw2gf.ljb\zhjers.exe
C:\Windows\itncw2gf.ljb\zhjers.exe /SF "To Be Filled By O.E.M."
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /BM "Micro-Star International Co., Ltd."
C:\Windows\itncw2gf.ljb\zhjers.exe
C:\Windows\itncw2gf.ljb\zhjers.exe /BM "Micro-Star International Co., Ltd."
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /BP "H510M-A PRO (MS-7D22)"
C:\Windows\itncw2gf.ljb\zhjers.exe
C:\Windows\itncw2gf.ljb\zhjers.exe /BP "H510M-A PRO (MS-7D22)"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /BV "1.0"
C:\Windows\itncw2gf.ljb\zhjers.exe
C:\Windows\itncw2gf.ljb\zhjers.exe /BV "1.0"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /BT "To Be Filled By O.E.M."
C:\Windows\itncw2gf.ljb\zhjers.exe
C:\Windows\itncw2gf.ljb\zhjers.exe /BT "To Be Filled By O.E.M."
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /BLC "To Be Filled By O.E.M."
C:\Windows\itncw2gf.ljb\zhjers.exe
C:\Windows\itncw2gf.ljb\zhjers.exe /BLC "To Be Filled By O.E.M."
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /PSN "To Be Filled By O.E.M."
C:\Windows\itncw2gf.ljb\zhjers.exe
C:\Windows\itncw2gf.ljb\zhjers.exe /PSN "To Be Filled By O.E.M."
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /PAT "To Be Filled By O.E.M."
C:\Windows\itncw2gf.ljb\zhjers.exe
C:\Windows\itncw2gf.ljb\zhjers.exe /PAT "To Be Filled By O.E.M."
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /PPN "To Be Filled By O.E.M."
C:\Windows\itncw2gf.ljb\zhjers.exe
C:\Windows\itncw2gf.ljb\zhjers.exe /PPN "To Be Filled By O.E.M."
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /CSK "To Be Filled By O.E.M."
C:\Windows\itncw2gf.ljb\zhjers.exe
C:\Windows\itncw2gf.ljb\zhjers.exe /CSK "To Be Filled By O.E.M."
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /CS "To Be Filled By O.E.M."
C:\Windows\itncw2gf.ljb\zhjers.exe
C:\Windows\itncw2gf.ljb\zhjers.exe /CS "To Be Filled By O.E.M."
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /CV "1.0"
C:\Windows\itncw2gf.ljb\zhjers.exe
C:\Windows\itncw2gf.ljb\zhjers.exe /CV "1.0"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /CM "Micro-Star International Co., Ltd."
C:\Windows\itncw2gf.ljb\zhjers.exe
C:\Windows\itncw2gf.ljb\zhjers.exe /CM "Micro-Star International Co., Ltd."
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /CA "To Be Filled By O.E.M."
C:\Windows\itncw2gf.ljb\zhjers.exe
C:\Windows\itncw2gf.ljb\zhjers.exe /CA "To Be Filled By O.E.M."
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /CO "0000 0000h"
C:\Windows\itncw2gf.ljb\zhjers.exe
C:\Windows\itncw2gf.ljb\zhjers.exe /CO "0000 0000h"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /CT "03h"
C:\Windows\itncw2gf.ljb\zhjers.exe
C:\Windows\itncw2gf.ljb\zhjers.exe /CT "03h"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /IV "3.80"
C:\Windows\itncw2gf.ljb\zhjers.exe
C:\Windows\itncw2gf.ljb\zhjers.exe /IV "3.80"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /IVN "American Megatrends International, LLC."
C:\Windows\itncw2gf.ljb\zhjers.exe
C:\Windows\itncw2gf.ljb\zhjers.exe /IVN "American Megatrends International, LLC."
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /BS "%random%%random%%random%%random%%random%"
C:\Windows\itncw2gf.ljb\zhjers.exe
C:\Windows\itncw2gf.ljb\zhjers.exe /BS "305512521913736241417643"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\itncw2gf.ljb\cleaner.bat" "
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "Steam.exe" /t /fi "status eq running"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe /t /fi status eq running
C:\Windows\SysWOW64\reg.exe
REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing\HardwareID /f
C:\Windows\SysWOW64\reg.exe
REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing\Store /f
C:\Windows\SysWOW64\reg.exe
REG DELETE HKEY_CURRENT_USER\Software\WinRAR\ArcHistory /f
C:\Windows\SysWOW64\reg.exe
REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-1282084573-1681065996-3115981261-1001 /va /f
C:\Windows\SysWOW64\reg.exe
REG DELETEH KEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\ShowJumpView /f
C:\Windows\SysWOW64\reg.exe
REG DELETEH KEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f
C:\Windows\SysWOW64\reg.exe
REG DELETE HKEY_CURRENT_USER\Software\WinRAR\ArcHistory /f
C:\Windows\SysWOW64\reg.exe
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched /f
C:\Windows\SysWOW64\reg.exe
REG DELETE HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f
C:\Windows\SysWOW64\reg.exe
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\ShowJumpView /f
C:\Windows\SysWOW64\reg.exe
REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-332004695-2829936588-140372829-1002 /f
C:\Windows\SysWOW64\reg.exe
REG DELETE HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f
C:\Windows\SysWOW64\reg.exe
REG DELETE HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f
C:\Windows\SysWOW64\reg.exe
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store /f
C:\Windows\SysWOW64\reg.exe
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched /f
C:\Windows\SysWOW64\reg.exe
REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-1282084573-1681065996-3115981261-1001 /f
C:\Windows\SysWOW64\reg.exe
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCU\Software\Electronic Arts\EA Core\Staging\194908\ergc" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCU\Software\Electronic Arts" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Respawn\Apex\Product GUID" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Classes\origin" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Classes\origin2" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCR\origin" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCR\origin2" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCR\Applications\Origin.exe" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Classes\Applications\Origin.exe" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.Origin" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\Origin Client Service" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\Origin Web Helper Service" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\Origin Client Service" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\Origin Web Helper Service" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\Origin.exe" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCR\Applications\Origin.exe" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Classes\Applications\Origin.exe" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.Origin" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181\93" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App\93" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93\ac" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93\ad" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\180" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCU\Software\Classes\Installer\Dependencies" /v MSICache /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCU\Software\Microsoft\Direct3D" /v WHQLClass /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181\93" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App\93" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93\ac" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93\ad" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\180" /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\itncw2gf.ljb\mac.bat" "
C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\System32\ipconfig.exe" /flushdns
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\181" /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic nic where physicaladapter=true get deviceid
C:\Windows\SysWOW64\findstr.exe
findstr [0-9]
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" int ip reset
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\182" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f
C:\Windows\SysWOW64\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
C:\Windows\SysWOW64\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
C:\Windows\SysWOW64\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d E62605B9072C /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic nic where physicaladapter=true get deviceid
C:\Windows\SysWOW64\findstr.exe
findstr [0-9]
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f
C:\Windows\SysWOW64\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
C:\Windows\SysWOW64\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f
C:\Windows\SysWOW64\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f
C:\Windows\SysWOW64\netsh.exe
netsh interface set interface name="Ethernet" disable
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\kz2LMQg4+pNfXggv65DcWFQ9SiekWR4B4WMWT+pcqbU: 0x00000002" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\4JSyFFDDKUMXDyK2USgAjbiksFnqOb3f8RPZBPSpEfU: 0x00000002" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\62bDlCzxB/xxIWLkQdDRYcAqhmZhNOMUtjhRkAgTvkQ: 0x00000002" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Package: 0x00000181" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Index: 0x00000000" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Flags: 0x00000000" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\PackageRelativeApplicationId: "App"" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Executable: "GameBar.exe"" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Entrypoint: "GameBar.App"" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\StartPage: (NULL!)" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\_IndexKeys: 50 61 63 6B 61 67 65 5C 31 38 31 5C 39 33 00 50 61 63 6B 61 67 65 41 6E 64 50 61 63 6B 61 67 65 52 65 6C 61 74 69 76 65 41 70 70 6C 69 63 61 74 69 6F 6E 49 64 5C 31 38 31 5E 41 70 70 00 00" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\Application: 0x00000093" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\User: 0x00000003" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\_IndexKeys: 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 5C 33 5E 39 33 00 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 55 73 65 72 4D 6F 64 65 6C 49 64 5C 33 5E 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 21 41 70 70 00 00" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\Application: 0x00000093" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\User: 0x00000004" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\_IndexKeys: 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 5C 34 5E 39 33 00 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 55 73 65 72 4D 6F 64 65 6C 49 64 5C 34 5E 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 21 41 70 70 00 00" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe"" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageFamily: 0x0000004E" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageType: 0x00000008" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\Flags: 0x00000000" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageOrigin: 0x00000003" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\Volume: 0x00000001" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe"" /f
Network
Files
C:\Windows\itncw2gf.ljb\kdmapper.exe
C:\Windows\itncw2gf.ljb\zhjers.exe
C:\Windows\itncw2gf.ljb\amifldrv64.sys
C:\Windows\itncw2gf.ljb\cleaner.bat
C:\Windows\itncw2gf.ljb\mac.bat