cerber | 7530c600f4383c5e3da3633c55acbeff7165284c66d63f76b2fa23f63be98c7c

Analysis

max time kernel
25s
max time network
43s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
23-11-2024 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loader3.exe
Size

5.1MB
MD5

c0eaf986045e7421f9325bd3b0fdf6b3
SHA1

64e2b75bb9a8a8539ba3429dda7a6c6e9f7afa03
SHA256

364e54c5fc2da5c8836848d986911c4ceae73c5ed6b0aad325cae8372899f599
SHA512

b76ceabe07cb4c09bbeff0cb87356b9a68ccce7ddc344ae760ced63558db778ac42427c202f98a301d7a27e44eb769afaf6490fab53605c3a145673079bf5b9e
SSDEEP

98304:uGCd7m+ij9HD0+jCihNRkl/W6aG/wcKnfu8NUT6KlRPJ:Rx+y4ihkl/Wo/afHPgRB

Score

10^/10

cerber discovery persistence ransomware

Malware Config

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Cerber family
cerber

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\zKyMpOqtpXqlGqcfrCHwaXpG\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\zKyMpOqtpXqlGqcfrCHwaXpG"	kdmapper.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	loader3.exe

Executes dropped EXE 28 IoCs

pid	Process
4832	kdmapper.exe
4552	zhjers.exe
2460	zhjers.exe
2104	zhjers.exe
2680	zhjers.exe
1260	zhjers.exe
4328	zhjers.exe
2656	zhjers.exe
1096	zhjers.exe
2568	zhjers.exe
480	zhjers.exe
4316	zhjers.exe
3504	zhjers.exe
4920	zhjers.exe
4972	zhjers.exe
4796	zhjers.exe
1620	zhjers.exe
3528	zhjers.exe
3176	zhjers.exe
4376	zhjers.exe
2264	zhjers.exe
4364	zhjers.exe
2616	zhjers.exe
1488	zhjers.exe
4128	zhjers.exe
3616	zhjers.exe
3720	zhjers.exe
4120	zhjers.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\ory0lobn.jcw\randomisershit.sys	loader3.exe
File created	C:\Windows\ory0lobn.jcw\Volumeid.exe	loader3.exe
File created	C:\Windows\ory0lobn.jcw\zhjers.exe	loader3.exe
File created	C:\Windows\ory0lobn.jcw\AMIFLDRV64.SYS	loader3.exe
File created	C:\Windows\ory0lobn.jcw\dvlwwwdrv64.sys	loader3.exe
File created	C:\Windows\ory0lobn.jcw\kdmapper.exe	loader3.exe
File opened for modification	C:\Windows\ory0lobn.jcw	loader3.exe
File created	C:\Windows\ory0lobn.jcw\mac.bat	loader3.exe
File created	C:\Windows\ory0lobn.jcw\cleaner.bat	loader3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 61 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	loader3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	loader3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	loader3.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2072	ipconfig.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
984	taskkill.exe
1672	taskkill.exe

Suspicious behavior: LoadsDriver 28 IoCs

pid	Process
4832	kdmapper.exe
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	756	loader3.exe
Token: 33	756	loader3.exe
Token: SeIncBasePriorityPrivilege	756	loader3.exe
Token: 33	756	loader3.exe
Token: SeIncBasePriorityPrivilege	756	loader3.exe
Token: 33	756	loader3.exe
Token: SeIncBasePriorityPrivilege	756	loader3.exe
Token: 33	756	loader3.exe
Token: SeIncBasePriorityPrivilege	756	loader3.exe
Token: 33	756	loader3.exe
Token: SeIncBasePriorityPrivilege	756	loader3.exe
Token: 33	756	loader3.exe
Token: SeIncBasePriorityPrivilege	756	loader3.exe
Token: 33	756	loader3.exe
Token: SeIncBasePriorityPrivilege	756	loader3.exe
Token: 33	756	loader3.exe
Token: SeIncBasePriorityPrivilege	756	loader3.exe
Token: 33	756	loader3.exe
Token: SeIncBasePriorityPrivilege	756	loader3.exe
Token: 33	756	loader3.exe
Token: SeIncBasePriorityPrivilege	756	loader3.exe
Token: 33	756	loader3.exe
Token: SeIncBasePriorityPrivilege	756	loader3.exe
Token: 33	756	loader3.exe
Token: SeIncBasePriorityPrivilege	756	loader3.exe
Token: 33	756	loader3.exe
Token: SeIncBasePriorityPrivilege	756	loader3.exe
Token: 33	756	loader3.exe
Token: SeIncBasePriorityPrivilege	756	loader3.exe
Token: 33	756	loader3.exe
Token: SeIncBasePriorityPrivilege	756	loader3.exe
Token: 33	756	loader3.exe
Token: SeIncBasePriorityPrivilege	756	loader3.exe
Token: 33	756	loader3.exe
Token: SeIncBasePriorityPrivilege	756	loader3.exe
Token: 33	756	loader3.exe
Token: SeIncBasePriorityPrivilege	756	loader3.exe
Token: 33	756	loader3.exe
Token: SeIncBasePriorityPrivilege	756	loader3.exe
Token: 33	756	loader3.exe
Token: SeIncBasePriorityPrivilege	756	loader3.exe
Token: 33	756	loader3.exe
Token: SeIncBasePriorityPrivilege	756	loader3.exe
Token: 33	756	loader3.exe
Token: SeIncBasePriorityPrivilege	756	loader3.exe
Token: 33	756	loader3.exe
Token: SeIncBasePriorityPrivilege	756	loader3.exe
Token: 33	756	loader3.exe
Token: SeIncBasePriorityPrivilege	756	loader3.exe
Token: 33	756	loader3.exe
Token: SeIncBasePriorityPrivilege	756	loader3.exe
Token: 33	756	loader3.exe
Token: SeIncBasePriorityPrivilege	756	loader3.exe
Token: 33	756	loader3.exe
Token: SeIncBasePriorityPrivilege	756	loader3.exe
Token: 33	756	loader3.exe
Token: SeIncBasePriorityPrivilege	756	loader3.exe
Token: 33	756	loader3.exe
Token: SeIncBasePriorityPrivilege	756	loader3.exe
Token: 33	756	loader3.exe
Token: SeIncBasePriorityPrivilege	756	loader3.exe
Token: 33	756	loader3.exe
Token: SeIncBasePriorityPrivilege	756	loader3.exe
Token: 33	756	loader3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 4832	756	loader3.exe	89
PID 756 wrote to memory of 4832	756	loader3.exe	89
PID 756 wrote to memory of 3448	756	loader3.exe	91
PID 756 wrote to memory of 3448	756	loader3.exe	91
PID 756 wrote to memory of 3448	756	loader3.exe	91
PID 3448 wrote to memory of 4552	3448	cmd.exe	93
PID 3448 wrote to memory of 4552	3448	cmd.exe	93
PID 756 wrote to memory of 1876	756	loader3.exe	94
PID 756 wrote to memory of 1876	756	loader3.exe	94
PID 756 wrote to memory of 1876	756	loader3.exe	94
PID 1876 wrote to memory of 2460	1876	cmd.exe	96
PID 1876 wrote to memory of 2460	1876	cmd.exe	96
PID 756 wrote to memory of 1476	756	loader3.exe	97
PID 756 wrote to memory of 1476	756	loader3.exe	97
PID 756 wrote to memory of 1476	756	loader3.exe	97
PID 1476 wrote to memory of 2104	1476	cmd.exe	99
PID 1476 wrote to memory of 2104	1476	cmd.exe	99
PID 756 wrote to memory of 1512	756	loader3.exe	100
PID 756 wrote to memory of 1512	756	loader3.exe	100
PID 756 wrote to memory of 1512	756	loader3.exe	100
PID 1512 wrote to memory of 2680	1512	cmd.exe	102
PID 1512 wrote to memory of 2680	1512	cmd.exe	102
PID 756 wrote to memory of 2440	756	loader3.exe	103
PID 756 wrote to memory of 2440	756	loader3.exe	103
PID 756 wrote to memory of 2440	756	loader3.exe	103
PID 2440 wrote to memory of 1260	2440	cmd.exe	105
PID 2440 wrote to memory of 1260	2440	cmd.exe	105
PID 756 wrote to memory of 788	756	loader3.exe	106
PID 756 wrote to memory of 788	756	loader3.exe	106
PID 756 wrote to memory of 788	756	loader3.exe	106
PID 788 wrote to memory of 4328	788	cmd.exe	108
PID 788 wrote to memory of 4328	788	cmd.exe	108
PID 756 wrote to memory of 1528	756	loader3.exe	109
PID 756 wrote to memory of 1528	756	loader3.exe	109
PID 756 wrote to memory of 1528	756	loader3.exe	109
PID 1528 wrote to memory of 2656	1528	cmd.exe	111
PID 1528 wrote to memory of 2656	1528	cmd.exe	111
PID 756 wrote to memory of 2256	756	loader3.exe	112
PID 756 wrote to memory of 2256	756	loader3.exe	112
PID 756 wrote to memory of 2256	756	loader3.exe	112
PID 2256 wrote to memory of 1096	2256	cmd.exe	114
PID 2256 wrote to memory of 1096	2256	cmd.exe	114
PID 756 wrote to memory of 5044	756	loader3.exe	115
PID 756 wrote to memory of 5044	756	loader3.exe	115
PID 756 wrote to memory of 5044	756	loader3.exe	115
PID 5044 wrote to memory of 2568	5044	cmd.exe	117
PID 5044 wrote to memory of 2568	5044	cmd.exe	117
PID 756 wrote to memory of 2496	756	loader3.exe	118
PID 756 wrote to memory of 2496	756	loader3.exe	118
PID 756 wrote to memory of 2496	756	loader3.exe	118
PID 2496 wrote to memory of 480	2496	cmd.exe	120
PID 2496 wrote to memory of 480	2496	cmd.exe	120
PID 756 wrote to memory of 4684	756	loader3.exe	121
PID 756 wrote to memory of 4684	756	loader3.exe	121
PID 756 wrote to memory of 4684	756	loader3.exe	121
PID 4684 wrote to memory of 4316	4684	cmd.exe	123
PID 4684 wrote to memory of 4316	4684	cmd.exe	123
PID 756 wrote to memory of 2640	756	loader3.exe	124
PID 756 wrote to memory of 2640	756	loader3.exe	124
PID 756 wrote to memory of 2640	756	loader3.exe	124
PID 2640 wrote to memory of 3504	2640	cmd.exe	126
PID 2640 wrote to memory of 3504	2640	cmd.exe	126
PID 756 wrote to memory of 2292	756	loader3.exe	127
PID 756 wrote to memory of 2292	756	loader3.exe	127

C:\Users\Admin\AppData\Local\Temp\loader3.exe
"C:\Users\Admin\AppData\Local\Temp\loader3.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756
- C:\Windows\ory0lobn.jcw\kdmapper.exe
  "C:\Windows\ory0lobn.jcw\kdmapper.exe" C:\Windows\ory0lobn.jcw\randomisershit.sys
  2⤵
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  PID:4832
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /SU auto
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3448
- - C:\Windows\ory0lobn.jcw\zhjers.exe
    C:\Windows\ory0lobn.jcw\zhjers.exe /SU auto
    3⤵
    - Executes dropped EXE
    PID:4552
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /SS "To Be Filled By O.E.M."
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Windows\ory0lobn.jcw\zhjers.exe
    C:\Windows\ory0lobn.jcw\zhjers.exe /SS "To Be Filled By O.E.M."
    3⤵
    - Executes dropped EXE
    PID:2460
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /SV "1.0"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Windows\ory0lobn.jcw\zhjers.exe
    C:\Windows\ory0lobn.jcw\zhjers.exe /SV "1.0"
    3⤵
    - Executes dropped EXE
    PID:2104
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /CSK "To Be Filled By O.E.M."
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\ory0lobn.jcw\zhjers.exe
    C:\Windows\ory0lobn.jcw\zhjers.exe /CSK "To Be Filled By O.E.M."
    3⤵
    - Executes dropped EXE
    PID:2680
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /CM "To Be Filled By O.E.M."
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\ory0lobn.jcw\zhjers.exe
    C:\Windows\ory0lobn.jcw\zhjers.exe /CM "To Be Filled By O.E.M."
    3⤵
    - Executes dropped EXE
    PID:1260
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /SP "MS-7D22"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:788
- - C:\Windows\ory0lobn.jcw\zhjers.exe
    C:\Windows\ory0lobn.jcw\zhjers.exe /SP "MS-7D22"
    3⤵
    - Executes dropped EXE
    PID:4328
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /SM "Micro-Star International Co., Ltd."
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\ory0lobn.jcw\zhjers.exe
    C:\Windows\ory0lobn.jcw\zhjers.exe /SM "Micro-Star International Co., Ltd."
    3⤵
    - Executes dropped EXE
    PID:2656
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /SK "To Be Filled By O.E.M."
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\ory0lobn.jcw\zhjers.exe
    C:\Windows\ory0lobn.jcw\zhjers.exe /SK "To Be Filled By O.E.M."
    3⤵
    - Executes dropped EXE
    PID:1096
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /SF "To Be Filled By O.E.M."
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Windows\ory0lobn.jcw\zhjers.exe
    C:\Windows\ory0lobn.jcw\zhjers.exe /SF "To Be Filled By O.E.M."
    3⤵
    - Executes dropped EXE
    PID:2568
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /BM "Micro-Star International Co., Ltd."
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\ory0lobn.jcw\zhjers.exe
    C:\Windows\ory0lobn.jcw\zhjers.exe /BM "Micro-Star International Co., Ltd."
    3⤵
    - Executes dropped EXE
    PID:480
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /BP "H510M-A PRO (MS-7D22)"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4684
- - C:\Windows\ory0lobn.jcw\zhjers.exe
    C:\Windows\ory0lobn.jcw\zhjers.exe /BP "H510M-A PRO (MS-7D22)"
    3⤵
    - Executes dropped EXE
    PID:4316
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /BV "1.0"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\ory0lobn.jcw\zhjers.exe
    C:\Windows\ory0lobn.jcw\zhjers.exe /BV "1.0"
    3⤵
    - Executes dropped EXE
    PID:3504
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /BT "To Be Filled By O.E.M."
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2292
- - C:\Windows\ory0lobn.jcw\zhjers.exe
    C:\Windows\ory0lobn.jcw\zhjers.exe /BT "To Be Filled By O.E.M."
    3⤵
    - Executes dropped EXE
    PID:4920
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /BLC "To Be Filled By O.E.M."
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4484
- - C:\Windows\ory0lobn.jcw\zhjers.exe
    C:\Windows\ory0lobn.jcw\zhjers.exe /BLC "To Be Filled By O.E.M."
    3⤵
    - Executes dropped EXE
    PID:4972
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /PSN "To Be Filled By O.E.M."
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3948
- - C:\Windows\ory0lobn.jcw\zhjers.exe
    C:\Windows\ory0lobn.jcw\zhjers.exe /PSN "To Be Filled By O.E.M."
    3⤵
    - Executes dropped EXE
    PID:4796
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /PAT "To Be Filled By O.E.M."
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1728
- - C:\Windows\ory0lobn.jcw\zhjers.exe
    C:\Windows\ory0lobn.jcw\zhjers.exe /PAT "To Be Filled By O.E.M."
    3⤵
    - Executes dropped EXE
    PID:1620
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /PPN "To Be Filled By O.E.M."
  2⤵
  - System Location Discovery: System Language Discovery
  PID:968
- - C:\Windows\ory0lobn.jcw\zhjers.exe
    C:\Windows\ory0lobn.jcw\zhjers.exe /PPN "To Be Filled By O.E.M."
    3⤵
    - Executes dropped EXE
    PID:3528
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /CSK "To Be Filled By O.E.M."
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4312
- - C:\Windows\ory0lobn.jcw\zhjers.exe
    C:\Windows\ory0lobn.jcw\zhjers.exe /CSK "To Be Filled By O.E.M."
    3⤵
    - Executes dropped EXE
    PID:3176
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /CS "To Be Filled By O.E.M."
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1152
- - C:\Windows\ory0lobn.jcw\zhjers.exe
    C:\Windows\ory0lobn.jcw\zhjers.exe /CS "To Be Filled By O.E.M."
    3⤵
    - Executes dropped EXE
    PID:4376
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /CV "1.0"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2892
- - C:\Windows\ory0lobn.jcw\zhjers.exe
    C:\Windows\ory0lobn.jcw\zhjers.exe /CV "1.0"
    3⤵
    - Executes dropped EXE
    PID:2264
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /CM "Micro-Star International Co., Ltd."
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3340
- - C:\Windows\ory0lobn.jcw\zhjers.exe
    C:\Windows\ory0lobn.jcw\zhjers.exe /CM "Micro-Star International Co., Ltd."
    3⤵
    - Executes dropped EXE
    PID:4364
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /CA "To Be Filled By O.E.M."
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1776
- - C:\Windows\ory0lobn.jcw\zhjers.exe
    C:\Windows\ory0lobn.jcw\zhjers.exe /CA "To Be Filled By O.E.M."
    3⤵
    - Executes dropped EXE
    PID:2616
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /CO "0000 0000h"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1256
- - C:\Windows\ory0lobn.jcw\zhjers.exe
    C:\Windows\ory0lobn.jcw\zhjers.exe /CO "0000 0000h"
    3⤵
    - Executes dropped EXE
    PID:1488
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /CT "03h"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2080
- - C:\Windows\ory0lobn.jcw\zhjers.exe
    C:\Windows\ory0lobn.jcw\zhjers.exe /CT "03h"
    3⤵
    - Executes dropped EXE
    PID:4128
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /IV "3.80"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4552
- - C:\Windows\ory0lobn.jcw\zhjers.exe
    C:\Windows\ory0lobn.jcw\zhjers.exe /IV "3.80"
    3⤵
    - Executes dropped EXE
    PID:3616
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /IVN "American Megatrends International, LLC."
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3120
- - C:\Windows\ory0lobn.jcw\zhjers.exe
    C:\Windows\ory0lobn.jcw\zhjers.exe /IVN "American Megatrends International, LLC."
    3⤵
    - Executes dropped EXE
    PID:3720
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /BS "%random%%random%%random%%random%%random%"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2104
- - C:\Windows\ory0lobn.jcw\zhjers.exe
    C:\Windows\ory0lobn.jcw\zhjers.exe /BS "17609578143451693930651"
    3⤵
    - Executes dropped EXE
    PID:4120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\ory0lobn.jcw\cleaner.bat" "
  2⤵
  - Drops file in Drivers directory
  - System Location Discovery: System Language Discovery
  PID:1172
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "Steam.exe" /t /fi "status eq running"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im EpicGamesLauncher.exe /t /fi status eq running
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:1672
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing\HardwareID /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4592
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing\Store /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4988
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_CURRENT_USER\Software\WinRAR\ArcHistory /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2456
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-1282084573-1681065996-3115981261-1001 /va /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2596
- - C:\Windows\SysWOW64\reg.exe
    REG DELETEH KEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\ShowJumpView /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1528
- - C:\Windows\SysWOW64\reg.exe
    REG DELETEH KEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3332
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_CURRENT_USER\Software\WinRAR\ArcHistory /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2260
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4948
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2256
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\ShowJumpView /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3992
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-332004695-2829936588-140372829-1002 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:828
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1716
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3572
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2224
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4036
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-1282084573-1681065996-3115981261-1001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:480
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1388
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKCU\Software\Electronic Arts\EA Core\Staging\194908\ergc" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2280
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKCU\Software\Electronic Arts" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4900
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Respawn\Apex\Product GUID" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2636
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Classes\origin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3844
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Classes\origin2" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2480
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKCR\origin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2804
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKCR\origin2" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4384
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKCR\Applications\Origin.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1404
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Classes\Applications\Origin.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5064
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.Origin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2036
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\Origin Client Service" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3924
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\Origin Web Helper Service" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3768
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\Origin Client Service" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3240
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\Origin Web Helper Service" /f
    3⤵
    PID:4892
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\Origin.exe" /f
    3⤵
    PID:4520
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKCR\Applications\Origin.exe" /f
    3⤵
    PID:2068
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Classes\Applications\Origin.exe" /f
    3⤵
    PID:4028
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.Origin" /f
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93" /f
    3⤵
    PID:3524
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181" /f
    3⤵
    PID:2352
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181\93" /f
    3⤵
    PID:5116
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App" /f
    3⤵
    PID:4352
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App\93" /f
    3⤵
    PID:4260
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac" /f
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad" /f
    3⤵
    PID:4412
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93" /f
    3⤵
    PID:968
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93\ac" /f
    3⤵
    PID:4176
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93" /f
    3⤵
    PID:3960
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93\ad" /f
    3⤵
    PID:2988
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180" /f
    3⤵
    PID:3852
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181" /f
    3⤵
    PID:3372
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182" /f
    3⤵
    PID:1212
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\180" /f
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f
    3⤵
    PID:3392
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f
    3⤵
    PID:4372
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f
    3⤵
    PID:4220
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f
    3⤵
    PID:3328
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f
    3⤵
    PID:2228
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f
    3⤵
    PID:4852
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f
    3⤵
    PID:3340
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f
    3⤵
    PID:3824
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f
    3⤵
    PID:1776
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f
    3⤵
    PID:4500
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f
    3⤵
    PID:3828
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f
    3⤵
    PID:628
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f
    3⤵
    PID:1116
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
    3⤵
    PID:3448
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
    3⤵
    PID:2748
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security" /f
    3⤵
    PID:4120
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
    3⤵
    PID:8
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security" /f
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKCU\Software\Classes\Installer\Dependencies" /v MSICache /f
    3⤵
    PID:5032
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKCU\Software\Microsoft\Direct3D" /v WHQLClass /f
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93" /f
    3⤵
    PID:1396
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181" /f
    3⤵
    PID:4344
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181\93" /f
    3⤵
    PID:4268
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App" /f
    3⤵
    PID:4776
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App\93" /f
    3⤵
    PID:4152
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac" /f
    3⤵
    PID:4948
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad" /f
    3⤵
    PID:2212
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93" /f
    3⤵
    PID:3112
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93\ac" /f
    3⤵
    PID:2560
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93" /f
    3⤵
    PID:828
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93\ad" /f
    3⤵
    PID:5044
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180" /f
    3⤵
    PID:4348
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181" /f
    3⤵
    PID:232
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182" /f
    3⤵
    PID:4692
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\180" /f
    3⤵
    PID:4036
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\181" /f
    3⤵
    PID:480
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\182" /f
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80" /f
    3⤵
    PID:4224
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81" /f
    3⤵
    PID:2280
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f
    3⤵
    PID:3760
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f
    3⤵
    PID:4488
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f
    3⤵
    PID:3844
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f
    3⤵
    PID:2156
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f
    3⤵
    PID:732
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f
    3⤵
    PID:3820
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f
    3⤵
    PID:4384
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f
    3⤵
    PID:3756
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f
    3⤵
    PID:1336
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f
    3⤵
    PID:4920
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f
    3⤵
    PID:5012
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f
    3⤵
    PID:4468
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f
    3⤵
    PID:2308
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f
    3⤵
    PID:4892
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f
    3⤵
    PID:4520
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\kz2LMQg4+pNfXggv65DcWFQ9SiekWR4B4WMWT+pcqbU: 0x00000002" /f
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\4JSyFFDDKUMXDyK2USgAjbiksFnqOb3f8RPZBPSpEfU: 0x00000002" /f
    3⤵
    PID:568
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\62bDlCzxB/xxIWLkQdDRYcAqhmZhNOMUtjhRkAgTvkQ: 0x00000002" /f
    3⤵
    PID:4996
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Package: 0x00000181" /f
    3⤵
    PID:4680
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Index: 0x00000000" /f
    3⤵
    PID:3524
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Flags: 0x00000000" /f
    3⤵
    PID:4868
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\PackageRelativeApplicationId: "App"" /f
    3⤵
    PID:4664
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f
    3⤵
    PID:3488
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Executable: "GameBar.exe"" /f
    3⤵
    PID:3808
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Entrypoint: "GameBar.App"" /f
    3⤵
    PID:4260
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\StartPage: (NULL!)" /f
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\_IndexKeys: 50 61 63 6B 61 67 65 5C 31 38 31 5C 39 33 00 50 61 63 6B 61 67 65 41 6E 64 50 61 63 6B 61 67 65 52 65 6C 61 74 69 76 65 41 70 70 6C 69 63 61 74 69 6F 6E 49 64 5C 31 38 31 5E 41 70 70 00 00" /f
    3⤵
    PID:4248
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\Application: 0x00000093" /f
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\User: 0x00000003" /f
    3⤵
    PID:4104
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f
    3⤵
    PID:3612
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\_IndexKeys: 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 5C 33 5E 39 33 00 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 55 73 65 72 4D 6F 64 65 6C 49 64 5C 33 5E 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 21 41 70 70 00 00" /f
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\Application: 0x00000093" /f
    3⤵
    PID:3544
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\User: 0x00000004" /f
    3⤵
    PID:5048
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f
    3⤵
    PID:3852
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\_IndexKeys: 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 5C 34 5E 39 33 00 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 55 73 65 72 4D 6F 64 65 6C 49 64 5C 34 5E 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 21 41 70 70 00 00" /f
    3⤵
    PID:3372
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe"" /f
    3⤵
    PID:4936
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageFamily: 0x0000004E" /f
    3⤵
    PID:3868
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageType: 0x00000008" /f
    3⤵
    PID:704
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\Flags: 0x00000000" /f
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageOrigin: 0x00000003" /f
    3⤵
    PID:4372
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\Volume: 0x00000001" /f
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe"" /f
    3⤵
    PID:2892
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\_IndexKeys: 50 61 63 6B 61 67 65 46 61 6D 69 6C 79 5C 34 65 5C 31 38 30 00 50 61 63 6B 61 67 65 46 75 6C 6C 4E 61 6D 65 5C 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 31 2E 34 31 2E 32 34 30 30 31 2E 30 5F 6E 65 75 74 72 61 6C 5F 7E 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 00 00" /f
    3⤵
    PID:1148
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe"" /f
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageFamily: 0x0000004E" /f
    3⤵
    PID:2228
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageType: 0x00000001" /f
    3⤵
    PID:4356
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\Flags: 0x00000000" /f
    3⤵
    PID:4572
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageOrigin: 0x00000003" /f
    3⤵
    PID:2552
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\Volume: 0x00000001" /f
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe"" /f
    3⤵
    PID:4880
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\_IndexKeys: 50 61 63 6B 61 67 65 46 61 6D 69 6C 79 5C 34 65 5C 31 38 31 00 50 61 63 6B 61 67 65 46 75 6C 6C 4E 61 6D 65 5C 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 31 2E 34 31 2E 32 34 30 30 31 2E 30 5F 78 36 34 5F 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 00 00" /f
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe"" /f
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageFamily: 0x0000004E" /f
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageType: 0x00000004" /f
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\Flags: 0x00000000" /f
    3⤵
    PID:3828
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageOrigin: 0x00000003" /f
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\Volume: 0x00000001" /f
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe"" /f
    3⤵
    PID:4992
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\_IndexKeys: 50 61 63 6B 61 67 65 46 61 6D 69 6C 79 5C 34 65 5C 31 38 32 00 50 61 63 6B 61 67 65 46 75 6C 6C 4E 61 6D 65 5C 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 31 2E 34 31 2E 32 34 30 30 31 2E 30 5F 6E 65 75 74 72 61 6C 5F 73 70 6C 69 74 2E 73 63 61 6C 65 2D 31 30 30 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 00 00" /f
    3⤵
    PID:4840
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80\Package: 0x00000180" /f
    3⤵
    PID:3388
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80\User: 0x00000003" /f
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80\_IndexKeys: 55 73 65 72 5C 33 5C 31 61 38 30 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 33 5E 31 38 30 00 00" /f
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81\Package: 0x00000181" /f
    3⤵
    PID:2504
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81\User: 0x00000003" /f
    3⤵
    PID:3720
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81\_IndexKeys: 55 73 65 72 5C 33 5C 31 61 38 31 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 33 5E 31 38 31 00 00" /f
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82\Package: 0x00000182" /f
    3⤵
    PID:8
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82\User: 0x00000003" /f
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82\_IndexKeys: 55 73 65 72 5C 33 5C 31 61 38 32 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 33 5E 31 38 32 00 00" /f
    3⤵
    PID:788
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83\Package: 0x00000180" /f
    3⤵
    PID:3996
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83\User: 0x00000004" /f
    3⤵
    PID:3956
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83\_IndexKeys: 55 73 65 72 5C 34 5C 31 61 38 33 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 34 5E 31 38 30 00 00" /f
    3⤵
    PID:2536
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84\Package: 0x00000181" /f
    3⤵
    PID:4988
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84\User: 0x00000004" /f
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84\_IndexKeys: 55 73 65 72 5C 34 5C 31 61 38 34 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 34 5E 31 38 31 00 00" /f
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VolatileNotifications\41C64E6DA3D39855: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 02 00 1C 00 01 00 00 00 00 00 14 00 03 00 00 00 01 01 00 00 00 00 00 05 0B 00 00 00 04 00 00 00" /f
    3⤵
    PID:888
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VolatileNotifications\41C64E6DA3CF4055: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 02 00 1C 00 01 00 00 00 00 00 14 00 03 00 00 00 01 01 00 00 00 00 00 05 0B 00 00 00 04 00 00 00" /f
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862software: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_sid: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 2E 64 61 74 00 00" /f
    3⤵
    PID:4776
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_classes: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 43 6C 61 73 73 65 73 2E 64 61 74 00 00" /f
    3⤵
    PID:4152
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Siloe6b4a779-bfe1-62d8-47ac-fa19e9becbbecom: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 5F 43 4F 4D 31 35 2E 64 61 74 00 00" /f
    3⤵
    PID:4948
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862com: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f
    3⤵
    PID:2212
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\bam\State\UserType: 0x00000010" /f
    3⤵
    PID:3112
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
    3⤵
    PID:4336
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862software: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f
    3⤵
    PID:5044
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_sid: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 2E 64 61 74 00 00" /f
    3⤵
    PID:4348
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_classes: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 43 6C 61 73 73 65 73 2E 64 61 74 00 00" /f
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Siloe6b4a779-bfe1-62d8-47ac-fa19e9becbbecom: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 5F 43 4F 4D 31 35 2E 64 61 74 00 00" /f
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862com: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f
    3⤵
    PID:3532
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
    3⤵
    PID:4692
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80" /f
    3⤵
    PID:1124
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81" /f
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f
    3⤵
    PID:2496
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f
    3⤵
    PID:4032
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f
    3⤵
    PID:1420
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f
    3⤵
    PID:3248
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f
    3⤵
    PID:4900
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f
    3⤵
    PID:4684
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f
    3⤵
    PID:4340
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f
    3⤵
    PID:3608
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f
    3⤵
    PID:2480
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f
    3⤵
    PID:4460
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f
    3⤵
    PID:3504
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f
    3⤵
    PID:2232
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f
    3⤵
    PID:1404
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f
    3⤵
    PID:5064
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f
    3⤵
    PID:4920
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f
    3⤵
    PID:5052
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f
    3⤵
    PID:4532
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Type: 0x00000010" /f
    3⤵
    PID:2068
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Start: 0x00000003" /f
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f
    3⤵
    PID:4680
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f
    3⤵
    PID:3524
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f
    3⤵
    PID:1308
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\WOW64: 0x0000014C" /f
    3⤵
    PID:5116
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ObjectName: "LocalSystem"" /f
    3⤵
    PID:4352
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher" /f
    3⤵
    PID:4716
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
    3⤵
    PID:644
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
    3⤵
    PID:3076
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher" /f
    3⤵
    PID:4720
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
    3⤵
    PID:4312
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
    3⤵
    PID:5048
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\0" /f
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000205B6" /f
    3⤵
    PID:1212
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000403D6" /f
    3⤵
    PID:3868
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000405DE" /f
    3⤵
    PID:704
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000060286" /f
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000009042E" /f
    3⤵
    PID:4372
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A03B4" /f
    3⤵
    PID:2084
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A0430" /f
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000B0532" /f
    3⤵
    PID:3296
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000B05D6" /f
    3⤵
    PID:4800
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000C0430" /f
    3⤵
    PID:4852
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000C0586" /f
    3⤵
    PID:3340
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E03D2" /f
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E0406" /f
    3⤵
    PID:3096
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000100430" /f
    3⤵
    PID:1196
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001103EE" /f
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000011041E" /f
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000012047E" /f
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001303EE" /f
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001304F2" /f
    3⤵
    PID:4976
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000014041E" /f
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001703E6" /f
    3⤵
    PID:4992
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000170440" /f
    3⤵
    PID:4840
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001704FC" /f
    3⤵
    PID:3388
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU" /f
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri" /f
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher" /f
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
    3⤵
    PID:4120
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
    3⤵
    PID:2004
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
    3⤵
    PID:4836
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher" /f
    3⤵
    PID:1204
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
    3⤵
    PID:788
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
    3⤵
    PID:3996
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
    3⤵
    PID:3836
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f
    3⤵
    PID:2536
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:4988
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
    3⤵
    PID:1188
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f
    3⤵
    PID:3332
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:2588
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:4276
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
    3⤵
    PID:1096
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
    3⤵
    PID:2648
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
    3⤵
    PID:2560
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
    3⤵
    PID:2052
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:3572
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
    3⤵
    PID:4652
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
    3⤵
    PID:4348
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
    3⤵
    PID:944
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
    3⤵
    PID:2496
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
    3⤵
    PID:4072
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
    3⤵
    PID:4440
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
    3⤵
    PID:2136
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
    3⤵
    PID:3784
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f
    3⤵
    PID:3756
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f
    3⤵
    PID:5064
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
    3⤵
    PID:3924
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f
    3⤵
    PID:3768
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f
    3⤵
    PID:4532
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
    3⤵
    PID:2352
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:4796
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine" /f
    3⤵
    PID:568
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
    3⤵
    PID:4892
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
    3⤵
    PID:5116
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f
    3⤵
    PID:4520
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
    3⤵
    PID:3808
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f
    3⤵
    PID:3704
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
    3⤵
    PID:2664
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
    3⤵
    PID:3076
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
    3⤵
    PID:4104
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
    3⤵
    PID:3852
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
    3⤵
    PID:4944
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f
    3⤵
    PID:4372
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
    3⤵
    PID:4436
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f
    3⤵
    PID:4824
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe" /f
    3⤵
    PID:4356
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f
    3⤵
    PID:1316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\ory0lobn.jcw\mac.bat" "
  2⤵
  PID:2080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
    3⤵
    PID:2128
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic nic where physicaladapter=true get deviceid
      4⤵
      PID:3836
  - - C:\Windows\SysWOW64\findstr.exe
      findstr [0-9]
      4⤵
      PID:1524
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
    3⤵
    PID:3164
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
    3⤵
    PID:1176
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d 7232FA0CDCDD /f
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
    3⤵
    PID:2016
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic nic where physicaladapter=true get deviceid
      4⤵
      PID:2308
  - - C:\Windows\SysWOW64\findstr.exe
      findstr [0-9]
      4⤵
      PID:3144
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
    3⤵
    PID:3176
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"
    3⤵
    PID:480
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv
      4⤵
      PID:2472
- - C:\Windows\SysWOW64\netsh.exe
    netsh interface set interface name="Ethernet" disable
    3⤵
    PID:3504
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\System32\ipconfig.exe" /flushdns
  2⤵
  - Gathers network information
  PID:2072
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" int ip reset
  2⤵
  PID:1948
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  PID:4176
- - C:\Windows\ory0lobn.jcw\Volumeid.exe
    Volumeid.exe C: 1CBA-FF00
    3⤵
    PID:5048

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
PID:3144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ory0lobn.jcw\Volumeid.exe

Filesize
228KB

MD5
4d867033b27c8a603de4885b449c4923

SHA1
f1ace1a241bab6efb3c7059a68b6e9bbe258da83

SHA256
22a2484d7fa799e6e71e310141614884f3bc8dad8ac749b6f1c475b5398a72f3

SHA512
b5d6d4a58d8780a43e69964f80525905224fa020c0032e637cd25557097e331f63d156cceaaacfe1a692ca8cea8d8bd1b219468b6b8e4827c90febe1535a5702

Download Submit
C:\Windows\ory0lobn.jcw\amifldrv64.sys

Filesize
29KB

MD5
f22740ba54a400fd2be7690bb204aa08

SHA1
5812387783d61c6ab5702213bb968590a18065e3

SHA256
65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9

SHA512
ac1f89736cf348f634b526569b5783118a1a35324f9ce2f2804001e5a04751f8cc21d09bfa1c4803cd14a64152beba868f5ecf119f10fa3ccbe680d2fb481500

Download Submit
C:\Windows\ory0lobn.jcw\kdmapper.exe

Filesize
140KB

MD5
33aa4f7f157634401b381a3328b11a8c

SHA1
50a65099f0f3bfee942d60d89c649ecd5724a48c

SHA256
180ab01cac38b5e44c4465b1a76a4c858f127f41a694a8ace8372a802fbae311

SHA512
700cbcba0e83afa6a51427036569051b938d13b811bf2841892137e1006c6c495d15b474b6838dd77575907651e7ba459a88f817bc9f05f96faea407b9a69a54

Download Submit
C:\Windows\ory0lobn.jcw\zhjers.exe

Filesize
451KB

MD5
f17ecf761e70feb98c7f628857eedfe7

SHA1
b2c1263c641bdaee8266a05a0afbb455e29e240d

SHA256
311f5c844746d4270b5b971ccef8d74ddedca873eb45f34a1a55f1ea4a3bafcf

SHA512
e5a5f56a85ee0a372990914314b750d5f970b5f91e9084621d63378a3a16a6e64904786883cd026d8aa313606c32667d2a83703f8a22fa800230a6467684d084

Download Submit
memory/756-6-0x0000000005FA0000-0x0000000006196000-memory.dmp

Filesize
2.0MB

Download
memory/756-5-0x0000000005B10000-0x0000000005B1A000-memory.dmp

Filesize
40KB

Download
memory/756-0-0x000000007536E000-0x000000007536F000-memory.dmp

Filesize
4KB

Download
memory/756-7-0x0000000075360000-0x0000000075B11000-memory.dmp

Filesize
7.7MB

Download
memory/756-8-0x000000007536E000-0x000000007536F000-memory.dmp

Filesize
4KB

Download
memory/756-9-0x0000000075360000-0x0000000075B11000-memory.dmp

Filesize
7.7MB

Download
memory/756-10-0x0000000075360000-0x0000000075B11000-memory.dmp

Filesize
7.7MB

Download
memory/756-4-0x0000000075360000-0x0000000075B11000-memory.dmp

Filesize
7.7MB

Download
memory/756-3-0x0000000005B90000-0x0000000005C22000-memory.dmp

Filesize
584KB

Download
memory/756-2-0x0000000006260000-0x0000000006806000-memory.dmp

Filesize
5.6MB

Download
memory/756-1-0x0000000000C20000-0x000000000113E000-memory.dmp

Filesize
5.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads