Malware Analysis Report

2025-01-02 14:59

Sample ID 241123-nzxc1atrc1
Target Release.7z
SHA256 7530c600f4383c5e3da3633c55acbeff7165284c66d63f76b2fa23f63be98c7c
Tags
cerber discovery persistence ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

7530c600f4383c5e3da3633c55acbeff7165284c66d63f76b2fa23f63be98c7c

Threat Level: Known bad

The file Release.7z was found to be: Known bad.

Malicious Activity Summary

cerber discovery persistence ransomware

Cerber

Cerber family

Sets service image path in registry

Drops file in Drivers directory

Executes dropped EXE

Checks computer location settings

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Gathers network information

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Kills process with taskkill

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-23 11:50

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-23 11:50

Reported

2024-11-23 11:52

Platform

win10ltsc2021-20241023-en

Max time kernel

25s

Max time network

43s

Command Line

"C:\Users\Admin\AppData\Local\Temp\loader3.exe"

Signatures

Cerber

ransomware cerber

Cerber family

cerber

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\SysWOW64\cmd.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\zKyMpOqtpXqlGqcfrCHwaXpG\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\zKyMpOqtpXqlGqcfrCHwaXpG" C:\Windows\ory0lobn.jcw\kdmapper.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\loader3.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ory0lobn.jcw\randomisershit.sys C:\Users\Admin\AppData\Local\Temp\loader3.exe N/A
File created C:\Windows\ory0lobn.jcw\Volumeid.exe C:\Users\Admin\AppData\Local\Temp\loader3.exe N/A
File created C:\Windows\ory0lobn.jcw\zhjers.exe C:\Users\Admin\AppData\Local\Temp\loader3.exe N/A
File created C:\Windows\ory0lobn.jcw\AMIFLDRV64.SYS C:\Users\Admin\AppData\Local\Temp\loader3.exe N/A
File created C:\Windows\ory0lobn.jcw\dvlwwwdrv64.sys C:\Users\Admin\AppData\Local\Temp\loader3.exe N/A
File created C:\Windows\ory0lobn.jcw\kdmapper.exe C:\Users\Admin\AppData\Local\Temp\loader3.exe N/A
File opened for modification C:\Windows\ory0lobn.jcw C:\Users\Admin\AppData\Local\Temp\loader3.exe N/A
File created C:\Windows\ory0lobn.jcw\mac.bat C:\Users\Admin\AppData\Local\Temp\loader3.exe N/A
File created C:\Windows\ory0lobn.jcw\cleaner.bat C:\Users\Admin\AppData\Local\Temp\loader3.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\loader3.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\loader3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\loader3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\AppData\Local\Temp\loader3.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\ory0lobn.jcw\kdmapper.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 756 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\ory0lobn.jcw\kdmapper.exe
PID 756 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\ory0lobn.jcw\kdmapper.exe
PID 756 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\SysWOW64\cmd.exe
PID 3448 wrote to memory of 4552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\ory0lobn.jcw\zhjers.exe
PID 3448 wrote to memory of 4552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\ory0lobn.jcw\zhjers.exe
PID 756 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\SysWOW64\cmd.exe
PID 1876 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\ory0lobn.jcw\zhjers.exe
PID 1876 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\ory0lobn.jcw\zhjers.exe
PID 756 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\SysWOW64\cmd.exe
PID 1476 wrote to memory of 2104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\ory0lobn.jcw\zhjers.exe
PID 1476 wrote to memory of 2104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\ory0lobn.jcw\zhjers.exe
PID 756 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\ory0lobn.jcw\zhjers.exe
PID 1512 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\ory0lobn.jcw\zhjers.exe
PID 756 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\SysWOW64\cmd.exe
PID 2440 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\ory0lobn.jcw\zhjers.exe
PID 2440 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\ory0lobn.jcw\zhjers.exe
PID 756 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\SysWOW64\cmd.exe
PID 788 wrote to memory of 4328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\ory0lobn.jcw\zhjers.exe
PID 788 wrote to memory of 4328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\ory0lobn.jcw\zhjers.exe
PID 756 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\SysWOW64\cmd.exe
PID 1528 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\ory0lobn.jcw\zhjers.exe
PID 1528 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\ory0lobn.jcw\zhjers.exe
PID 756 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 1096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\ory0lobn.jcw\zhjers.exe
PID 2256 wrote to memory of 1096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\ory0lobn.jcw\zhjers.exe
PID 756 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\SysWOW64\cmd.exe
PID 5044 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\ory0lobn.jcw\zhjers.exe
PID 5044 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\ory0lobn.jcw\zhjers.exe
PID 756 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\ory0lobn.jcw\zhjers.exe
PID 2496 wrote to memory of 480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\ory0lobn.jcw\zhjers.exe
PID 756 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 wrote to memory of 4316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\ory0lobn.jcw\zhjers.exe
PID 4684 wrote to memory of 4316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\ory0lobn.jcw\zhjers.exe
PID 756 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 3504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\ory0lobn.jcw\zhjers.exe
PID 2640 wrote to memory of 3504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\ory0lobn.jcw\zhjers.exe
PID 756 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\loader3.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\loader3.exe

"C:\Users\Admin\AppData\Local\Temp\loader3.exe"

C:\Windows\ory0lobn.jcw\kdmapper.exe

"C:\Windows\ory0lobn.jcw\kdmapper.exe" C:\Windows\ory0lobn.jcw\randomisershit.sys

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /SU auto

C:\Windows\ory0lobn.jcw\zhjers.exe

C:\Windows\ory0lobn.jcw\zhjers.exe /SU auto

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /SS "To Be Filled By O.E.M."

C:\Windows\ory0lobn.jcw\zhjers.exe

C:\Windows\ory0lobn.jcw\zhjers.exe /SS "To Be Filled By O.E.M."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /SV "1.0"

C:\Windows\ory0lobn.jcw\zhjers.exe

C:\Windows\ory0lobn.jcw\zhjers.exe /SV "1.0"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /CSK "To Be Filled By O.E.M."

C:\Windows\ory0lobn.jcw\zhjers.exe

C:\Windows\ory0lobn.jcw\zhjers.exe /CSK "To Be Filled By O.E.M."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /CM "To Be Filled By O.E.M."

C:\Windows\ory0lobn.jcw\zhjers.exe

C:\Windows\ory0lobn.jcw\zhjers.exe /CM "To Be Filled By O.E.M."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /SP "MS-7D22"

C:\Windows\ory0lobn.jcw\zhjers.exe

C:\Windows\ory0lobn.jcw\zhjers.exe /SP "MS-7D22"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /SM "Micro-Star International Co., Ltd."

C:\Windows\ory0lobn.jcw\zhjers.exe

C:\Windows\ory0lobn.jcw\zhjers.exe /SM "Micro-Star International Co., Ltd."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /SK "To Be Filled By O.E.M."

C:\Windows\ory0lobn.jcw\zhjers.exe

C:\Windows\ory0lobn.jcw\zhjers.exe /SK "To Be Filled By O.E.M."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /SF "To Be Filled By O.E.M."

C:\Windows\ory0lobn.jcw\zhjers.exe

C:\Windows\ory0lobn.jcw\zhjers.exe /SF "To Be Filled By O.E.M."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /BM "Micro-Star International Co., Ltd."

C:\Windows\ory0lobn.jcw\zhjers.exe

C:\Windows\ory0lobn.jcw\zhjers.exe /BM "Micro-Star International Co., Ltd."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /BP "H510M-A PRO (MS-7D22)"

C:\Windows\ory0lobn.jcw\zhjers.exe

C:\Windows\ory0lobn.jcw\zhjers.exe /BP "H510M-A PRO (MS-7D22)"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /BV "1.0"

C:\Windows\ory0lobn.jcw\zhjers.exe

C:\Windows\ory0lobn.jcw\zhjers.exe /BV "1.0"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /BT "To Be Filled By O.E.M."

C:\Windows\ory0lobn.jcw\zhjers.exe

C:\Windows\ory0lobn.jcw\zhjers.exe /BT "To Be Filled By O.E.M."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /BLC "To Be Filled By O.E.M."

C:\Windows\ory0lobn.jcw\zhjers.exe

C:\Windows\ory0lobn.jcw\zhjers.exe /BLC "To Be Filled By O.E.M."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /PSN "To Be Filled By O.E.M."

C:\Windows\ory0lobn.jcw\zhjers.exe

C:\Windows\ory0lobn.jcw\zhjers.exe /PSN "To Be Filled By O.E.M."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /PAT "To Be Filled By O.E.M."

C:\Windows\ory0lobn.jcw\zhjers.exe

C:\Windows\ory0lobn.jcw\zhjers.exe /PAT "To Be Filled By O.E.M."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /PPN "To Be Filled By O.E.M."

C:\Windows\ory0lobn.jcw\zhjers.exe

C:\Windows\ory0lobn.jcw\zhjers.exe /PPN "To Be Filled By O.E.M."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /CSK "To Be Filled By O.E.M."

C:\Windows\ory0lobn.jcw\zhjers.exe

C:\Windows\ory0lobn.jcw\zhjers.exe /CSK "To Be Filled By O.E.M."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /CS "To Be Filled By O.E.M."

C:\Windows\ory0lobn.jcw\zhjers.exe

C:\Windows\ory0lobn.jcw\zhjers.exe /CS "To Be Filled By O.E.M."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /CV "1.0"

C:\Windows\ory0lobn.jcw\zhjers.exe

C:\Windows\ory0lobn.jcw\zhjers.exe /CV "1.0"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /CM "Micro-Star International Co., Ltd."

C:\Windows\ory0lobn.jcw\zhjers.exe

C:\Windows\ory0lobn.jcw\zhjers.exe /CM "Micro-Star International Co., Ltd."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /CA "To Be Filled By O.E.M."

C:\Windows\ory0lobn.jcw\zhjers.exe

C:\Windows\ory0lobn.jcw\zhjers.exe /CA "To Be Filled By O.E.M."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /CO "0000 0000h"

C:\Windows\ory0lobn.jcw\zhjers.exe

C:\Windows\ory0lobn.jcw\zhjers.exe /CO "0000 0000h"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /CT "03h"

C:\Windows\ory0lobn.jcw\zhjers.exe

C:\Windows\ory0lobn.jcw\zhjers.exe /CT "03h"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /IV "3.80"

C:\Windows\ory0lobn.jcw\zhjers.exe

C:\Windows\ory0lobn.jcw\zhjers.exe /IV "3.80"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /IVN "American Megatrends International, LLC."

C:\Windows\ory0lobn.jcw\zhjers.exe

C:\Windows\ory0lobn.jcw\zhjers.exe /IVN "American Megatrends International, LLC."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /BS "%random%%random%%random%%random%%random%"

C:\Windows\ory0lobn.jcw\zhjers.exe

C:\Windows\ory0lobn.jcw\zhjers.exe /BS "17609578143451693930651"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Windows\ory0lobn.jcw\cleaner.bat" "

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "Steam.exe" /t /fi "status eq running"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im EpicGamesLauncher.exe /t /fi status eq running

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing\HardwareID /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing\Store /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_CURRENT_USER\Software\WinRAR\ArcHistory /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-1282084573-1681065996-3115981261-1001 /va /f

C:\Windows\SysWOW64\reg.exe

REG DELETEH KEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\ShowJumpView /f

C:\Windows\SysWOW64\reg.exe

REG DELETEH KEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_CURRENT_USER\Software\WinRAR\ArcHistory /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\ShowJumpView /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-332004695-2829936588-140372829-1002 /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-1282084573-1681065996-3115981261-1001 /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKCU\Software\Electronic Arts\EA Core\Staging\194908\ergc" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKCU\Software\Electronic Arts" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Respawn\Apex\Product GUID" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Classes\origin" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Classes\origin2" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKCR\origin" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKCR\origin2" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKCR\Applications\Origin.exe" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Classes\Applications\Origin.exe" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.Origin" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\ControlSet001\Services\Origin Client Service" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\ControlSet001\Services\Origin Web Helper Service" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\Origin Client Service" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\Origin Web Helper Service" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\Origin.exe" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKCR\Applications\Origin.exe" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Classes\Applications\Origin.exe" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.Origin" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181\93" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App\93" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93\ac" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93\ad" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\180" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Windows\ory0lobn.jcw\mac.bat" "

C:\Windows\SysWOW64\ipconfig.exe

"C:\Windows\System32\ipconfig.exe" /flushdns

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" int ip reset

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security" /f

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic nic where physicaladapter=true get deviceid

C:\Windows\SysWOW64\findstr.exe

findstr [0-9]

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKCU\Software\Classes\Installer\Dependencies" /v MSICache /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKCU\Software\Microsoft\Direct3D" /v WHQLClass /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181\93" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App\93" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93\ac" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93\ad" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\180" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\181" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\182" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\kz2LMQg4+pNfXggv65DcWFQ9SiekWR4B4WMWT+pcqbU: 0x00000002" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\4JSyFFDDKUMXDyK2USgAjbiksFnqOb3f8RPZBPSpEfU: 0x00000002" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\62bDlCzxB/xxIWLkQdDRYcAqhmZhNOMUtjhRkAgTvkQ: 0x00000002" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Package: 0x00000181" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Index: 0x00000000" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Flags: 0x00000000" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\PackageRelativeApplicationId: "App"" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Executable: "GameBar.exe"" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Entrypoint: "GameBar.App"" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\StartPage: (NULL!)" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\_IndexKeys: 50 61 63 6B 61 67 65 5C 31 38 31 5C 39 33 00 50 61 63 6B 61 67 65 41 6E 64 50 61 63 6B 61 67 65 52 65 6C 61 74 69 76 65 41 70 70 6C 69 63 61 74 69 6F 6E 49 64 5C 31 38 31 5E 41 70 70 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\Application: 0x00000093" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\User: 0x00000003" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\_IndexKeys: 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 5C 33 5E 39 33 00 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 55 73 65 72 4D 6F 64 65 6C 49 64 5C 33 5E 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 21 41 70 70 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\Application: 0x00000093" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\User: 0x00000004" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\_IndexKeys: 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 5C 34 5E 39 33 00 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 55 73 65 72 4D 6F 64 65 6C 49 64 5C 34 5E 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 21 41 70 70 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe"" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageFamily: 0x0000004E" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageType: 0x00000008" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\Flags: 0x00000000" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageOrigin: 0x00000003" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\Volume: 0x00000001" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe"" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\_IndexKeys: 50 61 63 6B 61 67 65 46 61 6D 69 6C 79 5C 34 65 5C 31 38 30 00 50 61 63 6B 61 67 65 46 75 6C 6C 4E 61 6D 65 5C 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 31 2E 34 31 2E 32 34 30 30 31 2E 30 5F 6E 65 75 74 72 61 6C 5F 7E 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe"" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageFamily: 0x0000004E" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageType: 0x00000001" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\Flags: 0x00000000" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageOrigin: 0x00000003" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\Volume: 0x00000001" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe"" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\_IndexKeys: 50 61 63 6B 61 67 65 46 61 6D 69 6C 79 5C 34 65 5C 31 38 31 00 50 61 63 6B 61 67 65 46 75 6C 6C 4E 61 6D 65 5C 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 31 2E 34 31 2E 32 34 30 30 31 2E 30 5F 78 36 34 5F 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe"" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageFamily: 0x0000004E" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageType: 0x00000004" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\Flags: 0x00000000" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageOrigin: 0x00000003" /f

C:\Windows\SysWOW64\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01

C:\Windows\SysWOW64\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\Volume: 0x00000001" /f

C:\Windows\SysWOW64\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe"" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\_IndexKeys: 50 61 63 6B 61 67 65 46 61 6D 69 6C 79 5C 34 65 5C 31 38 32 00 50 61 63 6B 61 67 65 46 75 6C 6C 4E 61 6D 65 5C 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 31 2E 34 31 2E 32 34 30 30 31 2E 30 5F 6E 65 75 74 72 61 6C 5F 73 70 6C 69 74 2E 73 63 61 6C 65 2D 31 30 30 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80\Package: 0x00000180" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80\User: 0x00000003" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80\_IndexKeys: 55 73 65 72 5C 33 5C 31 61 38 30 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 33 5E 31 38 30 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81\Package: 0x00000181" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81\User: 0x00000003" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81\_IndexKeys: 55 73 65 72 5C 33 5C 31 61 38 31 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 33 5E 31 38 31 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82\Package: 0x00000182" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82\User: 0x00000003" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82\_IndexKeys: 55 73 65 72 5C 33 5C 31 61 38 32 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 33 5E 31 38 32 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83\Package: 0x00000180" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83\User: 0x00000004" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83\_IndexKeys: 55 73 65 72 5C 34 5C 31 61 38 33 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 34 5E 31 38 30 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84\Package: 0x00000181" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84\User: 0x00000004" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84\_IndexKeys: 55 73 65 72 5C 34 5C 31 61 38 34 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 34 5E 31 38 31 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VolatileNotifications\41C64E6DA3D39855: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 02 00 1C 00 01 00 00 00 00 00 14 00 03 00 00 00 01 01 00 00 00 00 00 05 0B 00 00 00 04 00 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VolatileNotifications\41C64E6DA3CF4055: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 02 00 1C 00 01 00 00 00 00 00 14 00 03 00 00 00 01 01 00 00 00 00 00 05 0B 00 00 00 04 00 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\ControlSet001\Services\bam\State\UserType: 0x00000010" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f


C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d 7232FA0CDCDD /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic nic where physicaladapter=true get deviceid

C:\Windows\SysWOW64\findstr.exe

findstr [0-9]

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Type: 0x00000010" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Start: 0x00000003" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\WOW64: 0x0000014C" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ObjectName: "LocalSystem"" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f

C:\Windows\SysWOW64\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f

C:\Windows\SysWOW64\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\0" /f

C:\Windows\SysWOW64\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000205B6" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000403D6" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000405DE" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000060286" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000009042E" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A03B4" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A0430" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000B0532" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000B05D6" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000C0430" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000C0586" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E03D2" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E0406" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000100430" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001103EE" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000011041E" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000012047E" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001303EE" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001304F2" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000014041E" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001703E6" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000170440" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001704FC" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f

C:\Windows\SysWOW64\netsh.exe

netsh interface set interface name="Ethernet" disable

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f

C:\Windows\SysWOW64\cmd.exe

"cmd.exe"

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f

C:\Windows\ory0lobn.jcw\Volumeid.exe

Volumeid.exe C: 1CBA-FF00

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp

Files

C:\Windows\ory0lobn.jcw\kdmapper.exe

MD5 33aa4f7f157634401b381a3328b11a8c
SHA1 50a65099f0f3bfee942d60d89c649ecd5724a48c
SHA256 180ab01cac38b5e44c4465b1a76a4c858f127f41a694a8ace8372a802fbae311
SHA512 700cbcba0e83afa6a51427036569051b938d13b811bf2841892137e1006c6c495d15b474b6838dd77575907651e7ba459a88f817bc9f05f96faea407b9a69a54

C:\Windows\ory0lobn.jcw\zhjers.exe

MD5 f17ecf761e70feb98c7f628857eedfe7
SHA1 b2c1263c641bdaee8266a05a0afbb455e29e240d
SHA256 311f5c844746d4270b5b971ccef8d74ddedca873eb45f34a1a55f1ea4a3bafcf
SHA512 e5a5f56a85ee0a372990914314b750d5f970b5f91e9084621d63378a3a16a6e64904786883cd026d8aa313606c32667d2a83703f8a22fa800230a6467684d084

C:\Windows\ory0lobn.jcw\amifldrv64.sys

MD5 f22740ba54a400fd2be7690bb204aa08
SHA1 5812387783d61c6ab5702213bb968590a18065e3
SHA256 65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9
SHA512 ac1f89736cf348f634b526569b5783118a1a35324f9ce2f2804001e5a04751f8cc21d09bfa1c4803cd14a64152beba868f5ecf119f10fa3ccbe680d2fb481500

C:\Windows\ory0lobn.jcw\Volumeid.exe

MD5 4d867033b27c8a603de4885b449c4923
SHA1 f1ace1a241bab6efb3c7059a68b6e9bbe258da83
SHA256 22a2484d7fa799e6e71e310141614884f3bc8dad8ac749b6f1c475b5398a72f3
SHA512 b5d6d4a58d8780a43e69964f80525905224fa020c0032e637cd25557097e331f63d156cceaaacfe1a692ca8cea8d8bd1b219468b6b8e4827c90febe1535a5702