Analysis Overview
SHA256
7530c600f4383c5e3da3633c55acbeff7165284c66d63f76b2fa23f63be98c7c
Threat Level: Known bad
The file Release.7z was found to be: Known bad.
Malicious Activity Summary
Cerber
Cerber family
Sets service image path in registry
Drops file in Drivers directory
Executes dropped EXE
Checks computer location settings
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Gathers network information
Suspicious use of WriteProcessMemory
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Kills process with taskkill
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-23 11:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-23 11:50
Reported
2024-11-23 11:52
Platform
win10ltsc2021-20241023-en
Max time kernel
25s
Max time network
43s
Command Line
Signatures
Cerber
Cerber family
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\SysWOW64\cmd.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\zKyMpOqtpXqlGqcfrCHwaXpG\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\zKyMpOqtpXqlGqcfrCHwaXpG" | C:\Windows\ory0lobn.jcw\kdmapper.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\loader3.exe | N/A |
Executes dropped EXE
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\ory0lobn.jcw\randomisershit.sys | C:\Users\Admin\AppData\Local\Temp\loader3.exe | N/A |
| File created | C:\Windows\ory0lobn.jcw\Volumeid.exe | C:\Users\Admin\AppData\Local\Temp\loader3.exe | N/A |
| File created | C:\Windows\ory0lobn.jcw\zhjers.exe | C:\Users\Admin\AppData\Local\Temp\loader3.exe | N/A |
| File created | C:\Windows\ory0lobn.jcw\AMIFLDRV64.SYS | C:\Users\Admin\AppData\Local\Temp\loader3.exe | N/A |
| File created | C:\Windows\ory0lobn.jcw\dvlwwwdrv64.sys | C:\Users\Admin\AppData\Local\Temp\loader3.exe | N/A |
| File created | C:\Windows\ory0lobn.jcw\kdmapper.exe | C:\Users\Admin\AppData\Local\Temp\loader3.exe | N/A |
| File opened for modification | C:\Windows\ory0lobn.jcw | C:\Users\Admin\AppData\Local\Temp\loader3.exe | N/A |
| File created | C:\Windows\ory0lobn.jcw\mac.bat | C:\Users\Admin\AppData\Local\Temp\loader3.exe | N/A |
| File created | C:\Windows\ory0lobn.jcw\cleaner.bat | C:\Users\Admin\AppData\Local\Temp\loader3.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\loader3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\loader3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\loader3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\loader3.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\ory0lobn.jcw\kdmapper.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\loader3.exe
"C:\Users\Admin\AppData\Local\Temp\loader3.exe"
C:\Windows\ory0lobn.jcw\kdmapper.exe
"C:\Windows\ory0lobn.jcw\kdmapper.exe" C:\Windows\ory0lobn.jcw\randomisershit.sys
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /SU auto
C:\Windows\ory0lobn.jcw\zhjers.exe
C:\Windows\ory0lobn.jcw\zhjers.exe /SU auto
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /SS "To Be Filled By O.E.M."
C:\Windows\ory0lobn.jcw\zhjers.exe
C:\Windows\ory0lobn.jcw\zhjers.exe /SS "To Be Filled By O.E.M."
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /SV "1.0"
C:\Windows\ory0lobn.jcw\zhjers.exe
C:\Windows\ory0lobn.jcw\zhjers.exe /SV "1.0"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /CSK "To Be Filled By O.E.M."
C:\Windows\ory0lobn.jcw\zhjers.exe
C:\Windows\ory0lobn.jcw\zhjers.exe /CSK "To Be Filled By O.E.M."
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /CM "To Be Filled By O.E.M."
C:\Windows\ory0lobn.jcw\zhjers.exe
C:\Windows\ory0lobn.jcw\zhjers.exe /CM "To Be Filled By O.E.M."
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /SP "MS-7D22"
C:\Windows\ory0lobn.jcw\zhjers.exe
C:\Windows\ory0lobn.jcw\zhjers.exe /SP "MS-7D22"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /SM "Micro-Star International Co., Ltd."
C:\Windows\ory0lobn.jcw\zhjers.exe
C:\Windows\ory0lobn.jcw\zhjers.exe /SM "Micro-Star International Co., Ltd."
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /SK "To Be Filled By O.E.M."
C:\Windows\ory0lobn.jcw\zhjers.exe
C:\Windows\ory0lobn.jcw\zhjers.exe /SK "To Be Filled By O.E.M."
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /SF "To Be Filled By O.E.M."
C:\Windows\ory0lobn.jcw\zhjers.exe
C:\Windows\ory0lobn.jcw\zhjers.exe /SF "To Be Filled By O.E.M."
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /BM "Micro-Star International Co., Ltd."
C:\Windows\ory0lobn.jcw\zhjers.exe
C:\Windows\ory0lobn.jcw\zhjers.exe /BM "Micro-Star International Co., Ltd."
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /BP "H510M-A PRO (MS-7D22)"
C:\Windows\ory0lobn.jcw\zhjers.exe
C:\Windows\ory0lobn.jcw\zhjers.exe /BP "H510M-A PRO (MS-7D22)"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /BV "1.0"
C:\Windows\ory0lobn.jcw\zhjers.exe
C:\Windows\ory0lobn.jcw\zhjers.exe /BV "1.0"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /BT "To Be Filled By O.E.M."
C:\Windows\ory0lobn.jcw\zhjers.exe
C:\Windows\ory0lobn.jcw\zhjers.exe /BT "To Be Filled By O.E.M."
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /BLC "To Be Filled By O.E.M."
C:\Windows\ory0lobn.jcw\zhjers.exe
C:\Windows\ory0lobn.jcw\zhjers.exe /BLC "To Be Filled By O.E.M."
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /PSN "To Be Filled By O.E.M."
C:\Windows\ory0lobn.jcw\zhjers.exe
C:\Windows\ory0lobn.jcw\zhjers.exe /PSN "To Be Filled By O.E.M."
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /PAT "To Be Filled By O.E.M."
C:\Windows\ory0lobn.jcw\zhjers.exe
C:\Windows\ory0lobn.jcw\zhjers.exe /PAT "To Be Filled By O.E.M."
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /PPN "To Be Filled By O.E.M."
C:\Windows\ory0lobn.jcw\zhjers.exe
C:\Windows\ory0lobn.jcw\zhjers.exe /PPN "To Be Filled By O.E.M."
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /CSK "To Be Filled By O.E.M."
C:\Windows\ory0lobn.jcw\zhjers.exe
C:\Windows\ory0lobn.jcw\zhjers.exe /CSK "To Be Filled By O.E.M."
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /CS "To Be Filled By O.E.M."
C:\Windows\ory0lobn.jcw\zhjers.exe
C:\Windows\ory0lobn.jcw\zhjers.exe /CS "To Be Filled By O.E.M."
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /CV "1.0"
C:\Windows\ory0lobn.jcw\zhjers.exe
C:\Windows\ory0lobn.jcw\zhjers.exe /CV "1.0"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /CM "Micro-Star International Co., Ltd."
C:\Windows\ory0lobn.jcw\zhjers.exe
C:\Windows\ory0lobn.jcw\zhjers.exe /CM "Micro-Star International Co., Ltd."
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /CA "To Be Filled By O.E.M."
C:\Windows\ory0lobn.jcw\zhjers.exe
C:\Windows\ory0lobn.jcw\zhjers.exe /CA "To Be Filled By O.E.M."
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /CO "0000 0000h"
C:\Windows\ory0lobn.jcw\zhjers.exe
C:\Windows\ory0lobn.jcw\zhjers.exe /CO "0000 0000h"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /CT "03h"
C:\Windows\ory0lobn.jcw\zhjers.exe
C:\Windows\ory0lobn.jcw\zhjers.exe /CT "03h"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /IV "3.80"
C:\Windows\ory0lobn.jcw\zhjers.exe
C:\Windows\ory0lobn.jcw\zhjers.exe /IV "3.80"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /IVN "American Megatrends International, LLC."
C:\Windows\ory0lobn.jcw\zhjers.exe
C:\Windows\ory0lobn.jcw\zhjers.exe /IVN "American Megatrends International, LLC."
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c C:\Windows\ory0lobn.jcw\zhjers.exe /BS "%random%%random%%random%%random%%random%"
C:\Windows\ory0lobn.jcw\zhjers.exe
C:\Windows\ory0lobn.jcw\zhjers.exe /BS "17609578143451693930651"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\ory0lobn.jcw\cleaner.bat" "
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "Steam.exe" /t /fi "status eq running"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe /t /fi status eq running
C:\Windows\SysWOW64\reg.exe
REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing\HardwareID /f
C:\Windows\SysWOW64\reg.exe
REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing\Store /f
C:\Windows\SysWOW64\reg.exe
REG DELETE HKEY_CURRENT_USER\Software\WinRAR\ArcHistory /f
C:\Windows\SysWOW64\reg.exe
REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-1282084573-1681065996-3115981261-1001 /va /f
C:\Windows\SysWOW64\reg.exe
REG DELETEH KEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\ShowJumpView /f
C:\Windows\SysWOW64\reg.exe
REG DELETEH KEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f
C:\Windows\SysWOW64\reg.exe
REG DELETE HKEY_CURRENT_USER\Software\WinRAR\ArcHistory /f
C:\Windows\SysWOW64\reg.exe
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched /f
C:\Windows\SysWOW64\reg.exe
REG DELETE HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f
C:\Windows\SysWOW64\reg.exe
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\ShowJumpView /f
C:\Windows\SysWOW64\reg.exe
REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-332004695-2829936588-140372829-1002 /f
C:\Windows\SysWOW64\reg.exe
REG DELETE HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f
C:\Windows\SysWOW64\reg.exe
REG DELETE HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f
C:\Windows\SysWOW64\reg.exe
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store /f
C:\Windows\SysWOW64\reg.exe
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched /f
C:\Windows\SysWOW64\reg.exe
REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-1282084573-1681065996-3115981261-1001 /f
C:\Windows\SysWOW64\reg.exe
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCU\Software\Electronic Arts\EA Core\Staging\194908\ergc" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCU\Software\Electronic Arts" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Respawn\Apex\Product GUID" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Classes\origin" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Classes\origin2" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCR\origin" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCR\origin2" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCR\Applications\Origin.exe" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Classes\Applications\Origin.exe" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.Origin" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\Origin Client Service" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\Origin Web Helper Service" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\Origin Client Service" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\Origin Web Helper Service" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\Origin.exe" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCR\Applications\Origin.exe" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Classes\Applications\Origin.exe" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.Origin" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181\93" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App\93" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93\ac" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93\ad" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\180" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\ory0lobn.jcw\mac.bat" "
C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\System32\ipconfig.exe" /flushdns
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" int ip reset
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security" /f
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic nic where physicaladapter=true get deviceid
C:\Windows\SysWOW64\findstr.exe
findstr [0-9]
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCU\Software\Classes\Installer\Dependencies" /v MSICache /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKCU\Software\Microsoft\Direct3D" /v WHQLClass /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181\93" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App\93" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93\ac" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93\ad" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\180" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\181" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\182" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\kz2LMQg4+pNfXggv65DcWFQ9SiekWR4B4WMWT+pcqbU: 0x00000002" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\4JSyFFDDKUMXDyK2USgAjbiksFnqOb3f8RPZBPSpEfU: 0x00000002" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\62bDlCzxB/xxIWLkQdDRYcAqhmZhNOMUtjhRkAgTvkQ: 0x00000002" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Package: 0x00000181" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Index: 0x00000000" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Flags: 0x00000000" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\PackageRelativeApplicationId: "App"" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Executable: "GameBar.exe"" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Entrypoint: "GameBar.App"" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\StartPage: (NULL!)" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\_IndexKeys: 50 61 63 6B 61 67 65 5C 31 38 31 5C 39 33 00 50 61 63 6B 61 67 65 41 6E 64 50 61 63 6B 61 67 65 52 65 6C 61 74 69 76 65 41 70 70 6C 69 63 61 74 69 6F 6E 49 64 5C 31 38 31 5E 41 70 70 00 00" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\Application: 0x00000093" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\User: 0x00000003" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\_IndexKeys: 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 5C 33 5E 39 33 00 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 55 73 65 72 4D 6F 64 65 6C 49 64 5C 33 5E 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 21 41 70 70 00 00" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\Application: 0x00000093" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\User: 0x00000004" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\_IndexKeys: 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 5C 34 5E 39 33 00 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 55 73 65 72 4D 6F 64 65 6C 49 64 5C 34 5E 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 21 41 70 70 00 00" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe"" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageFamily: 0x0000004E" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageType: 0x00000008" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\Flags: 0x00000000" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageOrigin: 0x00000003" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\Volume: 0x00000001" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe"" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\_IndexKeys: 50 61 63 6B 61 67 65 46 61 6D 69 6C 79 5C 34 65 5C 31 38 30 00 50 61 63 6B 61 67 65 46 75 6C 6C 4E 61 6D 65 5C 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 31 2E 34 31 2E 32 34 30 30 31 2E 30 5F 6E 65 75 74 72 61 6C 5F 7E 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 00 00" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe"" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageFamily: 0x0000004E" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageType: 0x00000001" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\Flags: 0x00000000" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageOrigin: 0x00000003" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\Volume: 0x00000001" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe"" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\_IndexKeys: 50 61 63 6B 61 67 65 46 61 6D 69 6C 79 5C 34 65 5C 31 38 31 00 50 61 63 6B 61 67 65 46 75 6C 6C 4E 61 6D 65 5C 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 31 2E 34 31 2E 32 34 30 30 31 2E 30 5F 78 36 34 5F 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 00 00" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe"" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageFamily: 0x0000004E" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageType: 0x00000004" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\Flags: 0x00000000" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageOrigin: 0x00000003" /f
C:\Windows\SysWOW64\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
C:\Windows\SysWOW64\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\Volume: 0x00000001" /f
C:\Windows\SysWOW64\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe"" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\_IndexKeys: 50 61 63 6B 61 67 65 46 61 6D 69 6C 79 5C 34 65 5C 31 38 32 00 50 61 63 6B 61 67 65 46 75 6C 6C 4E 61 6D 65 5C 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 31 2E 34 31 2E 32 34 30 30 31 2E 30 5F 6E 65 75 74 72 61 6C 5F 73 70 6C 69 74 2E 73 63 61 6C 65 2D 31 30 30 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 00 00" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80\Package: 0x00000180" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80\User: 0x00000003" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80\_IndexKeys: 55 73 65 72 5C 33 5C 31 61 38 30 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 33 5E 31 38 30 00 00" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81\Package: 0x00000181" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81\User: 0x00000003" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81\_IndexKeys: 55 73 65 72 5C 33 5C 31 61 38 31 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 33 5E 31 38 31 00 00" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82\Package: 0x00000182" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82\User: 0x00000003" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82\_IndexKeys: 55 73 65 72 5C 33 5C 31 61 38 32 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 33 5E 31 38 32 00 00" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83\Package: 0x00000180" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83\User: 0x00000004" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83\_IndexKeys: 55 73 65 72 5C 34 5C 31 61 38 33 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 34 5E 31 38 30 00 00" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84\Package: 0x00000181" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84\User: 0x00000004" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84\_IndexKeys: 55 73 65 72 5C 34 5C 31 61 38 34 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 34 5E 31 38 31 00 00" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VolatileNotifications\41C64E6DA3D39855: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 02 00 1C 00 01 00 00 00 00 00 14 00 03 00 00 00 01 01 00 00 00 00 00 05 0B 00 00 00 04 00 00 00" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VolatileNotifications\41C64E6DA3CF4055: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 02 00 1C 00 01 00 00 00 00 00 14 00 03 00 00 00 01 01 00 00 00 00 00 05 0B 00 00 00 04 00 00 00" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862software: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_sid: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 2E 64 61 74 00 00" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_classes: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 43 6C 61 73 73 65 73 2E 64 61 74 00 00" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Siloe6b4a779-bfe1-62d8-47ac-fa19e9becbbecom: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 5F 43 4F 4D 31 35 2E 64 61 74 00 00" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862com: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\bam\State\UserType: 0x00000010" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862software: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_sid: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 2E 64 61 74 00 00" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_classes: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 43 6C 61 73 73 65 73 2E 64 61 74 00 00" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Siloe6b4a779-bfe1-62d8-47ac-fa19e9becbbecom: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 5F 43 4F 4D 31 35 2E 64 61 74 00 00" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862com: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d 7232FA0CDCDD /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic nic where physicaladapter=true get deviceid
C:\Windows\SysWOW64\findstr.exe
findstr [0-9]
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Type: 0x00000010" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Start: 0x00000003" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\WOW64: 0x0000014C" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ObjectName: "LocalSystem"" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
C:\Windows\SysWOW64\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
C:\Windows\SysWOW64\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\0" /f
C:\Windows\SysWOW64\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000205B6" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000403D6" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000405DE" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000060286" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000009042E" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A03B4" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A0430" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000B0532" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000B05D6" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000C0430" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000C0586" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E03D2" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E0406" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000100430" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001103EE" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000011041E" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000012047E" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001303EE" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001304F2" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000014041E" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001703E6" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000170440" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001704FC" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f
C:\Windows\SysWOW64\netsh.exe
netsh interface set interface name="Ethernet" disable
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
C:\Windows\ory0lobn.jcw\Volumeid.exe
Volumeid.exe C: 1CBA-FF00
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
Files
memory/756-0-0x000000007536E000-0x000000007536F000-memory.dmp
memory/756-1-0x0000000000C20000-0x000000000113E000-memory.dmp
memory/756-2-0x0000000006260000-0x0000000006806000-memory.dmp
memory/756-3-0x0000000005B90000-0x0000000005C22000-memory.dmp
memory/756-4-0x0000000075360000-0x0000000075B11000-memory.dmp
memory/756-5-0x0000000005B10000-0x0000000005B1A000-memory.dmp
memory/756-6-0x0000000005FA0000-0x0000000006196000-memory.dmp
memory/756-7-0x0000000075360000-0x0000000075B11000-memory.dmp
memory/756-8-0x000000007536E000-0x000000007536F000-memory.dmp
memory/756-9-0x0000000075360000-0x0000000075B11000-memory.dmp
memory/756-10-0x0000000075360000-0x0000000075B11000-memory.dmp
C:\Windows\ory0lobn.jcw\kdmapper.exe
| MD5 | 33aa4f7f157634401b381a3328b11a8c |
| SHA1 | 50a65099f0f3bfee942d60d89c649ecd5724a48c |
| SHA256 | 180ab01cac38b5e44c4465b1a76a4c858f127f41a694a8ace8372a802fbae311 |
| SHA512 | 700cbcba0e83afa6a51427036569051b938d13b811bf2841892137e1006c6c495d15b474b6838dd77575907651e7ba459a88f817bc9f05f96faea407b9a69a54 |
C:\Windows\ory0lobn.jcw\zhjers.exe
| MD5 | f17ecf761e70feb98c7f628857eedfe7 |
| SHA1 | b2c1263c641bdaee8266a05a0afbb455e29e240d |
| SHA256 | 311f5c844746d4270b5b971ccef8d74ddedca873eb45f34a1a55f1ea4a3bafcf |
| SHA512 | e5a5f56a85ee0a372990914314b750d5f970b5f91e9084621d63378a3a16a6e64904786883cd026d8aa313606c32667d2a83703f8a22fa800230a6467684d084 |
C:\Windows\ory0lobn.jcw\amifldrv64.sys
| MD5 | f22740ba54a400fd2be7690bb204aa08 |
| SHA1 | 5812387783d61c6ab5702213bb968590a18065e3 |
| SHA256 | 65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9 |
| SHA512 | ac1f89736cf348f634b526569b5783118a1a35324f9ce2f2804001e5a04751f8cc21d09bfa1c4803cd14a64152beba868f5ecf119f10fa3ccbe680d2fb481500 |
C:\Windows\ory0lobn.jcw\Volumeid.exe
| MD5 | 4d867033b27c8a603de4885b449c4923 |
| SHA1 | f1ace1a241bab6efb3c7059a68b6e9bbe258da83 |
| SHA256 | 22a2484d7fa799e6e71e310141614884f3bc8dad8ac749b6f1c475b5398a72f3 |
| SHA512 | b5d6d4a58d8780a43e69964f80525905224fa020c0032e637cd25557097e331f63d156cceaaacfe1a692ca8cea8d8bd1b219468b6b8e4827c90febe1535a5702 |