f578d77e5264494fd9cf4b740953b12b348745c43cc256cc5339c6a91413f909

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lcb spoofer_updated_quack/cleaners/leakedshit/clean1.bat
Size

567KB
MD5

4bf8dd140901a615b1a5fa5136728521
SHA1

00e8b5a27ecea6d6a9c52739f15a71c5559724c7
SHA256

e2b6ce87a5fa871709665b0306e15d45cd7b5550a4de6701a8ce31e811a646ed
SHA512

5600ff59e7383fafc77ca98849b34c784fb85a86c2b6bb0d7cde2aec83c0db026f84cce7259ad3c20aec75a561f97150563e6f1068e9f9993bd4443ef4eb7537
SSDEEP

1536:iYLmcHjAkpYLmcTzg8gFDRnvplGL5LvLpLjLw3z5z5z5zg:iYScHNYScTzg8gRRnvpFz5z5z5zg

Score

7^/10

persistence privilege_escalation

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3004	cmd.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\LogFiles\SQM\SQMLOG~1.002	cmd.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\NETCLR~2\_NetworkingPerfCounters.h	cmd.exe
File opened for modification	C:\Windows\INF\NETCLR~2\_Networkingperfcounters.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETDAT~1\0411\_DataOracleClientPerfCounters_shared12_neutral_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\fr-FR\netavpnt.inf_loc	cmd.exe
File opened for modification	C:\Windows\INF\netpgm.inf	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~2.0\040C\_ServiceModelServicePerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\TERMSE~1\0000\tslabels.ini	cmd.exe
File opened for modification	C:\Windows\INF\usbhub\0409\usbperf.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETDAT~2\0409\_dataperfcounters_shared12_neutral_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\de-DE\netavpna.inf_loc	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~3.0\0000\_ServiceModelOperationPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\MSDTC\0411\msdtcprf.ini	cmd.exe
File opened for modification	C:\Windows\INF\REMOTE~1\0411\rasctrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETFRA~1\040C\corperfmonsymbols_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\TERMSE~1\0C0A\tslabels.ini	cmd.exe
File opened for modification	C:\Windows\INF\UGATHE~1\0411\gsrvctr.ini	cmd.exe
File opened for modification	C:\Windows\INF\UGTHRSVC\0411\gthrctr.ini	cmd.exe
File opened for modification	C:\Windows\INF\BITS\0410\bitsctrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\defltwk.inf	cmd.exe
File opened for modification	C:\Windows\INF\netrass.inf	cmd.exe
File opened for modification	C:\Windows\INF\TAPISRV\0000\tapiperf.ini	cmd.exe
File opened for modification	C:\Windows\INF\TAPISRV\0410\tapiperf.ini	cmd.exe
File opened for modification	C:\Windows\INF\WINDOW~1.0\0000\PerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETCLR~2\0C0A\_Networkingperfcounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETFRA~1\0409\corperfmonsymbols_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\puwk.inf	cmd.exe
File opened for modification	C:\Windows\INF\REMOTE~1\0409\rasctrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETDAT~1\0000\_DataOracleClientPerfCounters_shared12_neutral_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\MSDTC\0C0A\msdtcprf.ini	cmd.exe
File opened for modification	C:\Windows\INF\MSDTCB~1.0\040C\_TransactionBridgePerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\MSDTC\0409\msdtcprf.ini	cmd.exe
File opened for modification	C:\Windows\INF\netvwifimp.inf	cmd.exe
File opened for modification	C:\Windows\INF\NETDAT~1\040C\_DataOracleClientPerfCounters_shared12_neutral_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETFRA~1\0C0A\corperfmonsymbols_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\netavpnt.inf	cmd.exe
File opened for modification	C:\Windows\INF\SMSVCH~1.0\0410\_SMSvcHostPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\Prefetch\READYB~1\READYB~1.ETL	cmd.exe
File opened for modification	C:\Windows\INF\NETDAT~1\0C0A\_DataOracleClientPerfCounters_shared12_neutral_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\BITS\0000\bitsctrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\dshowext.inf	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~1.0\0410\_ServiceModelEndpointPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\SMSVCH~1.0\0411\_SMSvcHostPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\TERMSE~1\040C\tslabels.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETCLR~1\_DataPerfCounters.ini	cmd.exe
File opened for modification	C:\Windows\INF\it-IT\netavpna.inf_loc	cmd.exe
File opened for modification	C:\Windows\INF\ja-JP\netavpna.inf_loc	cmd.exe
File opened for modification	C:\Windows\INF\MSDTC\0000\msdtcprf.ini	cmd.exe
File opened for modification	C:\Windows\INF\ndiscap.inf	cmd.exe
File opened for modification	C:\Windows\INF\rspndr.inf	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~2.0\0409\_ServiceModelServicePerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\TERMSE~1\0410\tslabels.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETCLR~2\040C\_Networkingperfcounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\en-US\netavpnt.inf_loc	cmd.exe
File opened for modification	C:\Windows\INF\rdyboost\0411\ReadyBoostPerfCounters.ini	cmd.exe
File opened for modification	C:\Windows\INF\UGATHE~1\0C0A\gsrvctr.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETCLR~1\0409\_DataPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\netpacer.inf	cmd.exe
File opened for modification	C:\Windows\INF\WINDOW~1.0\0410\PerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\ndisuio.inf	cmd.exe
File opened for modification	C:\Windows\INF\SMSVCH~1.0\0409\_SMSvcHostPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\TAPISRV\0409\tapiperf.ini	cmd.exe
File opened for modification	C:\Windows\INF\TERMSE~1\tslabels.h	cmd.exe
File opened for modification	C:\Windows\INF\WINDOW~1.0\0411\PerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETDAT~1\0407\_DataOracleClientPerfCounters_shared12_neutral_D.ini	cmd.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 15 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	reg.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	reg.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3012	ipconfig.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 372	3004	cmd.exe	31
PID 3004 wrote to memory of 372	3004	cmd.exe	31
PID 3004 wrote to memory of 372	3004	cmd.exe	31
PID 3004 wrote to memory of 2728	3004	cmd.exe	32
PID 3004 wrote to memory of 2728	3004	cmd.exe	32
PID 3004 wrote to memory of 2728	3004	cmd.exe	32
PID 3004 wrote to memory of 2744	3004	cmd.exe	33
PID 3004 wrote to memory of 2744	3004	cmd.exe	33
PID 3004 wrote to memory of 2744	3004	cmd.exe	33
PID 3004 wrote to memory of 2748	3004	cmd.exe	34
PID 3004 wrote to memory of 2748	3004	cmd.exe	34
PID 3004 wrote to memory of 2748	3004	cmd.exe	34
PID 3004 wrote to memory of 2764	3004	cmd.exe	35
PID 3004 wrote to memory of 2764	3004	cmd.exe	35
PID 3004 wrote to memory of 2764	3004	cmd.exe	35
PID 3004 wrote to memory of 2792	3004	cmd.exe	36
PID 3004 wrote to memory of 2792	3004	cmd.exe	36
PID 3004 wrote to memory of 2792	3004	cmd.exe	36
PID 3004 wrote to memory of 2732	3004	cmd.exe	37
PID 3004 wrote to memory of 2732	3004	cmd.exe	37
PID 3004 wrote to memory of 2732	3004	cmd.exe	37
PID 3004 wrote to memory of 2692	3004	cmd.exe	38
PID 3004 wrote to memory of 2692	3004	cmd.exe	38
PID 3004 wrote to memory of 2692	3004	cmd.exe	38
PID 3004 wrote to memory of 2780	3004	cmd.exe	39
PID 3004 wrote to memory of 2780	3004	cmd.exe	39
PID 3004 wrote to memory of 2780	3004	cmd.exe	39
PID 3004 wrote to memory of 2540	3004	cmd.exe	40
PID 3004 wrote to memory of 2540	3004	cmd.exe	40
PID 3004 wrote to memory of 2540	3004	cmd.exe	40
PID 3004 wrote to memory of 1440	3004	cmd.exe	41
PID 3004 wrote to memory of 1440	3004	cmd.exe	41
PID 3004 wrote to memory of 1440	3004	cmd.exe	41
PID 3004 wrote to memory of 2652	3004	cmd.exe	42
PID 3004 wrote to memory of 2652	3004	cmd.exe	42
PID 3004 wrote to memory of 2652	3004	cmd.exe	42
PID 3004 wrote to memory of 2696	3004	cmd.exe	43
PID 3004 wrote to memory of 2696	3004	cmd.exe	43
PID 3004 wrote to memory of 2696	3004	cmd.exe	43
PID 3004 wrote to memory of 2660	3004	cmd.exe	44
PID 3004 wrote to memory of 2660	3004	cmd.exe	44
PID 3004 wrote to memory of 2660	3004	cmd.exe	44
PID 3004 wrote to memory of 2340	3004	cmd.exe	45
PID 3004 wrote to memory of 2340	3004	cmd.exe	45
PID 3004 wrote to memory of 2340	3004	cmd.exe	45
PID 3004 wrote to memory of 2772	3004	cmd.exe	46
PID 3004 wrote to memory of 2772	3004	cmd.exe	46
PID 3004 wrote to memory of 2772	3004	cmd.exe	46
PID 3004 wrote to memory of 2560	3004	cmd.exe	47
PID 3004 wrote to memory of 2560	3004	cmd.exe	47
PID 3004 wrote to memory of 2560	3004	cmd.exe	47
PID 3004 wrote to memory of 2776	3004	cmd.exe	48
PID 3004 wrote to memory of 2776	3004	cmd.exe	48
PID 3004 wrote to memory of 2776	3004	cmd.exe	48
PID 3004 wrote to memory of 2556	3004	cmd.exe	49
PID 3004 wrote to memory of 2556	3004	cmd.exe	49
PID 3004 wrote to memory of 2556	3004	cmd.exe	49
PID 3004 wrote to memory of 2820	3004	cmd.exe	50
PID 3004 wrote to memory of 2820	3004	cmd.exe	50
PID 3004 wrote to memory of 2820	3004	cmd.exe	50
PID 3004 wrote to memory of 2800	3004	cmd.exe	51
PID 3004 wrote to memory of 2800	3004	cmd.exe	51
PID 3004 wrote to memory of 2800	3004	cmd.exe	51
PID 3004 wrote to memory of 2700	3004	cmd.exe	52

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\lcb spoofer_updated_quack\cleaners\leakedshit\clean1.bat"
1⤵
- Deletes itself
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Electronic Arts\EA Core\Staging\194908\ergc" /f
  2⤵
  PID:372
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Electronic Arts" /f
  2⤵
  PID:2728
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Respawn\Apex\Product GUID" /f
  2⤵
  PID:2744
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Classes\origin" /f
  2⤵
  PID:2748
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Classes\origin2" /f
  2⤵
  PID:2764
- C:\Windows\system32\reg.exe
  REG DELETE "HKCR\origin" /f
  2⤵
  PID:2792
- C:\Windows\system32\reg.exe
  REG DELETE "HKCR\origin2" /f
  2⤵
  PID:2732
- C:\Windows\system32\reg.exe
  REG DELETE "HKCR\Applications\Origin.exe" /f
  2⤵
  PID:2692
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Classes\Applications\Origin.exe" /f
  2⤵
  PID:2780
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.Origin" /f
  2⤵
  PID:2540
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SYSTEM\ControlSet001\Services\Origin Client Service" /f
  2⤵
  PID:1440
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SYSTEM\ControlSet001\Services\Origin Web Helper Service" /f
  2⤵
  PID:2652
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\Origin Client Service" /f
  2⤵
  PID:2696
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\Origin Web Helper Service" /f
  2⤵
  PID:2660
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\Origin.exe" /f
  2⤵
  PID:2340
- C:\Windows\system32\reg.exe
  REG DELETE "HKCR\Applications\Origin.exe" /f
  2⤵
  PID:2772
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Classes\Applications\Origin.exe" /f
  2⤵
  PID:2560
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.Origin" /f
  2⤵
  PID:2776
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93" /f
  2⤵
  PID:2556
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181" /f
  2⤵
  PID:2820
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181\93" /f
  2⤵
  PID:2800
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App" /f
  2⤵
  PID:2700
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App\93" /f
  2⤵
  PID:2784
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac" /f
  2⤵
  PID:2648
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad" /f
  2⤵
  PID:2752
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93" /f
  2⤵
  PID:2532
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93\ac" /f
  2⤵
  PID:2528
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93" /f
  2⤵
  PID:2548
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93\ad" /f
  2⤵
  PID:2564
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180" /f
  2⤵
  PID:2600
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181" /f
  2⤵
  PID:2612
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182" /f
  2⤵
  PID:2704
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\180" /f
  2⤵
  PID:3000
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f
  2⤵
  PID:2144
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f
  2⤵
  PID:2996
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f
  2⤵
  PID:340
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f
  2⤵
  PID:2344
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f
  2⤵
  PID:2504
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f
  2⤵
  PID:588
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f
  2⤵
  PID:1312
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f
  2⤵
  PID:2332
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f
  2⤵
  PID:1828
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f
  2⤵
  PID:1972
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f
  2⤵
  PID:2868
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f
  2⤵
  PID:2864
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f
  2⤵
  PID:2880
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f
  2⤵
  PID:2976
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f
  2⤵
  PID:2956
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f
  2⤵
  PID:3016
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f
  2⤵
  PID:3032
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f
  2⤵
  PID:3040
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
  2⤵
  PID:3024
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
  2⤵
  PID:3020
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security" /f
  2⤵
  PID:3036
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
  2⤵
  PID:2216
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security" /f
  2⤵
  PID:2520
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\Installer\Dependencies" /v MSICache /f
  2⤵
  PID:2488
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Microsoft\Direct3D" /v WHQLClass /f
  2⤵
  PID:2092
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f
  2⤵
  - Checks processor information in registry
  PID:2604
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93" /f
  2⤵
  PID:748
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181" /f
  2⤵
  PID:2020
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181\93" /f
  2⤵
  PID:2244
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App" /f
  2⤵
  PID:1852
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App\93" /f
  2⤵
  PID:2328
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac" /f
  2⤵
  PID:1892
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad" /f
  2⤵
  PID:488
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93" /f
  2⤵
  PID:924
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93\ac" /f
  2⤵
  PID:864
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93" /f
  2⤵
  PID:780
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93\ad" /f
  2⤵
  PID:1680
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180" /f
  2⤵
  PID:1676
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181" /f
  2⤵
  PID:1304
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182" /f
  2⤵
  PID:1308
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\180" /f
  2⤵
  PID:1700
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\181" /f
  2⤵
  PID:1660
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\182" /f
  2⤵
  PID:2420
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80" /f
  2⤵
  PID:2824
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81" /f
  2⤵
  PID:2828
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f
  2⤵
  PID:2724
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f
  2⤵
  PID:2848
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f
  2⤵
  PID:2812
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f
  2⤵
  PID:1572
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f
  2⤵
  PID:1976
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f
  2⤵
  PID:108
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f
  2⤵
  PID:1048
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f
  2⤵
  PID:1060
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f
  2⤵
  PID:380
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f
  2⤵
  PID:540
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f
  2⤵
  PID:1756
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f
  2⤵
  PID:400
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f
  2⤵
  PID:1532
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f
  2⤵
  PID:2516
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f
  2⤵
  PID:1752
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f
  2⤵
  PID:900
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f
  2⤵
  PID:824
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f
  2⤵
  PID:2852
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\kz2LMQg4+pNfXggv65DcWFQ9SiekWR4B4WMWT+pcqbU: 0x00000002" /f
  2⤵
  PID:2836
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\4JSyFFDDKUMXDyK2USgAjbiksFnqOb3f8RPZBPSpEfU: 0x00000002" /f
  2⤵
  PID:2916
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\62bDlCzxB/xxIWLkQdDRYcAqhmZhNOMUtjhRkAgTvkQ: 0x00000002" /f
  2⤵
  PID:2512
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Package: 0x00000181" /f
  2⤵
  PID:1964
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Index: 0x00000000" /f
  2⤵
  PID:1392
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Flags: 0x00000000" /f
  2⤵
  PID:1320
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\PackageRelativeApplicationId: "App"" /f
  2⤵
  PID:2204
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f
  2⤵
  PID:1928
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Executable: "GameBar.exe"" /f
  2⤵
  PID:1568
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Entrypoint: "GameBar.App"" /f
  2⤵
  PID:1776
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\StartPage: (NULL!)" /f
  2⤵
  PID:2472
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\_IndexKeys: 50 61 63 6B 61 67 65 5C 31 38 31 5C 39 33 00 50 61 63 6B 61 67 65 41 6E 64 50 61 63 6B 61 67 65 52 65 6C 61 74 69 76 65 41 70 70 6C 69 63 61 74 69 6F 6E 49 64 5C 31 38 31 5E 41 70 70 00 00" /f
  2⤵
  PID:2928
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\Application: 0x00000093" /f
  2⤵
  PID:1492
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\User: 0x00000003" /f
  2⤵
  PID:1948
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f
  2⤵
  PID:848
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\_IndexKeys: 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 5C 33 5E 39 33 00 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 55 73 65 72 4D 6F 64 65 6C 49 64 5C 33 5E 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 21 41 70 70 00 00" /f
  2⤵
  PID:792
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\Application: 0x00000093" /f
  2⤵
  PID:2360
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\User: 0x00000004" /f
  2⤵
  PID:2936
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f
  2⤵
  PID:408
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\_IndexKeys: 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 5C 34 5E 39 33 00 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 55 73 65 72 4D 6F 64 65 6C 49 64 5C 34 5E 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 21 41 70 70 00 00" /f
  2⤵
  PID:1080
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe"" /f
  2⤵
  PID:1052
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageFamily: 0x0000004E" /f
  2⤵
  PID:2072
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageType: 0x00000008" /f
  2⤵
  PID:2120
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\Flags: 0x00000000" /f
  2⤵
  PID:2632
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageOrigin: 0x00000003" /f
  2⤵
  PID:2076
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\Volume: 0x00000001" /f
  2⤵
  PID:1844
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe"" /f
  2⤵
  PID:2416
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\_IndexKeys: 50 61 63 6B 61 67 65 46 61 6D 69 6C 79 5C 34 65 5C 31 38 30 00 50 61 63 6B 61 67 65 46 75 6C 6C 4E 61 6D 65 5C 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 31 2E 34 31 2E 32 34 30 30 31 2E 30 5F 6E 65 75 74 72 61 6C 5F 7E 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 00 00" /f
  2⤵
  PID:944
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe"" /f
  2⤵
  PID:1380
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageFamily: 0x0000004E" /f
  2⤵
  PID:1600
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageType: 0x00000001" /f
  2⤵
  PID:1864
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\Flags: 0x00000000" /f
  2⤵
  PID:1780
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageOrigin: 0x00000003" /f
  2⤵
  PID:876
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\Volume: 0x00000001" /f
  2⤵
  PID:2948
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe"" /f
  2⤵
  PID:1980
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\_IndexKeys: 50 61 63 6B 61 67 65 46 61 6D 69 6C 79 5C 34 65 5C 31 38 31 00 50 61 63 6B 61 67 65 46 75 6C 6C 4E 61 6D 65 5C 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 31 2E 34 31 2E 32 34 30 30 31 2E 30 5F 78 36 34 5F 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 00 00" /f
  2⤵
  PID:1728
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe"" /f
  2⤵
  PID:892
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageFamily: 0x0000004E" /f
  2⤵
  PID:828
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageType: 0x00000004" /f
  2⤵
  PID:2476
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\Flags: 0x00000000" /f
  2⤵
  PID:1960
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageOrigin: 0x00000003" /f
  2⤵
  PID:940
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\Volume: 0x00000001" /f
  2⤵
  PID:1020
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe"" /f
  2⤵
  PID:2396
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\_IndexKeys: 50 61 63 6B 61 67 65 46 61 6D 69 6C 79 5C 34 65 5C 31 38 32 00 50 61 63 6B 61 67 65 46 75 6C 6C 4E 61 6D 65 5C 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 31 2E 34 31 2E 32 34 30 30 31 2E 30 5F 6E 65 75 74 72 61 6C 5F 73 70 6C 69 74 2E 73 63 61 6C 65 2D 31 30 30 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 00 00" /f
  2⤵
  PID:2892
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80\Package: 0x00000180" /f
  2⤵
  PID:1412
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80\User: 0x00000003" /f
  2⤵
  PID:1652
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80\_IndexKeys: 55 73 65 72 5C 33 5C 31 61 38 30 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 33 5E 31 38 30 00 00" /f
  2⤵
  PID:1352
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81\Package: 0x00000181" /f
  2⤵
  PID:1528
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81\User: 0x00000003" /f
  2⤵
  PID:2940
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81\_IndexKeys: 55 73 65 72 5C 33 5C 31 61 38 31 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 33 5E 31 38 31 00 00" /f
  2⤵
  PID:1344
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82\Package: 0x00000182" /f
  2⤵
  PID:2136
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82\User: 0x00000003" /f
  2⤵
  PID:1724
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82\_IndexKeys: 55 73 65 72 5C 33 5C 31 61 38 32 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 33 5E 31 38 32 00 00" /f
  2⤵
  PID:2320
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83\Package: 0x00000180" /f
  2⤵
  PID:1716
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83\User: 0x00000004" /f
  2⤵
  PID:576
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83\_IndexKeys: 55 73 65 72 5C 34 5C 31 61 38 33 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 34 5E 31 38 30 00 00" /f
  2⤵
  PID:1704
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84\Package: 0x00000181" /f
  2⤵
  PID:2960
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84\User: 0x00000004" /f
  2⤵
  PID:608
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84\_IndexKeys: 55 73 65 72 5C 34 5C 31 61 38 34 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 34 5E 31 38 31 00 00" /f
  2⤵
  PID:1540
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VolatileNotifications\41C64E6DA3D39855: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 02 00 1C 00 01 00 00 00 00 00 14 00 03 00 00 00 01 01 00 00 00 00 00 05 0B 00 00 00 04 00 00 00" /f
  2⤵
  PID:768
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VolatileNotifications\41C64E6DA3CF4055: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 02 00 1C 00 01 00 00 00 00 00 14 00 03 00 00 00 01 01 00 00 00 00 00 05 0B 00 00 00 04 00 00 00" /f
  2⤵
  PID:1276
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
  2⤵
  PID:2324
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862software: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f
  2⤵
  PID:2272
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_sid: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 2E 64 61 74 00 00" /f
  2⤵
  PID:2276
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_classes: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 43 6C 61 73 73 65 73 2E 64 61 74 00 00" /f
  2⤵
  PID:2124
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Siloe6b4a779-bfe1-62d8-47ac-fa19e9becbbecom: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 5F 43 4F 4D 31 35 2E 64 61 74 00 00" /f
  2⤵
  PID:2888
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862com: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f
  2⤵
  PID:2300
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SYSTEM\ControlSet001\Services\bam\State\UserType: 0x00000010" /f
  2⤵
  PID:2944
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
  2⤵
  PID:2000
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f
  2⤵
  PID:2616
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862software: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f
  2⤵
  PID:2352
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_sid: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 2E 64 61 74 00 00" /f
  2⤵
  PID:2268
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_classes: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 43 6C 61 73 73 65 73 2E 64 61 74 00 00" /f
  2⤵
  PID:3056
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Siloe6b4a779-bfe1-62d8-47ac-fa19e9becbbecom: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 5F 43 4F 4D 31 35 2E 64 61 74 00 00" /f
  2⤵
  PID:1632
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862com: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f
  2⤵
  PID:1736
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
  2⤵
  PID:1596
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80" /f
  2⤵
  PID:1988
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81" /f
  2⤵
  PID:980
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f
  2⤵
  PID:3068
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f
  2⤵
  PID:1812
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f
  2⤵
  PID:1804
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f
  2⤵
  PID:904
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f
  2⤵
  PID:880
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f
  2⤵
  PID:872
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f
  2⤵
  PID:688
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f
  2⤵
  PID:1748
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f
  2⤵
  PID:2248
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f
  2⤵
  PID:2280
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f
  2⤵
  PID:1252
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f
  2⤵
  PID:1284
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f
  2⤵
  PID:2384
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f
  2⤵
  PID:1584
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f
  2⤵
  PID:2108
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f
  2⤵
  PID:1692
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f
  2⤵
  PID:1588
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f
  2⤵
  PID:2684
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Type: 0x00000010" /f
  2⤵
  PID:2736
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Start: 0x00000003" /f
  2⤵
  PID:2740
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f
  2⤵
  PID:2760
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f
  2⤵
  PID:2788
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f
  2⤵
  PID:2908
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\WOW64: 0x0000014C" /f
  2⤵
  PID:2688
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ObjectName: "LocalSystem"" /f
  2⤵
  PID:2900
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher" /f
  2⤵
  PID:2668
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
  2⤵
  PID:2400
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
  2⤵
  PID:2896
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
  2⤵
  PID:2796
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher" /f
  2⤵
  PID:2664
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
  2⤵
  PID:2768
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
  2⤵
  PID:2568
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
  2⤵
  PID:2844
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\0" /f
  2⤵
  PID:2720
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000205B6" /f
  2⤵
  PID:2712
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000403D6" /f
  2⤵
  PID:2112
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000405DE" /f
  2⤵
  PID:2192
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000060286" /f
  2⤵
  PID:2672
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000009042E" /f
  2⤵
  PID:2580
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A03B4" /f
  2⤵
  PID:2588
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A0430" /f
  2⤵
  PID:1656
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000B0532" /f
  2⤵
  PID:2708
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000B05D6" /f
  2⤵
  PID:2536
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000C0430" /f
  2⤵
  PID:2544
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000C0586" /f
  2⤵
  PID:2552
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E03D2" /f
  2⤵
  PID:2576
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E0406" /f
  2⤵
  PID:2608
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000100430" /f
  2⤵
  PID:2656
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001103EE" /f
  2⤵
  PID:2040
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000011041E" /f
  2⤵
  PID:2992
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000012047E" /f
  2⤵
  PID:2584
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001303EE" /f
  2⤵
  PID:2596
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001304F2" /f
  2⤵
  PID:2148
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000014041E" /f
  2⤵
  PID:3044
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001703E6" /f
  2⤵
  PID:3048
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000170440" /f
  2⤵
  PID:1096
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001704FC" /f
  2⤵
  PID:1996
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU" /f
  2⤵
  PID:1648
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri" /f
  2⤵
  PID:348
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher" /f
  2⤵
  PID:2840
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
  2⤵
  PID:2860
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
  2⤵
  PID:2872
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
  2⤵
  PID:2968
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher" /f
  2⤵
  PID:2984
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
  2⤵
  PID:3008
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
  2⤵
  PID:2972
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
  2⤵
  PID:2980
- C:\Windows\system32\reg.exe
  REG DELETE "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f
  2⤵
  PID:2988
- C:\Windows\system32\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:3012
- C:\Windows\system32\netsh.exe
  netsh interface ip delete arpcache
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3020
- C:\Windows\system32\certutil.exe
  certutil -URLCache * delete
  2⤵
  PID:2488
- C:\Windows\system32\netsh.exe
  netsh int ip reset
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1256
- C:\Windows\system32\netsh.exe
  netsh int ipv4 reset
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1028
- C:\Windows\system32\netsh.exe
  netsh int ipv6 reset
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1608
- C:\Windows\system32\netsh.exe
  netsh winsock reset
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads