cerber | a563e7ac52ec2d7d734d61662bcc054860e39572db91d4482b237f6472d85f3d

Analysis

max time kernel
179s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 00:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NkPrivateSpoofer.zip
Size

5.1MB
MD5

470d2096c4711d3d8c5e0be84f6b520b
SHA1

8ff56896ea5b64d3d261fc973140bd0a52fa1dca
SHA256

a563e7ac52ec2d7d734d61662bcc054860e39572db91d4482b237f6472d85f3d
SHA512

6dca3561e8a78ed8c26685ad59559ee762a7d527d26d37a497b49685621624603c883a65820f2ab551a8bc3026d5262e0524a8c0a248024f0741bb62ddbb508e
SSDEEP

98304:i2NJXbaCQCBCjAVE0vAdt+vtduiOC8on5Q2Nbp6WWr5jT4tuaGBREAoF+eb:iKXbDQLsVUdt+Vd/nJNbpBW9jUt/GBRs

Score

10^/10

cerber discovery persistence ransomware

Malware Config

Signatures

Cerber 29 IoCs

Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

ransomware cerber

description	ioc	pid	Process
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		zhjers.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		zhjers.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		zhjers.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		zhjers.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		zhjers.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		zhjers.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		zhjers.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		zhjers.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		zhjers.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		zhjers.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		zhjers.exe
		4468	taskkill.exe
		4656	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		zhjers.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		zhjers.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		zhjers.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		zhjers.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		zhjers.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		zhjers.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		zhjers.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		zhjers.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		zhjers.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		zhjers.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		zhjers.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		zhjers.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		zhjers.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		zhjers.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		zhjers.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		zhjers.exe

Cerber family
cerber

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\hVQlBSUuZx\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\hVQlBSUuZx"	kdmapper.exe

Executes dropped EXE 30 IoCs

pid	Process
4008	loader.exe
868	loader.exe
2488	kdmapper.exe
1756	zhjers.exe
440	zhjers.exe
4188	zhjers.exe
4872	zhjers.exe
2204	zhjers.exe
2744	zhjers.exe
1824	zhjers.exe
2596	zhjers.exe
1528	zhjers.exe
2448	zhjers.exe
1880	zhjers.exe
1424	zhjers.exe
4860	zhjers.exe
4324	zhjers.exe
624	zhjers.exe
3244	zhjers.exe
4244	zhjers.exe
432	zhjers.exe
180	zhjers.exe
2772	zhjers.exe
2944	zhjers.exe
3364	zhjers.exe
3748	zhjers.exe
3556	zhjers.exe
1484	zhjers.exe
1636	zhjers.exe
1676	zhjers.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\hn0zvhvc.fnn\mac.bat	loader.exe
File created	C:\Windows\hn0zvhvc.fnn\kdmapper.exe	loader.exe
File created	C:\Windows\hn0zvhvc.fnn\Volumeid.exe	loader.exe
File created	C:\Windows\hn0zvhvc.fnn\zhjers.exe	loader.exe
File created	C:\Windows\hn0zvhvc.fnn\AMIFLDRV64.SYS	loader.exe
File created	C:\Windows\hn0zvhvc.fnn\dvlwwwdrv64.sys	loader.exe
File created	C:\Windows\hn0zvhvc.fnn\randomisershit.sys	loader.exe
File opened for modification	C:\Windows\hn0zvhvc.fnn	loader.exe
File opened for modification	C:\Windows\hn0zvhvc.fnn\mac.bat	loader.exe
File created	C:\Windows\hn0zvhvc.fnn\cleaner.bat	loader.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4528	4008	WerFault.exe	125
3016	868	WerFault.exe	130

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	loader.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3132	ipconfig.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
4468	taskkill.exe
4656	taskkill.exe
4404	taskkill.exe
1492	taskkill.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4384	7zFM.exe
4384	7zFM.exe
4384	7zFM.exe
4384	7zFM.exe
4384	7zFM.exe
4384	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4384	7zFM.exe

Suspicious behavior: LoadsDriver 28 IoCs

pid	Process
2488	kdmapper.exe
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4384	7zFM.exe
Token: 35	4384	7zFM.exe
Token: SeSecurityPrivilege	4384	7zFM.exe
Token: SeDebugPrivilege	4468	taskkill.exe
Token: SeSecurityPrivilege	4384	7zFM.exe
Token: SeSecurityPrivilege	4384	7zFM.exe
Token: SeDebugPrivilege	744	loader.exe
Token: 33	744	loader.exe
Token: SeIncBasePriorityPrivilege	744	loader.exe
Token: 33	744	loader.exe
Token: SeIncBasePriorityPrivilege	744	loader.exe
Token: 33	744	loader.exe
Token: SeIncBasePriorityPrivilege	744	loader.exe
Token: 33	744	loader.exe
Token: SeIncBasePriorityPrivilege	744	loader.exe
Token: 33	744	loader.exe
Token: SeIncBasePriorityPrivilege	744	loader.exe
Token: 33	744	loader.exe
Token: SeIncBasePriorityPrivilege	744	loader.exe
Token: 33	744	loader.exe
Token: SeIncBasePriorityPrivilege	744	loader.exe
Token: 33	744	loader.exe
Token: SeIncBasePriorityPrivilege	744	loader.exe
Token: 33	744	loader.exe
Token: SeIncBasePriorityPrivilege	744	loader.exe
Token: 33	744	loader.exe
Token: SeIncBasePriorityPrivilege	744	loader.exe
Token: 33	744	loader.exe
Token: SeIncBasePriorityPrivilege	744	loader.exe
Token: 33	744	loader.exe
Token: SeIncBasePriorityPrivilege	744	loader.exe
Token: 33	744	loader.exe
Token: SeIncBasePriorityPrivilege	744	loader.exe
Token: 33	744	loader.exe
Token: SeIncBasePriorityPrivilege	744	loader.exe
Token: 33	744	loader.exe
Token: SeIncBasePriorityPrivilege	744	loader.exe
Token: 33	744	loader.exe
Token: SeIncBasePriorityPrivilege	744	loader.exe
Token: 33	744	loader.exe
Token: SeIncBasePriorityPrivilege	744	loader.exe
Token: 33	744	loader.exe
Token: SeIncBasePriorityPrivilege	744	loader.exe
Token: 33	744	loader.exe
Token: SeIncBasePriorityPrivilege	744	loader.exe
Token: 33	744	loader.exe
Token: SeIncBasePriorityPrivilege	744	loader.exe
Token: 33	744	loader.exe
Token: SeIncBasePriorityPrivilege	744	loader.exe
Token: 33	744	loader.exe
Token: SeIncBasePriorityPrivilege	744	loader.exe
Token: 33	744	loader.exe
Token: SeIncBasePriorityPrivilege	744	loader.exe
Token: 33	744	loader.exe
Token: SeIncBasePriorityPrivilege	744	loader.exe
Token: 33	744	loader.exe
Token: SeIncBasePriorityPrivilege	744	loader.exe
Token: 33	744	loader.exe
Token: SeIncBasePriorityPrivilege	744	loader.exe
Token: 33	744	loader.exe
Token: SeIncBasePriorityPrivilege	744	loader.exe
Token: 33	744	loader.exe
Token: SeIncBasePriorityPrivilege	744	loader.exe
Token: 33	744	loader.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4384	7zFM.exe
4384	7zFM.exe
4384	7zFM.exe
4384	7zFM.exe

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
1756	zhjers.exe
440	zhjers.exe
4188	zhjers.exe
4872	zhjers.exe
2204	zhjers.exe
2744	zhjers.exe
1824	zhjers.exe
2596	zhjers.exe
1528	zhjers.exe
2448	zhjers.exe
1880	zhjers.exe
1424	zhjers.exe
4860	zhjers.exe
4324	zhjers.exe
624	zhjers.exe
3244	zhjers.exe
4244	zhjers.exe
432	zhjers.exe
180	zhjers.exe
2772	zhjers.exe
2944	zhjers.exe
3364	zhjers.exe
3748	zhjers.exe
3556	zhjers.exe
1484	zhjers.exe
1636	zhjers.exe
1676	zhjers.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4384 wrote to memory of 3668	4384	7zFM.exe	102
PID 4384 wrote to memory of 3668	4384	7zFM.exe	102
PID 3668 wrote to memory of 4468	3668	cmd.exe	106
PID 3668 wrote to memory of 4468	3668	cmd.exe	106
PID 3668 wrote to memory of 4656	3668	cmd.exe	107
PID 3668 wrote to memory of 4656	3668	cmd.exe	107
PID 3668 wrote to memory of 3552	3668	cmd.exe	108
PID 3668 wrote to memory of 3552	3668	cmd.exe	108
PID 3668 wrote to memory of 1060	3668	cmd.exe	109
PID 3668 wrote to memory of 1060	3668	cmd.exe	109
PID 3668 wrote to memory of 3036	3668	cmd.exe	110
PID 3668 wrote to memory of 3036	3668	cmd.exe	110
PID 3668 wrote to memory of 4276	3668	cmd.exe	111
PID 3668 wrote to memory of 4276	3668	cmd.exe	111
PID 3668 wrote to memory of 1760	3668	cmd.exe	112
PID 3668 wrote to memory of 1760	3668	cmd.exe	112
PID 3668 wrote to memory of 3392	3668	cmd.exe	113
PID 3668 wrote to memory of 3392	3668	cmd.exe	113
PID 3668 wrote to memory of 4784	3668	cmd.exe	114
PID 3668 wrote to memory of 4784	3668	cmd.exe	114
PID 3668 wrote to memory of 4332	3668	cmd.exe	115
PID 3668 wrote to memory of 4332	3668	cmd.exe	115
PID 3668 wrote to memory of 3888	3668	cmd.exe	116
PID 3668 wrote to memory of 3888	3668	cmd.exe	116
PID 3668 wrote to memory of 2604	3668	cmd.exe	117
PID 3668 wrote to memory of 2604	3668	cmd.exe	117
PID 3668 wrote to memory of 4016	3668	cmd.exe	118
PID 3668 wrote to memory of 4016	3668	cmd.exe	118
PID 3668 wrote to memory of 2420	3668	cmd.exe	119
PID 3668 wrote to memory of 2420	3668	cmd.exe	119
PID 3668 wrote to memory of 3900	3668	cmd.exe	120
PID 3668 wrote to memory of 3900	3668	cmd.exe	120
PID 3668 wrote to memory of 3360	3668	cmd.exe	121
PID 3668 wrote to memory of 3360	3668	cmd.exe	121
PID 3668 wrote to memory of 1756	3668	cmd.exe	122
PID 3668 wrote to memory of 1756	3668	cmd.exe	122
PID 3668 wrote to memory of 2824	3668	cmd.exe	123
PID 3668 wrote to memory of 2824	3668	cmd.exe	123
PID 3668 wrote to memory of 2424	3668	cmd.exe	124
PID 3668 wrote to memory of 2424	3668	cmd.exe	124
PID 4384 wrote to memory of 4008	4384	7zFM.exe	125
PID 4384 wrote to memory of 4008	4384	7zFM.exe	125
PID 4384 wrote to memory of 4008	4384	7zFM.exe	125
PID 4384 wrote to memory of 868	4384	7zFM.exe	130
PID 4384 wrote to memory of 868	4384	7zFM.exe	130
PID 4384 wrote to memory of 868	4384	7zFM.exe	130
PID 744 wrote to memory of 2488	744	loader.exe	137
PID 744 wrote to memory of 2488	744	loader.exe	137
PID 744 wrote to memory of 5092	744	loader.exe	139
PID 744 wrote to memory of 5092	744	loader.exe	139
PID 744 wrote to memory of 5092	744	loader.exe	139
PID 5092 wrote to memory of 1756	5092	cmd.exe	141
PID 5092 wrote to memory of 1756	5092	cmd.exe	141
PID 744 wrote to memory of 2424	744	loader.exe	142
PID 744 wrote to memory of 2424	744	loader.exe	142
PID 744 wrote to memory of 2424	744	loader.exe	142
PID 2424 wrote to memory of 440	2424	cmd.exe	144
PID 2424 wrote to memory of 440	2424	cmd.exe	144
PID 744 wrote to memory of 4452	744	loader.exe	145
PID 744 wrote to memory of 4452	744	loader.exe	145
PID 744 wrote to memory of 4452	744	loader.exe	145
PID 4452 wrote to memory of 4188	4452	cmd.exe	147
PID 4452 wrote to memory of 4188	4452	cmd.exe	147
PID 744 wrote to memory of 1736	744	loader.exe	148

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\NkPrivateSpoofer.zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zO021A4718\cleaner.bat" "
  2⤵
  - Drops file in Drivers directory
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "Steam.exe" /t /fi "status eq running"
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4468
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EpicGamesLauncher.exe /t /fi status eq running
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:4656
- - C:\Windows\system32\reg.exe
    REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing\HardwareID /f
    3⤵
    PID:3552
- - C:\Windows\system32\reg.exe
    REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing\Store /f
    3⤵
    PID:1060
- - C:\Windows\system32\reg.exe
    REG DELETE HKEY_CURRENT_USER\Software\WinRAR\ArcHistory /f
    3⤵
    PID:3036
- - C:\Windows\system32\reg.exe
    REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-1282084573-1681065996-3115981261-1001 /va /f
    3⤵
    PID:4276
- - C:\Windows\system32\reg.exe
    REG DELETEH KEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\ShowJumpView /f
    3⤵
    PID:1760
- - C:\Windows\system32\reg.exe
    REG DELETEH KEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f
    3⤵
    PID:3392
- - C:\Windows\system32\reg.exe
    REG DELETE HKEY_CURRENT_USER\Software\WinRAR\ArcHistory /f
    3⤵
    PID:4784
- - C:\Windows\system32\reg.exe
    REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched /f
    3⤵
    PID:4332
- - C:\Windows\system32\reg.exe
    REG DELETE HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f
    3⤵
    PID:3888
- - C:\Windows\system32\reg.exe
    REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\ShowJumpView /f
    3⤵
    PID:2604
- - C:\Windows\system32\reg.exe
    REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-332004695-2829936588-140372829-1002 /f
    3⤵
    PID:4016
- - C:\Windows\system32\reg.exe
    REG DELETE HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f
    3⤵
    PID:2420
- - C:\Windows\system32\reg.exe
    REG DELETE HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f
    3⤵
    PID:3900
- - C:\Windows\system32\reg.exe
    REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store /f
    3⤵
    PID:3360
- - C:\Windows\system32\reg.exe
    REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched /f
    3⤵
    PID:1756
- - C:\Windows\system32\reg.exe
    REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-1282084573-1681065996-3115981261-1001 /f
    3⤵
    PID:2824
- - C:\Windows\system32\reg.exe
    REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched /f
    3⤵
    PID:2424
- C:\Users\Admin\AppData\Local\Temp\7zO021B2D38\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO021B2D38\loader.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4008
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 1048
    3⤵
    - Program crash
    PID:4528
- C:\Users\Admin\AppData\Local\Temp\7zO02136CA8\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO02136CA8\loader.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 1052
    3⤵
    - Program crash
    PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4008 -ip 4008
1⤵
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 868 -ip 868
1⤵
PID:2788

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1696

C:\Users\Admin\Documents\NkPrivateSpoofer\NkPrivateSpoofer\loader.exe
"C:\Users\Admin\Documents\NkPrivateSpoofer\NkPrivateSpoofer\loader.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744
- C:\Windows\hn0zvhvc.fnn\kdmapper.exe
  "C:\Windows\hn0zvhvc.fnn\kdmapper.exe" C:\Windows\hn0zvhvc.fnn\randomisershit.sys
  2⤵
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  PID:2488
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /SU auto
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5092
- - C:\Windows\hn0zvhvc.fnn\zhjers.exe
    C:\Windows\hn0zvhvc.fnn\zhjers.exe /SU auto
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1756
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /SS "To Be Filled By O.E.M."
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Windows\hn0zvhvc.fnn\zhjers.exe
    C:\Windows\hn0zvhvc.fnn\zhjers.exe /SS "To Be Filled By O.E.M."
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:440
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /SV "1.0"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4452
- - C:\Windows\hn0zvhvc.fnn\zhjers.exe
    C:\Windows\hn0zvhvc.fnn\zhjers.exe /SV "1.0"
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4188
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /CSK "To Be Filled By O.E.M."
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1736
- - C:\Windows\hn0zvhvc.fnn\zhjers.exe
    C:\Windows\hn0zvhvc.fnn\zhjers.exe /CSK "To Be Filled By O.E.M."
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4872
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /CM "To Be Filled By O.E.M."
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2672
- - C:\Windows\hn0zvhvc.fnn\zhjers.exe
    C:\Windows\hn0zvhvc.fnn\zhjers.exe /CM "To Be Filled By O.E.M."
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2204
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /SP "MS-7D22"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4232
- - C:\Windows\hn0zvhvc.fnn\zhjers.exe
    C:\Windows\hn0zvhvc.fnn\zhjers.exe /SP "MS-7D22"
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2744
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /SM "Micro-Star International Co., Ltd."
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3768
- - C:\Windows\hn0zvhvc.fnn\zhjers.exe
    C:\Windows\hn0zvhvc.fnn\zhjers.exe /SM "Micro-Star International Co., Ltd."
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1824
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /SK "To Be Filled By O.E.M."
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3424
- - C:\Windows\hn0zvhvc.fnn\zhjers.exe
    C:\Windows\hn0zvhvc.fnn\zhjers.exe /SK "To Be Filled By O.E.M."
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /SF "To Be Filled By O.E.M."
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3792
- - C:\Windows\hn0zvhvc.fnn\zhjers.exe
    C:\Windows\hn0zvhvc.fnn\zhjers.exe /SF "To Be Filled By O.E.M."
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1528
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /BM "Micro-Star International Co., Ltd."
  2⤵
  - System Location Discovery: System Language Discovery
  PID:552
- - C:\Windows\hn0zvhvc.fnn\zhjers.exe
    C:\Windows\hn0zvhvc.fnn\zhjers.exe /BM "Micro-Star International Co., Ltd."
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2448
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /BP "H510M-A PRO (MS-7D22)"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1832
- - C:\Windows\hn0zvhvc.fnn\zhjers.exe
    C:\Windows\hn0zvhvc.fnn\zhjers.exe /BP "H510M-A PRO (MS-7D22)"
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1880
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /BV "1.0"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4752
- - C:\Windows\hn0zvhvc.fnn\zhjers.exe
    C:\Windows\hn0zvhvc.fnn\zhjers.exe /BV "1.0"
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1424
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /BT "To Be Filled By O.E.M."
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1688
- - C:\Windows\hn0zvhvc.fnn\zhjers.exe
    C:\Windows\hn0zvhvc.fnn\zhjers.exe /BT "To Be Filled By O.E.M."
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4860
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /BLC "To Be Filled By O.E.M."
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2664
- - C:\Windows\hn0zvhvc.fnn\zhjers.exe
    C:\Windows\hn0zvhvc.fnn\zhjers.exe /BLC "To Be Filled By O.E.M."
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4324
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /PSN "To Be Filled By O.E.M."
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4432
- - C:\Windows\hn0zvhvc.fnn\zhjers.exe
    C:\Windows\hn0zvhvc.fnn\zhjers.exe /PSN "To Be Filled By O.E.M."
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:624
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /PAT "To Be Filled By O.E.M."
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3764
- - C:\Windows\hn0zvhvc.fnn\zhjers.exe
    C:\Windows\hn0zvhvc.fnn\zhjers.exe /PAT "To Be Filled By O.E.M."
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3244
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /PPN "To Be Filled By O.E.M."
  2⤵
  - System Location Discovery: System Language Discovery
  PID:64
- - C:\Windows\hn0zvhvc.fnn\zhjers.exe
    C:\Windows\hn0zvhvc.fnn\zhjers.exe /PPN "To Be Filled By O.E.M."
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4244
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /CSK "To Be Filled By O.E.M."
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4328
- - C:\Windows\hn0zvhvc.fnn\zhjers.exe
    C:\Windows\hn0zvhvc.fnn\zhjers.exe /CSK "To Be Filled By O.E.M."
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:432
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /CS "To Be Filled By O.E.M."
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3716
- - C:\Windows\hn0zvhvc.fnn\zhjers.exe
    C:\Windows\hn0zvhvc.fnn\zhjers.exe /CS "To Be Filled By O.E.M."
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:180
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /CV "1.0"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1112
- - C:\Windows\hn0zvhvc.fnn\zhjers.exe
    C:\Windows\hn0zvhvc.fnn\zhjers.exe /CV "1.0"
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2772
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /CM "Micro-Star International Co., Ltd."
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1268
- - C:\Windows\hn0zvhvc.fnn\zhjers.exe
    C:\Windows\hn0zvhvc.fnn\zhjers.exe /CM "Micro-Star International Co., Ltd."
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2944
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /CA "To Be Filled By O.E.M."
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4760
- - C:\Windows\hn0zvhvc.fnn\zhjers.exe
    C:\Windows\hn0zvhvc.fnn\zhjers.exe /CA "To Be Filled By O.E.M."
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3364
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /CO "0000 0000h"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5088
- - C:\Windows\hn0zvhvc.fnn\zhjers.exe
    C:\Windows\hn0zvhvc.fnn\zhjers.exe /CO "0000 0000h"
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3748
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /CT "03h"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1052
- - C:\Windows\hn0zvhvc.fnn\zhjers.exe
    C:\Windows\hn0zvhvc.fnn\zhjers.exe /CT "03h"
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3556
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /IV "3.80"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4968
- - C:\Windows\hn0zvhvc.fnn\zhjers.exe
    C:\Windows\hn0zvhvc.fnn\zhjers.exe /IV "3.80"
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1484
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /IVN "American Megatrends International, LLC."
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4332
- - C:\Windows\hn0zvhvc.fnn\zhjers.exe
    C:\Windows\hn0zvhvc.fnn\zhjers.exe /IVN "American Megatrends International, LLC."
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1636
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /BS "%random%%random%%random%%random%%random%"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2320
- - C:\Windows\hn0zvhvc.fnn\zhjers.exe
    C:\Windows\hn0zvhvc.fnn\zhjers.exe /BS "10559190572717492916524"
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\hn0zvhvc.fnn\cleaner.bat" "
  2⤵
  - Drops file in Drivers directory
  - System Location Discovery: System Language Discovery
  PID:4844
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "Steam.exe" /t /fi "status eq running"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:4404
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im EpicGamesLauncher.exe /t /fi status eq running
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:1492
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing\HardwareID /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3376
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing\Store /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4336
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_CURRENT_USER\Software\WinRAR\ArcHistory /f
    3⤵
    PID:5060
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-1282084573-1681065996-3115981261-1001 /va /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3396
- - C:\Windows\SysWOW64\reg.exe
    REG DELETEH KEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\ShowJumpView /f
    3⤵
    PID:324
- - C:\Windows\SysWOW64\reg.exe
    REG DELETEH KEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5016
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_CURRENT_USER\Software\WinRAR\ArcHistory /f
    3⤵
    PID:516
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3504
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3840
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\ShowJumpView /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3772
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-332004695-2829936588-140372829-1002 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3268
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1548
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:692
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2884
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1520
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-1282084573-1681065996-3115981261-1001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4420
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3792
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKCU\Software\Electronic Arts\EA Core\Staging\194908\ergc" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3168
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKCU\Software\Electronic Arts" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2448
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Respawn\Apex\Product GUID" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3056
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Classes\origin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1452
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Classes\origin2" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4948
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKCR\origin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1832
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKCR\origin2" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1588
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKCR\Applications\Origin.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:880
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Classes\Applications\Origin.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3016
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.Origin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4752
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\Origin Client Service" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3956
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\Origin Web Helper Service" /f
    3⤵
    PID:4512
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\Origin Client Service" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2760
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\Origin Web Helper Service" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5000
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\Origin.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2224
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKCR\Applications\Origin.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4808
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Classes\Applications\Origin.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4324
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.Origin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2636
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93" /f
    3⤵
    PID:4900
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181" /f
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181\93" /f
    3⤵
    PID:3152
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App" /f
    3⤵
    PID:4432
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App\93" /f
    3⤵
    PID:3420
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac" /f
    3⤵
    PID:4820
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad" /f
    3⤵
    PID:3640
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93" /f
    3⤵
    PID:2792
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93\ac" /f
    3⤵
    PID:4036
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93" /f
    3⤵
    PID:3488
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93\ad" /f
    3⤵
    PID:4416
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180" /f
    3⤵
    PID:5076
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181" /f
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182" /f
    3⤵
    PID:4328
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\180" /f
    3⤵
    PID:4500
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f
    3⤵
    PID:2876
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f
    3⤵
    PID:4504
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f
    3⤵
    PID:180
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f
    3⤵
    PID:4972
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f
    3⤵
    PID:2936
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f
    3⤵
    PID:2060
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f
    3⤵
    PID:752
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f
    3⤵
    PID:4812
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f
    3⤵
    PID:4544
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f
    3⤵
    PID:4936
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f
    3⤵
    PID:1092
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f
    3⤵
    PID:3092
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f
    3⤵
    PID:1860
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f
    3⤵
    PID:1252
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f
    3⤵
    PID:3748
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
    3⤵
    PID:4356
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
    3⤵
    PID:764
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security" /f
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
    3⤵
    PID:4776
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security" /f
    3⤵
    PID:440
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKCU\Software\Classes\Installer\Dependencies" /v MSICache /f
    3⤵
    PID:760
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKCU\Software\Microsoft\Direct3D" /v WHQLClass /f
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f
    3⤵
    PID:1888
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93" /f
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181" /f
    3⤵
    PID:4336
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181\93" /f
    3⤵
    PID:2352
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App" /f
    3⤵
    PID:4232
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App\93" /f
    3⤵
    PID:3632
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac" /f
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad" /f
    3⤵
    PID:3468
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93" /f
    3⤵
    PID:3504
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93\ac" /f
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93" /f
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93\ad" /f
    3⤵
    PID:4172
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180" /f
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181" /f
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182" /f
    3⤵
    PID:3424
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\180" /f
    3⤵
    PID:3428
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\181" /f
    3⤵
    PID:2884
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\182" /f
    3⤵
    PID:4368
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80" /f
    3⤵
    PID:2500
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81" /f
    3⤵
    PID:2404
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f
    3⤵
    PID:3288
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f
    3⤵
    PID:4496
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f
    3⤵
    PID:4124
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f
    3⤵
    PID:4672
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f
    3⤵
    PID:3168
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f
    3⤵
    PID:1044
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f
    3⤵
    PID:3996
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f
    3⤵
    PID:396
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f
    3⤵
    PID:4012
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f
    3⤵
    PID:2076
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f
    3⤵
    PID:3176
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f
    3⤵
    PID:868
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f
    3⤵
    PID:4752
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f
    3⤵
    PID:1856
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\kz2LMQg4+pNfXggv65DcWFQ9SiekWR4B4WMWT+pcqbU: 0x00000002" /f
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\4JSyFFDDKUMXDyK2USgAjbiksFnqOb3f8RPZBPSpEfU: 0x00000002" /f
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\62bDlCzxB/xxIWLkQdDRYcAqhmZhNOMUtjhRkAgTvkQ: 0x00000002" /f
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Package: 0x00000181" /f
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Index: 0x00000000" /f
    3⤵
    PID:4620
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Flags: 0x00000000" /f
    3⤵
    PID:4520
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\PackageRelativeApplicationId: "App"" /f
    3⤵
    PID:4808
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f
    3⤵
    PID:3464
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Executable: "GameBar.exe"" /f
    3⤵
    PID:2052
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Entrypoint: "GameBar.App"" /f
    3⤵
    PID:4072
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\StartPage: (NULL!)" /f
    3⤵
    PID:4824
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\_IndexKeys: 50 61 63 6B 61 67 65 5C 31 38 31 5C 39 33 00 50 61 63 6B 61 67 65 41 6E 64 50 61 63 6B 61 67 65 52 65 6C 61 74 69 76 65 41 70 70 6C 69 63 61 74 69 6F 6E 49 64 5C 31 38 31 5E 41 70 70 00 00" /f
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\Application: 0x00000093" /f
    3⤵
    PID:4352
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\User: 0x00000003" /f
    3⤵
    PID:4736
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f
    3⤵
    PID:4560
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\_IndexKeys: 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 5C 33 5E 39 33 00 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 55 73 65 72 4D 6F 64 65 6C 49 64 5C 33 5E 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 21 41 70 70 00 00" /f
    3⤵
    PID:3420
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\Application: 0x00000093" /f
    3⤵
    PID:832
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\User: 0x00000004" /f
    3⤵
    PID:3244
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\_IndexKeys: 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 5C 34 5E 39 33 00 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 55 73 65 72 4D 6F 64 65 6C 49 64 5C 34 5E 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 21 41 70 70 00 00" /f
    3⤵
    PID:2792
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe"" /f
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageFamily: 0x0000004E" /f
    3⤵
    PID:4436
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageType: 0x00000008" /f
    3⤵
    PID:380
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\Flags: 0x00000000" /f
    3⤵
    PID:4416
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageOrigin: 0x00000003" /f
    3⤵
    PID:1248
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\Volume: 0x00000001" /f
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe"" /f
    3⤵
    PID:432
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\_IndexKeys: 50 61 63 6B 61 67 65 46 61 6D 69 6C 79 5C 34 65 5C 31 38 30 00 50 61 63 6B 61 67 65 46 75 6C 6C 4E 61 6D 65 5C 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 31 2E 34 31 2E 32 34 30 30 31 2E 30 5F 6E 65 75 74 72 61 6C 5F 7E 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 00 00" /f
    3⤵
    PID:4328
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe"" /f
    3⤵
    PID:4424
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageFamily: 0x0000004E" /f
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageType: 0x00000001" /f
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\Flags: 0x00000000" /f
    3⤵
    PID:4504
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageOrigin: 0x00000003" /f
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\Volume: 0x00000001" /f
    3⤵
    PID:3972
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe"" /f
    3⤵
    PID:2892
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\_IndexKeys: 50 61 63 6B 61 67 65 46 61 6D 69 6C 79 5C 34 65 5C 31 38 31 00 50 61 63 6B 61 67 65 46 75 6C 6C 4E 61 6D 65 5C 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 31 2E 34 31 2E 32 34 30 30 31 2E 30 5F 78 36 34 5F 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 00 00" /f
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe"" /f
    3⤵
    PID:2060
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageFamily: 0x0000004E" /f
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageType: 0x00000004" /f
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\Flags: 0x00000000" /f
    3⤵
    PID:4292
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageOrigin: 0x00000003" /f
    3⤵
    PID:4544
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\Volume: 0x00000001" /f
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe"" /f
    3⤵
    PID:3884
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\_IndexKeys: 50 61 63 6B 61 67 65 46 61 6D 69 6C 79 5C 34 65 5C 31 38 32 00 50 61 63 6B 61 67 65 46 75 6C 6C 4E 61 6D 65 5C 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 31 2E 34 31 2E 32 34 30 30 31 2E 30 5F 6E 65 75 74 72 61 6C 5F 73 70 6C 69 74 2E 73 63 61 6C 65 2D 31 30 30 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 00 00" /f
    3⤵
    PID:3380
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80\Package: 0x00000180" /f
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80\User: 0x00000003" /f
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80\_IndexKeys: 55 73 65 72 5C 33 5C 31 61 38 30 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 33 5E 31 38 30 00 00" /f
    3⤵
    PID:1536
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81\Package: 0x00000181" /f
    3⤵
    PID:4760
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81\User: 0x00000003" /f
    3⤵
    PID:4092
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81\_IndexKeys: 55 73 65 72 5C 33 5C 31 61 38 31 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 33 5E 31 38 31 00 00" /f
    3⤵
    PID:1860
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82\Package: 0x00000182" /f
    3⤵
    PID:4256
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82\User: 0x00000003" /f
    3⤵
    PID:3544
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82\_IndexKeys: 55 73 65 72 5C 33 5C 31 61 38 32 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 33 5E 31 38 32 00 00" /f
    3⤵
    PID:1328
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83\Package: 0x00000180" /f
    3⤵
    PID:4608
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83\User: 0x00000004" /f
    3⤵
    PID:4280
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83\_IndexKeys: 55 73 65 72 5C 34 5C 31 61 38 33 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 34 5E 31 38 30 00 00" /f
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84\Package: 0x00000181" /f
    3⤵
    PID:764
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84\User: 0x00000004" /f
    3⤵
    PID:3304
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84\_IndexKeys: 55 73 65 72 5C 34 5C 31 61 38 34 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 34 5E 31 38 31 00 00" /f
    3⤵
    PID:3060
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VolatileNotifications\41C64E6DA3D39855: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 02 00 1C 00 01 00 00 00 00 00 14 00 03 00 00 00 01 01 00 00 00 00 00 05 0B 00 00 00 04 00 00 00" /f
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VolatileNotifications\41C64E6DA3CF4055: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 02 00 1C 00 01 00 00 00 00 00 14 00 03 00 00 00 01 01 00 00 00 00 00 05 0B 00 00 00 04 00 00 00" /f
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
    3⤵
    PID:1380
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862software: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f
    3⤵
    PID:1676
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_sid: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 2E 64 61 74 00 00" /f
    3⤵
    PID:4344
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_classes: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 43 6C 61 73 73 65 73 2E 64 61 74 00 00" /f
    3⤵
    PID:3024
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Siloe6b4a779-bfe1-62d8-47ac-fa19e9becbbecom: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 5F 43 4F 4D 31 35 2E 64 61 74 00 00" /f
    3⤵
    PID:5012
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862com: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\bam\State\UserType: 0x00000010" /f
    3⤵
    PID:3968
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
    3⤵
    PID:3280
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f
    3⤵
    PID:4016
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862software: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f
    3⤵
    PID:4008
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_sid: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 2E 64 61 74 00 00" /f
    3⤵
    PID:5060
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_classes: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 43 6C 61 73 73 65 73 2E 64 61 74 00 00" /f
    3⤵
    PID:324
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Siloe6b4a779-bfe1-62d8-47ac-fa19e9becbbecom: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 5F 43 4F 4D 31 35 2E 64 61 74 00 00" /f
    3⤵
    PID:2184
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862com: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
    3⤵
    PID:1824
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80" /f
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81" /f
    3⤵
    PID:3840
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f
    3⤵
    PID:3772
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f
    3⤵
    PID:4864
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f
    3⤵
    PID:812
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f
    3⤵
    PID:692
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f
    3⤵
    PID:5068
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f
    3⤵
    PID:2500
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f
    3⤵
    PID:2404
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f
    3⤵
    PID:4528
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f
    3⤵
    PID:3096
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f
    3⤵
    PID:3484
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f
    3⤵
    PID:552
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Type: 0x00000010" /f
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Start: 0x00000003" /f
    3⤵
    PID:2536
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f
    3⤵
    PID:4604
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\WOW64: 0x0000014C" /f
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ObjectName: "LocalSystem"" /f
    3⤵
    PID:4752
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher" /f
    3⤵
    PID:4512
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
    3⤵
    PID:2212
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
    3⤵
    PID:5000
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher" /f
    3⤵
    PID:4808
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
    3⤵
    PID:3628
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
    3⤵
    PID:548
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
    3⤵
    PID:4900
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\0" /f
    3⤵
    PID:4836
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000205B6" /f
    3⤵
    PID:1164
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000403D6" /f
    3⤵
    PID:3684
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000405DE" /f
    3⤵
    PID:4432
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000060286" /f
    3⤵
    PID:4560
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000009042E" /f
    3⤵
    PID:3420
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A03B4" /f
    3⤵
    PID:832
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A0430" /f
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000B0532" /f
    3⤵
    PID:3476
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000B05D6" /f
    3⤵
    PID:4244
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000C0430" /f
    3⤵
    PID:3488
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000C0586" /f
    3⤵
    PID:380
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E03D2" /f
    3⤵
    PID:4416
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E0406" /f
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000100430" /f
    3⤵
    PID:3912
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001103EE" /f
    3⤵
    PID:412
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000011041E" /f
    3⤵
    PID:4960
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000012047E" /f
    3⤵
    PID:2876
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001303EE" /f
    3⤵
    PID:3788
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001304F2" /f
    3⤵
    PID:4504
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000014041E" /f
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001703E6" /f
    3⤵
    PID:3972
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000170440" /f
    3⤵
    PID:2892
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001704FC" /f
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU" /f
    3⤵
    PID:2060
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri" /f
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher" /f
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
    3⤵
    PID:4292
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
    3⤵
    PID:4544
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher" /f
    3⤵
    PID:3884
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
    3⤵
    PID:3380
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
    3⤵
    PID:4788
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
    3⤵
    PID:1192
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f
    3⤵
    PID:1536
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:4760
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:4092
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
    3⤵
    PID:1860
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
    3⤵
    PID:3864
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f
    3⤵
    PID:4876
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:4180
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:4356
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
    3⤵
    PID:1328
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
    3⤵
    PID:4276
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
    3⤵
    PID:3132
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
    3⤵
    PID:1068
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
    3⤵
    PID:768
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:8
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
    3⤵
    PID:4344
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
    3⤵
    PID:3968
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
    3⤵
    PID:3352
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
    3⤵
    PID:1460
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
    3⤵
    PID:3500
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
    3⤵
    PID:4232
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
    3⤵
    PID:2184
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
    3⤵
    PID:1824
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f
    3⤵
    PID:3840
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f
    3⤵
    PID:1176
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f
    3⤵
    PID:3276
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f
    3⤵
    PID:3376
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
    3⤵
    PID:464
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f
    3⤵
    PID:3904
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
    3⤵
    PID:3792
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:2404
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine" /f
    3⤵
    PID:4528
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
    3⤵
    PID:3096
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
    3⤵
    PID:3484
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f
    3⤵
    PID:3900
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f
    3⤵
    PID:552
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
    3⤵
    PID:2536
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
    3⤵
    PID:396
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f
    3⤵
    PID:2240
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
    3⤵
    PID:868
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f
    3⤵
    PID:4804
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe" /f
    3⤵
    PID:3956
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe" /f
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App" /f
    3⤵
    PID:2136
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App\windows.protocol" /f
    3⤵
    PID:1276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\hn0zvhvc.fnn\mac.bat" "
  2⤵
  PID:116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
    3⤵
    PID:1484
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic nic where physicaladapter=true get deviceid
      4⤵
      PID:4016
  - - C:\Windows\SysWOW64\findstr.exe
      findstr [0-9]
      4⤵
      PID:2420
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
    3⤵
    PID:3480
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
    3⤵
    PID:4136
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
    3⤵
    PID:1776
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d 6A88007B7E5B /f
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
    3⤵
    PID:4124
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic nic where physicaladapter=true get deviceid
      4⤵
      PID:2448
  - - C:\Windows\SysWOW64\findstr.exe
      findstr [0-9]
      4⤵
      PID:3056
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
    3⤵
    PID:3016
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
    3⤵
    PID:1856
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
    3⤵
    PID:4316
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f
    3⤵
    PID:1064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"
    3⤵
    PID:2248
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv
      4⤵
      PID:1492
- - C:\Windows\SysWOW64\netsh.exe
    netsh interface set interface name="Ethernet" disable
    3⤵
    PID:2352
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\System32\ipconfig.exe" /flushdns
  2⤵
  - Gathers network information
  PID:3132
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" int ip reset
  2⤵
  PID:4332
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  PID:2664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO021A4718\cleaner.bat

Filesize
371KB

MD5
d4a755cf4816c251a2c08548301ab6d1

SHA1
33c2b40ae11177fb116b361bffbc73690b668d73

SHA256
c1a955fd9a937afba415bc45f5b174254f708ac018321674c4967fd2d8afba4b

SHA512
860a3576184395d21df293c083c683807c584670149ce03570634494725dcaf914c8d7db24812c7aa6b29dfc04fb92b456676319c070a74a3d453c7014cf7828

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO021B2D38\loader.exe

Filesize
5.1MB

MD5
2feca6c6065a51f8ce0fba51010c8e72

SHA1
533ecd7078632a162e7bf6444797a9495927e2da

SHA256
2508b00db8479ba856be5c395e2ae74d435e455202116cc1c3db69e771b416be

SHA512
cf8e34c2152219bb0b2a3dd5a71413db98418ab11f39d61bc859854166467289af02a95930bd29d01acd864dde03679d7f3ea05a7b0ad544a6c42bb4356cdeb3

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
31a11aca174c90d6e017804c19cf7b29

SHA1
1166ed613190b3e3db8a59c17f1bf878ae7c8813

SHA256
86a0e37ef983523be551517dd53cee1b26aee988fb61badcbe2f2d41832eab8a

SHA512
3df7cbdd34a2e92d36f3beea9ae11f44a5fba794e0175f9c60e3671ce9c133d793a67eaad8d1d7ef5fa8c73114c81600a64d5a7022befd1c13a72cb6905c1e55

Download Submit
C:\Windows\hn0zvhvc.fnn\amifldrv64.sys

Filesize
29KB

MD5
f22740ba54a400fd2be7690bb204aa08

SHA1
5812387783d61c6ab5702213bb968590a18065e3

SHA256
65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9

SHA512
ac1f89736cf348f634b526569b5783118a1a35324f9ce2f2804001e5a04751f8cc21d09bfa1c4803cd14a64152beba868f5ecf119f10fa3ccbe680d2fb481500

Download Submit
C:\Windows\hn0zvhvc.fnn\kdmapper.exe

Filesize
140KB

MD5
33aa4f7f157634401b381a3328b11a8c

SHA1
50a65099f0f3bfee942d60d89c649ecd5724a48c

SHA256
180ab01cac38b5e44c4465b1a76a4c858f127f41a694a8ace8372a802fbae311

SHA512
700cbcba0e83afa6a51427036569051b938d13b811bf2841892137e1006c6c495d15b474b6838dd77575907651e7ba459a88f817bc9f05f96faea407b9a69a54

Download Submit
C:\Windows\hn0zvhvc.fnn\mac.bat

Filesize
2KB

MD5
86630f471a1c7f40e8494347f9ab8249

SHA1
10a2139adfb884f01799de89bf9b9ccb2a8bb460

SHA256
c15faade0e71acd4abcb60a7e9f3f002a46d3d47bd294f7b12d811c871d1292c

SHA512
666fe7866c2bedc78aad081bddf7e4dc8a9038b173527dc9464dd9c0776314a8c3e1ec7f4d0f34aff0d946b94ed1178a5c665d79173d1bfe0a0a611f6af65369

Download Submit
C:\Windows\hn0zvhvc.fnn\zhjers.exe

Filesize
451KB

MD5
f17ecf761e70feb98c7f628857eedfe7

SHA1
b2c1263c641bdaee8266a05a0afbb455e29e240d

SHA256
311f5c844746d4270b5b971ccef8d74ddedca873eb45f34a1a55f1ea4a3bafcf

SHA512
e5a5f56a85ee0a372990914314b750d5f970b5f91e9084621d63378a3a16a6e64904786883cd026d8aa313606c32667d2a83703f8a22fa800230a6467684d084

Download Submit
memory/744-36-0x00000000063E0000-0x00000000065D6000-memory.dmp

Filesize
2.0MB

Download
memory/4008-20-0x0000000000340000-0x000000000085E000-memory.dmp

Filesize
5.1MB

Download
memory/4008-21-0x0000000005800000-0x0000000005DA4000-memory.dmp

Filesize
5.6MB

Download
memory/4008-22-0x0000000005250000-0x00000000052E2000-memory.dmp

Filesize
584KB

Download
memory/4008-23-0x00000000052F0000-0x00000000052FA000-memory.dmp

Filesize
40KB

Download