Malware Analysis Report

2025-01-02 14:57

Sample ID 241125-a4xbxavkcq
Target NkPrivateSpoofer.zip
SHA256 a563e7ac52ec2d7d734d61662bcc054860e39572db91d4482b237f6472d85f3d
Tags: cerber, discovery, persistence, ransomware
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

a563e7ac52ec2d7d734d61662bcc054860e39572db91d4482b237f6472d85f3d

Threat Level: Known bad

The file NkPrivateSpoofer.zip was found to be: Known bad.

Malicious Activity Summary

Tags: cerber, discovery, persistence, ransomware

Cerber

Cerber family

Drops file in Drivers directory

Sets service image path in registry

Executes dropped EXE

Drops file in Windows directory

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Gathers network information

Suspicious behavior: LoadsDriver

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-25 00:46

Signatures

Unsigned PE

Description Indicator Process Target

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-25 00:46

Reported

2024-11-25 00:53

Platform

win10v2004-20241007-en

Max time kernel

179s

Max time network

163s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\NkPrivateSpoofer.zip"

Signatures

Cerber

Tags: ransomware, cerber
Description Indicator Process Target
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Windows\hn0zvhvc.fnn\zhjers.exe N/A (27 occurrences)
N/A N/A C:\Windows\system32\taskkill.exe N/A (2 occurrences)

Cerber family

Tags: cerber

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\SysWOW64\cmd.exe N/A

Sets service image path in registry

Tags: persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\hVQlBSUuZx\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\hVQlBSUuZx" C:\Windows\hn0zvhvc.fnn\kdmapper.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO021B2D38\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO02136CA8\loader.exe N/A
N/A N/A C:\Windows\hn0zvhvc.fnn\kdmapper.exe N/A
N/A N/A C:\Windows\hn0zvhvc.fnn\zhjers.exe N/A (27 occurrences)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\hn0zvhvc.fnn\mac.bat C:\Users\Admin\Documents\NkPrivateSpoofer\NkPrivateSpoofer\loader.exe N/A
File created C:\Windows\hn0zvhvc.fnn\kdmapper.exe C:\Users\Admin\Documents\NkPrivateSpoofer\NkPrivateSpoofer\loader.exe N/A
File created C:\Windows\hn0zvhvc.fnn\Volumeid.exe C:\Users\Admin\Documents\NkPrivateSpoofer\NkPrivateSpoofer\loader.exe N/A
File created C:\Windows\hn0zvhvc.fnn\zhjers.exe C:\Users\Admin\Documents\NkPrivateSpoofer\NkPrivateSpoofer\loader.exe N/A
File created C:\Windows\hn0zvhvc.fnn\AMIFLDRV64.SYS C:\Users\Admin\Documents\NkPrivateSpoofer\NkPrivateSpoofer\loader.exe N/A
File created C:\Windows\hn0zvhvc.fnn\dvlwwwdrv64.sys C:\Users\Admin\Documents\NkPrivateSpoofer\NkPrivateSpoofer\loader.exe N/A
File created C:\Windows\hn0zvhvc.fnn\randomisershit.sys C:\Users\Admin\Documents\NkPrivateSpoofer\NkPrivateSpoofer\loader.exe N/A
File opened for modification C:\Windows\hn0zvhvc.fnn C:\Users\Admin\Documents\NkPrivateSpoofer\NkPrivateSpoofer\loader.exe N/A
File opened for modification C:\Windows\hn0zvhvc.fnn\mac.bat C:\Users\Admin\Documents\NkPrivateSpoofer\NkPrivateSpoofer\loader.exe N/A
File created C:\Windows\hn0zvhvc.fnn\cleaner.bat C:\Users\Admin\Documents\NkPrivateSpoofer\NkPrivateSpoofer\loader.exe N/A

System Location Discovery: System Language Discovery

Tags: discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zO02136CA8\loader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A (28 occurrences)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A (31 occurrences)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zO021B2D38\loader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A (2 occurrences)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\NkPrivateSpoofer\NkPrivateSpoofer\loader.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\Documents\NkPrivateSpoofer\NkPrivateSpoofer\loader.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\Documents\NkPrivateSpoofer\NkPrivateSpoofer\loader.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\Documents\NkPrivateSpoofer\NkPrivateSpoofer\loader.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Kills process with taskkill

Tags: evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A (2 occurrences)
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A (2 occurrences)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A (6 occurrences)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\hn0zvhvc.fnn\kdmapper.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A (3 occurrences)
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Documents\NkPrivateSpoofer\NkPrivateSpoofer\loader.exe N/A
Token: 33 N/A C:\Users\Admin\Documents\NkPrivateSpoofer\NkPrivateSpoofer\loader.exe N/A (29 occurrences)
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Documents\NkPrivateSpoofer\NkPrivateSpoofer\loader.exe N/A (28 occurrences)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A (4 occurrences)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4384 wrote to memory of 3668 N/A C:\Program Files\7-Zip\7zFM.exe C:\Windows\system32\cmd.exe (2 occurrences)
PID 3668 wrote to memory of 4468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe (2 occurrences)
PID 3668 wrote to memory of 4656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe (2 occurrences)
PID 3668 wrote to memory of 3552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe (2 occurrences)
PID 3668 wrote to memory of 1060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe (2 occurrences)
PID 3668 wrote to memory of 3036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe (2 occurrences)
PID 3668 wrote to memory of 4276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe (2 occurrences)
PID 3668 wrote to memory of 1760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe (2 occurrences)
PID 3668 wrote to memory of 3392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe (2 occurrences)
PID 3668 wrote to memory of 4784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe (2 occurrences)
PID 3668 wrote to memory of 4332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe (2 occurrences)
PID 3668 wrote to memory of 3888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe (2 occurrences)
PID 3668 wrote to memory of 2604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe (2 occurrences)
PID 3668 wrote to memory of 4016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe (2 occurrences)
PID 3668 wrote to memory of 2420 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe (2 occurrences)
PID 3668 wrote to memory of 3900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe (2 occurrences)
PID 3668 wrote to memory of 3360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe (2 occurrences)
PID 3668 wrote to memory of 1756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe (2 occurrences)
PID 3668 wrote to memory of 2824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe (2 occurrences)
PID 3668 wrote to memory of 2424 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe (2 occurrences)
PID 4384 wrote to memory of 4008 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO021B2D38\loader.exe (3 occurrences)
PID 4384 wrote to memory of 868 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO02136CA8\loader.exe (3 occurrences)
PID 744 wrote to memory of 2488 N/A C:\Users\Admin\Documents\NkPrivateSpoofer\NkPrivateSpoofer\loader.exe C:\Windows\hn0zvhvc.fnn\kdmapper.exe (2 occurrences)
PID 744 wrote to memory of 5092 N/A C:\Users\Admin\Documents\NkPrivateSpoofer\NkPrivateSpoofer\loader.exe C:\Windows\SysWOW64\cmd.exe (3 occurrences)
PID 5092 wrote to memory of 1756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\hn0zvhvc.fnn\zhjers.exe (2 occurrences)
PID 744 wrote to memory of 2424 N/A C:\Users\Admin\Documents\NkPrivateSpoofer\NkPrivateSpoofer\loader.exe C:\Windows\SysWOW64\cmd.exe (3 occurrences)
PID 2424 wrote to memory of 440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\hn0zvhvc.fnn\zhjers.exe (2 occurrences)
PID 744 wrote to memory of 4452 N/A C:\Users\Admin\Documents\NkPrivateSpoofer\NkPrivateSpoofer\loader.exe C:\Windows\SysWOW64\cmd.exe (3 occurrences)
PID 4452 wrote to memory of 4188 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\hn0zvhvc.fnn\zhjers.exe (2 occurrences)
PID 744 wrote to memory of 1736 N/A C:\Users\Admin\Documents\NkPrivateSpoofer\NkPrivateSpoofer\loader.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\NkPrivateSpoofer.zip"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zO021A4718\cleaner.bat" "

C:\Windows\system32\taskkill.exe

taskkill /f /im "Steam.exe" /t /fi "status eq running"

C:\Windows\system32\taskkill.exe

taskkill /f /im EpicGamesLauncher.exe /t /fi status eq running

C:\Windows\system32\reg.exe

REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing\HardwareID /f

C:\Windows\system32\reg.exe

REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing\Store /f

C:\Windows\system32\reg.exe

REG DELETE HKEY_CURRENT_USER\Software\WinRAR\ArcHistory /f

C:\Windows\system32\reg.exe

REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-1282084573-1681065996-3115981261-1001 /va /f

C:\Windows\system32\reg.exe

REG DELETEH KEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\ShowJumpView /f

C:\Windows\system32\reg.exe

REG DELETEH KEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f

C:\Windows\system32\reg.exe

REG DELETE HKEY_CURRENT_USER\Software\WinRAR\ArcHistory /f

C:\Windows\system32\reg.exe

REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched /f

C:\Windows\system32\reg.exe

REG DELETE HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f

C:\Windows\system32\reg.exe

REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\ShowJumpView /f

C:\Windows\system32\reg.exe

REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-332004695-2829936588-140372829-1002 /f

C:\Windows\system32\reg.exe

REG DELETE HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f

C:\Windows\system32\reg.exe

REG DELETE HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f

C:\Windows\system32\reg.exe

REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store /f

C:\Windows\system32\reg.exe

REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched /f

C:\Windows\system32\reg.exe

REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-1282084573-1681065996-3115981261-1001 /f

C:\Windows\system32\reg.exe

REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched /f

C:\Users\Admin\AppData\Local\Temp\7zO021B2D38\loader.exe

"C:\Users\Admin\AppData\Local\Temp\7zO021B2D38\loader.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4008 -ip 4008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 1048

C:\Users\Admin\AppData\Local\Temp\7zO02136CA8\loader.exe

"C:\Users\Admin\AppData\Local\Temp\7zO02136CA8\loader.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 868 -ip 868

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 1052

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Documents\NkPrivateSpoofer\NkPrivateSpoofer\loader.exe

"C:\Users\Admin\Documents\NkPrivateSpoofer\NkPrivateSpoofer\loader.exe"

C:\Windows\hn0zvhvc.fnn\kdmapper.exe

"C:\Windows\hn0zvhvc.fnn\kdmapper.exe" C:\Windows\hn0zvhvc.fnn\randomisershit.sys

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /SU auto

C:\Windows\hn0zvhvc.fnn\zhjers.exe

C:\Windows\hn0zvhvc.fnn\zhjers.exe /SU auto

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /SS "To Be Filled By O.E.M."

C:\Windows\hn0zvhvc.fnn\zhjers.exe

C:\Windows\hn0zvhvc.fnn\zhjers.exe /SS "To Be Filled By O.E.M."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /SV "1.0"

C:\Windows\hn0zvhvc.fnn\zhjers.exe

C:\Windows\hn0zvhvc.fnn\zhjers.exe /SV "1.0"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /CSK "To Be Filled By O.E.M."

C:\Windows\hn0zvhvc.fnn\zhjers.exe

C:\Windows\hn0zvhvc.fnn\zhjers.exe /CSK "To Be Filled By O.E.M."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /CM "To Be Filled By O.E.M."

C:\Windows\hn0zvhvc.fnn\zhjers.exe

C:\Windows\hn0zvhvc.fnn\zhjers.exe /CM "To Be Filled By O.E.M."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /SP "MS-7D22"

C:\Windows\hn0zvhvc.fnn\zhjers.exe

C:\Windows\hn0zvhvc.fnn\zhjers.exe /SP "MS-7D22"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /SM "Micro-Star International Co., Ltd."

C:\Windows\hn0zvhvc.fnn\zhjers.exe

C:\Windows\hn0zvhvc.fnn\zhjers.exe /SM "Micro-Star International Co., Ltd."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /SK "To Be Filled By O.E.M."

C:\Windows\hn0zvhvc.fnn\zhjers.exe

C:\Windows\hn0zvhvc.fnn\zhjers.exe /SK "To Be Filled By O.E.M."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /SF "To Be Filled By O.E.M."

C:\Windows\hn0zvhvc.fnn\zhjers.exe

C:\Windows\hn0zvhvc.fnn\zhjers.exe /SF "To Be Filled By O.E.M."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /BM "Micro-Star International Co., Ltd."

C:\Windows\hn0zvhvc.fnn\zhjers.exe

C:\Windows\hn0zvhvc.fnn\zhjers.exe /BM "Micro-Star International Co., Ltd."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /BP "H510M-A PRO (MS-7D22)"

C:\Windows\hn0zvhvc.fnn\zhjers.exe

C:\Windows\hn0zvhvc.fnn\zhjers.exe /BP "H510M-A PRO (MS-7D22)"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /BV "1.0"

C:\Windows\hn0zvhvc.fnn\zhjers.exe

C:\Windows\hn0zvhvc.fnn\zhjers.exe /BV "1.0"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /BT "To Be Filled By O.E.M."

C:\Windows\hn0zvhvc.fnn\zhjers.exe

C:\Windows\hn0zvhvc.fnn\zhjers.exe /BT "To Be Filled By O.E.M."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /BLC "To Be Filled By O.E.M."

C:\Windows\hn0zvhvc.fnn\zhjers.exe

C:\Windows\hn0zvhvc.fnn\zhjers.exe /BLC "To Be Filled By O.E.M."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /PSN "To Be Filled By O.E.M."

C:\Windows\hn0zvhvc.fnn\zhjers.exe

C:\Windows\hn0zvhvc.fnn\zhjers.exe /PSN "To Be Filled By O.E.M."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /PAT "To Be Filled By O.E.M."

C:\Windows\hn0zvhvc.fnn\zhjers.exe

C:\Windows\hn0zvhvc.fnn\zhjers.exe /PAT "To Be Filled By O.E.M."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /PPN "To Be Filled By O.E.M."

C:\Windows\hn0zvhvc.fnn\zhjers.exe

C:\Windows\hn0zvhvc.fnn\zhjers.exe /PPN "To Be Filled By O.E.M."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /CSK "To Be Filled By O.E.M."

C:\Windows\hn0zvhvc.fnn\zhjers.exe

C:\Windows\hn0zvhvc.fnn\zhjers.exe /CSK "To Be Filled By O.E.M."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /CS "To Be Filled By O.E.M."

C:\Windows\hn0zvhvc.fnn\zhjers.exe

C:\Windows\hn0zvhvc.fnn\zhjers.exe /CS "To Be Filled By O.E.M."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /CV "1.0"

C:\Windows\hn0zvhvc.fnn\zhjers.exe

C:\Windows\hn0zvhvc.fnn\zhjers.exe /CV "1.0"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /CM "Micro-Star International Co., Ltd."

C:\Windows\hn0zvhvc.fnn\zhjers.exe

C:\Windows\hn0zvhvc.fnn\zhjers.exe /CM "Micro-Star International Co., Ltd."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /CA "To Be Filled By O.E.M."

C:\Windows\hn0zvhvc.fnn\zhjers.exe

C:\Windows\hn0zvhvc.fnn\zhjers.exe /CA "To Be Filled By O.E.M."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /CO "0000 0000h"

C:\Windows\hn0zvhvc.fnn\zhjers.exe

C:\Windows\hn0zvhvc.fnn\zhjers.exe /CO "0000 0000h"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /CT "03h"

C:\Windows\hn0zvhvc.fnn\zhjers.exe

C:\Windows\hn0zvhvc.fnn\zhjers.exe /CT "03h"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /IV "3.80"

C:\Windows\hn0zvhvc.fnn\zhjers.exe

C:\Windows\hn0zvhvc.fnn\zhjers.exe /IV "3.80"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /IVN "American Megatrends International, LLC."

C:\Windows\hn0zvhvc.fnn\zhjers.exe

C:\Windows\hn0zvhvc.fnn\zhjers.exe /IVN "American Megatrends International, LLC."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\hn0zvhvc.fnn\zhjers.exe /BS "%random%%random%%random%%random%%random%"

C:\Windows\hn0zvhvc.fnn\zhjers.exe

C:\Windows\hn0zvhvc.fnn\zhjers.exe /BS "10559190572717492916524"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Windows\hn0zvhvc.fnn\cleaner.bat" "

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "Steam.exe" /t /fi "status eq running"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im EpicGamesLauncher.exe /t /fi status eq running

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing\HardwareID /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing\Store /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_CURRENT_USER\Software\WinRAR\ArcHistory /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-1282084573-1681065996-3115981261-1001 /va /f

C:\Windows\SysWOW64\reg.exe

REG DELETEH KEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\ShowJumpView /f

C:\Windows\SysWOW64\reg.exe

REG DELETEH KEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_CURRENT_USER\Software\WinRAR\ArcHistory /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\ShowJumpView /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-332004695-2829936588-140372829-1002 /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-1282084573-1681065996-3115981261-1001 /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKCU\Software\Electronic Arts\EA Core\Staging\194908\ergc" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKCU\Software\Electronic Arts" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Respawn\Apex\Product GUID" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Classes\origin" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Classes\origin2" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKCR\origin" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKCR\origin2" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKCR\Applications\Origin.exe" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Classes\Applications\Origin.exe" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.Origin" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\ControlSet001\Services\Origin Client Service" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\ControlSet001\Services\Origin Web Helper Service" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\Origin Client Service" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\Origin Web Helper Service" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\Origin.exe" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKCR\Applications\Origin.exe" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Classes\Applications\Origin.exe" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.Origin" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181\93" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App\93" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93\ac" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93\ad" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\180" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Windows\hn0zvhvc.fnn\mac.bat" "

C:\Windows\SysWOW64\ipconfig.exe

"C:\Windows\System32\ipconfig.exe" /flushdns

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic nic where physicaladapter=true get deviceid

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f

C:\Windows\SysWOW64\findstr.exe

findstr [0-9]

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" int ip reset

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKCU\Software\Classes\Installer\Dependencies" /v MSICache /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKCU\Software\Microsoft\Direct3D" /v WHQLClass /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181\93" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App\93" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93\ac" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93\ad" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\180" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\181" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\182" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\kz2LMQg4+pNfXggv65DcWFQ9SiekWR4B4WMWT+pcqbU: 0x00000002" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\4JSyFFDDKUMXDyK2USgAjbiksFnqOb3f8RPZBPSpEfU: 0x00000002" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\62bDlCzxB/xxIWLkQdDRYcAqhmZhNOMUtjhRkAgTvkQ: 0x00000002" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Package: 0x00000181" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Index: 0x00000000" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Flags: 0x00000000" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\PackageRelativeApplicationId: "App"" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Executable: "GameBar.exe"" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Entrypoint: "GameBar.App"" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\StartPage: (NULL!)" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\_IndexKeys: 50 61 63 6B 61 67 65 5C 31 38 31 5C 39 33 00 50 61 63 6B 61 67 65 41 6E 64 50 61 63 6B 61 67 65 52 65 6C 61 74 69 76 65 41 70 70 6C 69 63 61 74 69 6F 6E 49 64 5C 31 38 31 5E 41 70 70 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\Application: 0x00000093" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\User: 0x00000003" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\_IndexKeys: 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 5C 33 5E 39 33 00 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 55 73 65 72 4D 6F 64 65 6C 49 64 5C 33 5E 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 21 41 70 70 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\Application: 0x00000093" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\User: 0x00000004" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\_IndexKeys: 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 5C 34 5E 39 33 00 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 55 73 65 72 4D 6F 64 65 6C 49 64 5C 34 5E 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 21 41 70 70 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe"" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageFamily: 0x0000004E" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageType: 0x00000008" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\Flags: 0x00000000" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageOrigin: 0x00000003" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\Volume: 0x00000001" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe"" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\_IndexKeys: 50 61 63 6B 61 67 65 46 61 6D 69 6C 79 5C 34 65 5C 31 38 30 00 50 61 63 6B 61 67 65 46 75 6C 6C 4E 61 6D 65 5C 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 31 2E 34 31 2E 32 34 30 30 31 2E 30 5F 6E 65 75 74 72 61 6C 5F 7E 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe"" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageFamily: 0x0000004E" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageType: 0x00000001" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\Flags: 0x00000000" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageOrigin: 0x00000003" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\Volume: 0x00000001" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe"" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\_IndexKeys: 50 61 63 6B 61 67 65 46 61 6D 69 6C 79 5C 34 65 5C 31 38 31 00 50 61 63 6B 61 67 65 46 75 6C 6C 4E 61 6D 65 5C 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 31 2E 34 31 2E 32 34 30 30 31 2E 30 5F 78 36 34 5F 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe"" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageFamily: 0x0000004E" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageType: 0x00000004" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\Flags: 0x00000000" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageOrigin: 0x00000003" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\Volume: 0x00000001" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe"" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\_IndexKeys: 50 61 63 6B 61 67 65 46 61 6D 69 6C 79 5C 34 65 5C 31 38 32 00 50 61 63 6B 61 67 65 46 75 6C 6C 4E 61 6D 65 5C 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 31 2E 34 31 2E 32 34 30 30 31 2E 30 5F 6E 65 75 74 72 61 6C 5F 73 70 6C 69 74 2E 73 63 61 6C 65 2D 31 30 30 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80\Package: 0x00000180" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80\User: 0x00000003" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80\_IndexKeys: 55 73 65 72 5C 33 5C 31 61 38 30 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 33 5E 31 38 30 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81\Package: 0x00000181" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81\User: 0x00000003" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81\_IndexKeys: 55 73 65 72 5C 33 5C 31 61 38 31 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 33 5E 31 38 31 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82\Package: 0x00000182" /f

C:\Windows\SysWOW64\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82\User: 0x00000003" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82\_IndexKeys: 55 73 65 72 5C 33 5C 31 61 38 32 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 33 5E 31 38 32 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83\Package: 0x00000180" /f

C:\Windows\SysWOW64\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83\User: 0x00000004" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83\_IndexKeys: 55 73 65 72 5C 34 5C 31 61 38 33 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 34 5E 31 38 30 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84\Package: 0x00000181" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84\User: 0x00000004" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84\_IndexKeys: 55 73 65 72 5C 34 5C 31 61 38 34 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 34 5E 31 38 31 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VolatileNotifications\41C64E6DA3D39855: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 02 00 1C 00 01 00 00 00 00 00 14 00 03 00 00 00 01 01 00 00 00 00 00 05 0B 00 00 00 04 00 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VolatileNotifications\41C64E6DA3CF4055: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 02 00 1C 00 01 00 00 00 00 00 14 00 03 00 00 00 01 01 00 00 00 00 00 05 0B 00 00 00 04 00 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862software: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_sid: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 2E 64 61 74 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_classes: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 43 6C 61 73 73 65 73 2E 64 61 74 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Siloe6b4a779-bfe1-62d8-47ac-fa19e9becbbecom: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 5F 43 4F 4D 31 35 2E 64 61 74 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862com: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\ControlSet001\Services\bam\State\UserType: 0x00000010" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862software: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_sid: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 2E 64 61 74 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_classes: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 43 6C 61 73 73 65 73 2E 64 61 74 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Siloe6b4a779-bfe1-62d8-47ac-fa19e9becbbecom: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 5F 43 4F 4D 31 35 2E 64 61 74 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862com: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d 6A88007B7E5B /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic nic where physicaladapter=true get deviceid

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Type: 0x00000010" /f

C:\Windows\SysWOW64\findstr.exe

findstr [0-9]

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Start: 0x00000003" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f

C:\Windows\SysWOW64\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\WOW64: 0x0000014C" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ObjectName: "LocalSystem"" /f

C:\Windows\SysWOW64\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f

C:\Windows\SysWOW64\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\0" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000205B6" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000403D6" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000405DE" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000060286" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000009042E" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A03B4" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A0430" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000B0532" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000B05D6" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000C0430" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000C0586" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E03D2" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E0406" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000100430" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001103EE" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000011041E" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000012047E" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001303EE" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001304F2" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000014041E" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001703E6" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000170440" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001704FC" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f

C:\Windows\SysWOW64\netsh.exe

netsh interface set interface name="Ethernet" disable

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App\windows.protocol" /f

C:\Windows\SysWOW64\cmd.exe

"cmd.exe"
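To turn the reg.exe command lines above into something a detection engineer can test offline, here is an added Python example (the editor's own, not code from the sandbox, the report, or the sample). It splits each command line the way Windows does for double-quoted arguments, normalizes the hive abbreviation, and tags deletions of hardware-identity values (ProcessorNameString, HardwareConfig, SystemStartOptions) separately from deletions of the Epic Games and XboxGameOverlay keys. The key patterns, the tag names and the `hwid_spoofer_cleanup` verdict label are this example's own choices based on what the listing shows, not signatures from the report; the `CONTROL_CMDLINES` entries are constructed benign lines, not from the report.

```python
import re
from collections import Counter

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
_HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER", "HKU": "HKEY_USERS"}


def split_cmdline(cmdline):
    """Minimal Windows-style argv split: a double-quoted run is one token."""
    return [q or u for q, u in _TOKEN.findall(cmdline)]


def normalize_key(key):
    """Expand hive abbreviations and upper-case so HKLM\\... and HKEY_LOCAL_MACHINE\\... compare equal."""
    hive, _, rest = key.partition("\\")
    return (_HIVES.get(hive.upper(), hive) + "\\" + rest).upper().rstrip("\\")


def parse_reg_delete(cmdline):
    """Return {key, value, force} for a `reg delete` command line, else None."""
    toks = split_cmdline(cmdline)
    if len(toks) < 3:
        return None
    exe = toks[0].rsplit("\\", 1)[-1].lower()
    if exe not in ("reg", "reg.exe") or toks[1].lower() != "delete":
        return None
    rec = {"key": normalize_key(toks[2]), "value": None, "force": False}
    i = 3
    while i < len(toks):
        if toks[i].lower() == "/v" and i + 1 < len(toks):
            rec["value"] = toks[i + 1].upper()  # value names are case-insensitive
            i += 2
            continue
        if toks[i].lower() == "/f":
            rec["force"] = True
        i += 1
    return rec


# Keys/values commonly read as part of a machine fingerprint (this example's own list).
# Deleting the named value, or the whole key (value None), is tagged hwid_tamper.
_HWID_RULES = (
    (re.compile(r"\\HARDWARE\\DESCRIPTION\\SYSTEM\\CENTRALPROCESSOR\\\d+$"), "PROCESSORNAMESTRING"),
    (re.compile(r"\\SYSTEM\\HARDWARECONFIG$"), None),
    (re.compile(r"\\SYSTEM\\CURRENTCONTROLSET\\CONTROL$"), "SYSTEMSTARTOPTIONS"),
)
# Keys holding the game client's local registration / overlay package data.
_GAME_TRACE_RULES = (
    re.compile(r"\\EPIC ?GAMES$"),
    re.compile(r"\\CLASSES\\COM\.EPICGAMES\.LAUNCHER$"),
    re.compile(r"\\APPMODEL\\PACKAGEREPOSITORY\\PACKAGES\\MICROSOFT\.XBOXGAMEOVERLAY_"),
)


def classify(cmdline):
    """Tag one command line; None when it is not a `reg delete` at all."""
    rec = parse_reg_delete(cmdline)
    if rec is None:
        return None
    tags = set()
    for key_re, value in _HWID_RULES:
        if key_re.search(rec["key"]) and rec["value"] in (None, value):
            tags.add("hwid_tamper")
    if any(r.search(rec["key"]) for r in _GAME_TRACE_RULES):
        tags.add("game_trace_wipe")
    rec["tags"] = sorted(tags)
    return rec


def summarize(cmdlines):
    """Count tags over a whole process listing; the verdict label is this example's own naming."""
    counts = Counter()
    for c in cmdlines:
        rec = classify(c)
        if rec:
            counts.update(rec["tags"])
    hit = counts["hwid_tamper"] >= 2 and counts["game_trace_wipe"] >= 1
    return {"counts": dict(counts), "verdict": "hwid_spoofer_cleanup" if hit else "no_match"}


# Copied from the process listing above (a representative subset).
REPORT_CMDLINES = [
    r'reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f',
    r'reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f',
    r'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f',
    r'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f',
    r'reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f',
    r'reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f',
    r'reg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f',
    r'reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe" /f',
]
# Constructed benign controls (not from the report): ordinary deletes and a non-delete.
CONTROL_CMDLINES = [
    r'reg delete "HKCU\Software\ContosoApp\Settings" /f',
    r'"C:\Windows\System32\reg.exe" query HKLM\SOFTWARE\Microsoft\Windows /v Foo',
    r'reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v UpdaterStub /f',
]

if __name__ == "__main__":
    for c in REPORT_CMDLINES + CONTROL_CMDLINES:
        print(classify(c))
    print(summarize(REPORT_CMDLINES), summarize(CONTROL_CMDLINES))
```

Feeding the CommandLine field of a process-creation feed (Sysmon event 1, EDR telemetry) into `summarize` gives the same verdict logic on live data; the requirement for two hardware-identity deletions plus one game-client key deletion is what keeps a single legitimate uninstall or a lone `reg delete` of a vendor key from firing, as the control lines show.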

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7zO021A4718\cleaner.bat

MD5 d4a755cf4816c251a2c08548301ab6d1
SHA1 33c2b40ae11177fb116b361bffbc73690b668d73
SHA256 c1a955fd9a937afba415bc45f5b174254f708ac018321674c4967fd2d8afba4b
SHA512 860a3576184395d21df293c083c683807c584670149ce03570634494725dcaf914c8d7db24812c7aa6b29dfc04fb92b456676319c070a74a3d453c7014cf7828

C:\Users\Admin\AppData\Local\Temp\7zO021B2D38\loader.exe

MD5 2feca6c6065a51f8ce0fba51010c8e72
SHA1 533ecd7078632a162e7bf6444797a9495927e2da
SHA256 2508b00db8479ba856be5c395e2ae74d435e455202116cc1c3db69e771b416be
SHA512 cf8e34c2152219bb0b2a3dd5a71413db98418ab11f39d61bc859854166467289af02a95930bd29d01acd864dde03679d7f3ea05a7b0ad544a6c42bb4356cdeb3

memory/4008-20-0x0000000000340000-0x000000000085E000-memory.dmp

memory/4008-21-0x0000000005800000-0x0000000005DA4000-memory.dmp

memory/4008-22-0x0000000005250000-0x00000000052E2000-memory.dmp

memory/4008-23-0x00000000052F0000-0x00000000052FA000-memory.dmp

memory/744-36-0x00000000063E0000-0x00000000065D6000-memory.dmp

C:\Windows\hn0zvhvc.fnn\kdmapper.exe

MD5 33aa4f7f157634401b381a3328b11a8c
SHA1 50a65099f0f3bfee942d60d89c649ecd5724a48c
SHA256 180ab01cac38b5e44c4465b1a76a4c858f127f41a694a8ace8372a802fbae311
SHA512 700cbcba0e83afa6a51427036569051b938d13b811bf2841892137e1006c6c495d15b474b6838dd77575907651e7ba459a88f817bc9f05f96faea407b9a69a54

C:\Windows\hn0zvhvc.fnn\zhjers.exe

MD5 f17ecf761e70feb98c7f628857eedfe7
SHA1 b2c1263c641bdaee8266a05a0afbb455e29e240d
SHA256 311f5c844746d4270b5b971ccef8d74ddedca873eb45f34a1a55f1ea4a3bafcf
SHA512 e5a5f56a85ee0a372990914314b750d5f970b5f91e9084621d63378a3a16a6e64904786883cd026d8aa313606c32667d2a83703f8a22fa800230a6467684d084

C:\Windows\hn0zvhvc.fnn\amifldrv64.sys

MD5 f22740ba54a400fd2be7690bb204aa08
SHA1 5812387783d61c6ab5702213bb968590a18065e3
SHA256 65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9
SHA512 ac1f89736cf348f634b526569b5783118a1a35324f9ce2f2804001e5a04751f8cc21d09bfa1c4803cd14a64152beba868f5ecf119f10fa3ccbe680d2fb481500

C:\Windows\System32\drivers\etc\hosts

MD5 31a11aca174c90d6e017804c19cf7b29
SHA1 1166ed613190b3e3db8a59c17f1bf878ae7c8813
SHA256 86a0e37ef983523be551517dd53cee1b26aee988fb61badcbe2f2d41832eab8a
SHA512 3df7cbdd34a2e92d36f3beea9ae11f44a5fba794e0175f9c60e3671ce9c133d793a67eaad8d1d7ef5fa8c73114c81600a64d5a7022befd1c13a72cb6905c1e55

C:\Windows\hn0zvhvc.fnn\mac.bat

MD5 86630f471a1c7f40e8494347f9ab8249
SHA1 10a2139adfb884f01799de89bf9b9ccb2a8bb460
SHA256 c15faade0e71acd4abcb60a7e9f3f002a46d3d47bd294f7b12d811c871d1292c
SHA512 666fe7866c2bedc78aad081bddf7e4dc8a9038b173527dc9464dd9c0776314a8c3e1ec7f4d0f34aff0d946b94ed1178a5c665d79173d1bfe0a0a611f6af65369