cerber | 01a7f0b5b9e7da691d83e7c37b2e6a3803a5f1afe844cabcf1f2f793d7e69a66

Analysis

max time kernel
55s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2025 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2m9EebzOkbHURokfcBMtam2Hn.exe
Size

7.4MB
MD5

e0bb58d5850258392975b0e37001d00b
SHA1

85552711e0b75d3d11db9d67108462c16d25976a
SHA256

01a7f0b5b9e7da691d83e7c37b2e6a3803a5f1afe844cabcf1f2f793d7e69a66
SHA512

236ed37759edd5b031a50eef3fb0998fdc02aab9bd76044a27c31daaf3cd89e6e30d2c8e6427493feb618c5d0ee22db09a2a767a457841fdb1a0cffd71590848
SSDEEP

98304:SQUB/62k9Z8Lh7Pd8zSwyNY/Usnahy84YDzKrxXtYF1I42wq/HHv/dt6p:SQI/61ZSBuKYcsnahiU+Do121nv/dwp

Score

10^/10

cerber defense_evasion discovery execution persistence privilege_escalation ransomware spyware stealer

Malware Config

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Cerber family
cerber

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\storbus\ImagePath = "\\??\\C:\\Windows\\PLA\\storbus.sys"	sp.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 19 IoCs

pid	Process
2996	AppV.exe
2484	AppV.exe
2892	AppV.exe
1264	AppV.exe
1040	AppV.exe
4800	AppV.exe
2844	AppV.exe
1128	AppV.exe
5076	AppV.exe
2984	AppV.exe
2208	AppV.exe
4420	AppV.exe
2716	AppV.exe
4548	AppV.exe
2232	AppV.exe
2196	AppV.exe
4740	AppV.exe
3328	AppV.exe
3504	sp.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\PLA\amide.sys	2m9EebzOkbHURokfcBMtam2Hn.exe
File created	C:\Windows\PLA\AppV.exe	2m9EebzOkbHURokfcBMtam2Hn.exe
File created	C:\Windows\PLA\sp.exe	2m9EebzOkbHURokfcBMtam2Hn.exe
File created	C:\Windows\PLA\spoofer.sys	2m9EebzOkbHURokfcBMtam2Hn.exe
File created	C:\Windows\PLA\storbus.sys	2m9EebzOkbHURokfcBMtam2Hn.exe
File created	C:\Windows\PLA\dvzde6fvjT.bat	2m9EebzOkbHURokfcBMtam2Hn.exe
File created	C:\Windows\PLA\amifldrv64.sys	2m9EebzOkbHURokfcBMtam2Hn.exe
File created	C:\Windows\PLA\6aPal03omI.bat	2m9EebzOkbHURokfcBMtam2Hn.exe
File created	C:\Windows\PLA\nS77rnA8cC.bat	2m9EebzOkbHURokfcBMtam2Hn.exe
File created	C:\Windows\2950800.txt	cmd.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3864	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 8 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2728	reg.exe
1408	reg.exe
5112	cmd.exe
2372	reg.exe
1592	reg.exe
4588	reg.exe
2208	reg.exe
1000	reg.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	reg.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	reg.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "1pTghz0JhHIeO"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "1pTghz0JhHIeO"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "1pTghz0JhHIeO"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier	reg.exe

Kills process with taskkill 33 IoCs

defense_evasion

pid	Process
2036	taskkill.exe
2972	taskkill.exe
1212	taskkill.exe
2196	taskkill.exe
4832	taskkill.exe
5104	taskkill.exe
3424	taskkill.exe
1324	taskkill.exe
4136	taskkill.exe
2892	taskkill.exe
3592	taskkill.exe
668	taskkill.exe
1392	taskkill.exe
3492	taskkill.exe
1440	taskkill.exe
2328	taskkill.exe
2212	taskkill.exe
2504	taskkill.exe
4472	taskkill.exe
5076	taskkill.exe
4756	taskkill.exe
4952	taskkill.exe
4652	taskkill.exe
3352	taskkill.exe
4320	taskkill.exe
624	taskkill.exe
3992	taskkill.exe
796	taskkill.exe
3868	taskkill.exe
1576	taskkill.exe
1784	taskkill.exe
1548	taskkill.exe
2676	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	rundll32.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CacheLimit = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CacheVersion = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CacheLimit = "51200"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CacheVersion = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Extensible Cache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CachePrefix	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\MuiCache	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CacheVersion = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CacheLimit = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies	rundll32.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2168	reg.exe
1440	reg.exe
1600	reg.exe
3300	reg.exe
3328	reg.exe
4944	reg.exe
1448	reg.exe
4748	reg.exe
404	reg.exe
4112	reg.exe
3868	reg.exe
2332	reg.exe
1164	reg.exe
1572	reg.exe
4188	reg.exe
1612	reg.exe
4444	reg.exe
428	reg.exe
440	reg.exe
5104	reg.exe
2232	reg.exe
4440	reg.exe
2172	reg.exe
4108	reg.exe
3892	reg.exe
4856	reg.exe
2208	reg.exe
4228	reg.exe
4744	reg.exe
5008	reg.exe
692	reg.exe
3536	reg.exe
3300	reg.exe
4344	reg.exe
4688	reg.exe
4256	reg.exe
2384	reg.exe
3852	reg.exe
2132	reg.exe
1716	reg.exe
1008	reg.exe
2372	reg.exe
4808	reg.exe
916	reg.exe
804	reg.exe
2312	reg.exe
4124	reg.exe
1884	reg.exe
672	reg.exe
4304	reg.exe
4884	reg.exe
4752	reg.exe
1964	reg.exe
2184	reg.exe
764	reg.exe
1124	reg.exe
1028	reg.exe
2372	reg.exe
3904	reg.exe
384	reg.exe
1592	reg.exe
3524	reg.exe
1112	reg.exe
2972	reg.exe

Suspicious behavior: LoadsDriver 19 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
3504	sp.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	3504	sp.exe
Token: SeDebugPrivilege	1324	taskkill.exe
Token: SeDebugPrivilege	1392	taskkill.exe
Token: SeDebugPrivilege	3424	taskkill.exe
Token: SeDebugPrivilege	2036	taskkill.exe
Token: SeDebugPrivilege	796	taskkill.exe
Token: SeDebugPrivilege	3492	taskkill.exe
Token: SeDebugPrivilege	3868	taskkill.exe
Token: SeDebugPrivilege	4832	taskkill.exe
Token: SeDebugPrivilege	5104	taskkill.exe
Token: SeDebugPrivilege	1440	taskkill.exe
Token: SeDebugPrivilege	2328	taskkill.exe
Token: SeDebugPrivilege	4952	taskkill.exe
Token: SeDebugPrivilege	4652	taskkill.exe
Token: SeDebugPrivilege	1576	taskkill.exe
Token: SeDebugPrivilege	1784	taskkill.exe
Token: SeDebugPrivilege	4136	taskkill.exe
Token: SeDebugPrivilege	2212	taskkill.exe
Token: SeDebugPrivilege	3352	taskkill.exe
Token: SeDebugPrivilege	2504	taskkill.exe
Token: SeDebugPrivilege	4320	taskkill.exe
Token: SeDebugPrivilege	2892	taskkill.exe
Token: SeDebugPrivilege	3592	taskkill.exe
Token: SeDebugPrivilege	1548	taskkill.exe
Token: SeDebugPrivilege	2676	taskkill.exe
Token: SeDebugPrivilege	4472	taskkill.exe
Token: SeDebugPrivilege	668	taskkill.exe
Token: SeDebugPrivilege	5076	taskkill.exe
Token: SeDebugPrivilege	4756	taskkill.exe
Token: SeDebugPrivilege	2972	taskkill.exe
Token: SeDebugPrivilege	1212	taskkill.exe
Token: SeDebugPrivilege	3992	taskkill.exe
Token: SeDebugPrivilege	2196	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1840	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 4584	4780	2m9EebzOkbHURokfcBMtam2Hn.exe	84
PID 4780 wrote to memory of 4584	4780	2m9EebzOkbHURokfcBMtam2Hn.exe	84
PID 4780 wrote to memory of 1648	4780	2m9EebzOkbHURokfcBMtam2Hn.exe	85
PID 4780 wrote to memory of 1648	4780	2m9EebzOkbHURokfcBMtam2Hn.exe	85
PID 4780 wrote to memory of 2144	4780	2m9EebzOkbHURokfcBMtam2Hn.exe	86
PID 4780 wrote to memory of 2144	4780	2m9EebzOkbHURokfcBMtam2Hn.exe	86
PID 2144 wrote to memory of 3300	2144	cmd.exe	87
PID 2144 wrote to memory of 3300	2144	cmd.exe	87
PID 4780 wrote to memory of 5112	4780	2m9EebzOkbHURokfcBMtam2Hn.exe	88
PID 4780 wrote to memory of 5112	4780	2m9EebzOkbHURokfcBMtam2Hn.exe	88
PID 5112 wrote to memory of 2372	5112	cmd.exe	89
PID 5112 wrote to memory of 2372	5112	cmd.exe	89
PID 4780 wrote to memory of 4744	4780	2m9EebzOkbHURokfcBMtam2Hn.exe	90
PID 4780 wrote to memory of 4744	4780	2m9EebzOkbHURokfcBMtam2Hn.exe	90
PID 4744 wrote to memory of 3328	4744	cmd.exe	91
PID 4744 wrote to memory of 3328	4744	cmd.exe	91
PID 4780 wrote to memory of 3504	4780	2m9EebzOkbHURokfcBMtam2Hn.exe	92
PID 4780 wrote to memory of 3504	4780	2m9EebzOkbHURokfcBMtam2Hn.exe	92
PID 3504 wrote to memory of 404	3504	cmd.exe	93
PID 3504 wrote to memory of 404	3504	cmd.exe	93
PID 4780 wrote to memory of 2172	4780	2m9EebzOkbHURokfcBMtam2Hn.exe	94
PID 4780 wrote to memory of 2172	4780	2m9EebzOkbHURokfcBMtam2Hn.exe	94
PID 2172 wrote to memory of 804	2172	cmd.exe	95
PID 2172 wrote to memory of 804	2172	cmd.exe	95
PID 4780 wrote to memory of 3312	4780	2m9EebzOkbHURokfcBMtam2Hn.exe	96
PID 4780 wrote to memory of 3312	4780	2m9EebzOkbHURokfcBMtam2Hn.exe	96
PID 3312 wrote to memory of 4112	3312	cmd.exe	97
PID 3312 wrote to memory of 4112	3312	cmd.exe	97
PID 4780 wrote to memory of 264	4780	2m9EebzOkbHURokfcBMtam2Hn.exe	98
PID 4780 wrote to memory of 264	4780	2m9EebzOkbHURokfcBMtam2Hn.exe	98
PID 264 wrote to memory of 4752	264	cmd.exe	99
PID 264 wrote to memory of 4752	264	cmd.exe	99
PID 4780 wrote to memory of 4844	4780	2m9EebzOkbHURokfcBMtam2Hn.exe	100
PID 4780 wrote to memory of 4844	4780	2m9EebzOkbHURokfcBMtam2Hn.exe	100
PID 4844 wrote to memory of 1964	4844	cmd.exe	101
PID 4844 wrote to memory of 1964	4844	cmd.exe	101
PID 4780 wrote to memory of 4924	4780	2m9EebzOkbHURokfcBMtam2Hn.exe	102
PID 4780 wrote to memory of 4924	4780	2m9EebzOkbHURokfcBMtam2Hn.exe	102
PID 4924 wrote to memory of 2184	4924	cmd.exe	103
PID 4924 wrote to memory of 2184	4924	cmd.exe	103
PID 4780 wrote to memory of 4324	4780	2m9EebzOkbHURokfcBMtam2Hn.exe	104
PID 4780 wrote to memory of 4324	4780	2m9EebzOkbHURokfcBMtam2Hn.exe	104
PID 4324 wrote to memory of 4344	4324	cmd.exe	105
PID 4324 wrote to memory of 4344	4324	cmd.exe	105
PID 4780 wrote to memory of 2992	4780	2m9EebzOkbHURokfcBMtam2Hn.exe	106
PID 4780 wrote to memory of 2992	4780	2m9EebzOkbHURokfcBMtam2Hn.exe	106
PID 2992 wrote to memory of 4944	2992	cmd.exe	107
PID 2992 wrote to memory of 4944	2992	cmd.exe	107
PID 4780 wrote to memory of 4956	4780	2m9EebzOkbHURokfcBMtam2Hn.exe	108
PID 4780 wrote to memory of 4956	4780	2m9EebzOkbHURokfcBMtam2Hn.exe	108
PID 4956 wrote to memory of 2312	4956	cmd.exe	109
PID 4956 wrote to memory of 2312	4956	cmd.exe	109
PID 4780 wrote to memory of 4500	4780	2m9EebzOkbHURokfcBMtam2Hn.exe	110
PID 4780 wrote to memory of 4500	4780	2m9EebzOkbHURokfcBMtam2Hn.exe	110
PID 4500 wrote to memory of 4124	4500	cmd.exe	111
PID 4500 wrote to memory of 4124	4500	cmd.exe	111
PID 4780 wrote to memory of 4060	4780	2m9EebzOkbHURokfcBMtam2Hn.exe	112
PID 4780 wrote to memory of 4060	4780	2m9EebzOkbHURokfcBMtam2Hn.exe	112
PID 4060 wrote to memory of 4108	4060	cmd.exe	113
PID 4060 wrote to memory of 4108	4060	cmd.exe	113
PID 4780 wrote to memory of 944	4780	2m9EebzOkbHURokfcBMtam2Hn.exe	114
PID 4780 wrote to memory of 944	4780	2m9EebzOkbHURokfcBMtam2Hn.exe	114
PID 944 wrote to memory of 5008	944	cmd.exe	115
PID 944 wrote to memory of 5008	944	cmd.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2m9EebzOkbHURokfcBMtam2Hn.exe
"C:\Users\Admin\AppData\Local\Temp\2m9EebzOkbHURokfcBMtam2Hn.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d ReLm3zj8-8Nma-puM2-Veku-NTKHkePSrvAVp /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d ReLm3zj8-8Nma-puM2-Veku-NTKHkePSrvAVp /f
    3⤵
    - Modifies registry key
    PID:3300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d I5mivoLm-JSr4-b5ZR-6zav-P72h6evhsvPeS /f
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d I5mivoLm-JSr4-b5ZR-6zav-P72h6evhsvPeS /f
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Modifies registry key
    PID:2372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d LjNRIj3E-AUGc-fP03-pGRi-1JBK3IBeeALjj /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d LjNRIj3E-AUGc-fP03-pGRi-1JBK3IBeeALjj /f
    3⤵
    - Modifies registry key
    PID:3328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {5PFOZ-20Jo0-HT4IA} /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3504
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {5PFOZ-20Jo0-HT4IA} /f
    3⤵
    - Modifies registry key
    PID:404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d 46eP5A0N1S2se /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d 46eP5A0N1S2se /f
    3⤵
    - Modifies registry key
    PID:804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d Uh0f-Tzb53 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3312
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d Uh0f-Tzb53 /f
    3⤵
    - Modifies registry key
    PID:4112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d 1pTghz0JhHIeO /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:264
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d 1pTghz0JhHIeO /f
    3⤵
    - Modifies registry key
    PID:4752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d 1pTghz0JhHIeO /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d 1pTghz0JhHIeO /f
    3⤵
    - Enumerates system info in registry
    - Modifies registry key
    PID:1964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {DpVNLD5RctiVb} /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {DpVNLD5RctiVb} /f
    3⤵
    - Modifies registry key
    PID:2184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {DpVNLD5RctiVb} /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4324
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {DpVNLD5RctiVb} /f
    3⤵
    - Modifies registry key
    PID:4344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {DpVNLD5RctiVb} /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {DpVNLD5RctiVb} /f
    3⤵
    - Modifies registry key
    PID:4944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d 1pTghz0JhHIeO /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d 1pTghz0JhHIeO /f
    3⤵
    - Modifies registry key
    PID:2312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 1pTghz0JhHIeO /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 1pTghz0JhHIeO /f
    3⤵
    - Modifies registry key
    PID:4124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d 1pTghz0JhHIeO /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4060
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d 1pTghz0JhHIeO /f
    3⤵
    - Modifies registry key
    PID:4108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 1pTghz0JhHIeO /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 1pTghz0JhHIeO /f
    3⤵
    - Modifies registry key
    PID:5008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 1pTghz0JhHIeO /f
  2⤵
  PID:3196
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 1pTghz0JhHIeO /f
    3⤵
    - Modifies registry key
    PID:3892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d 1pTghz0JhHIeO /f
  2⤵
  PID:4212
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d 1pTghz0JhHIeO /f
    3⤵
    - Enumerates system info in registry
    PID:2036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d 1pTghz0JhHIeO /f
  2⤵
  PID:2628
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d 1pTghz0JhHIeO /f
    3⤵
    - Enumerates system info in registry
    - Modifies registry key
    PID:1448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {DpVNLD5RctiVb} /f
  2⤵
  PID:548
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {DpVNLD5RctiVb} /f
    3⤵
    - Modifies registry key
    PID:428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {DpVNLD5RctiVb} /f
  2⤵
  PID:2848
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {DpVNLD5RctiVb} /f
    3⤵
    - Modifies registry key
    PID:384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {DpVNLD5RctiVb} /f
  2⤵
  PID:3428
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {DpVNLD5RctiVb} /f
    3⤵
    - Modifies registry key
    PID:764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {DpVNLD5RctiVb} /f
  2⤵
  PID:1820
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {DpVNLD5RctiVb} /f
    3⤵
    - Modifies registry key
    PID:4808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 1pTghz0JhHIeO /f
  2⤵
  PID:5068
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 1pTghz0JhHIeO /f
    3⤵
    - Modifies registry key
    PID:1124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 1pTghz0JhHIeO /f
  2⤵
  PID:2572
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 1pTghz0JhHIeO /f
    3⤵
    - Modifies registry key
    PID:3852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 1pTghz0JhHIeO /f
  2⤵
  PID:3668
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 1pTghz0JhHIeO /f
    3⤵
    - Modifies registry key
    PID:2332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {DpVNLD5RctiVb} /f
  2⤵
  PID:1228
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {DpVNLD5RctiVb} /f
    3⤵
    - Modifies registry key
    PID:2132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d 1pTghz0JhHIeO /f
  2⤵
  PID:3180
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d 1pTghz0JhHIeO /f
    3⤵
    - Modifies registry key
    PID:4688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d 1pTghz0JhHIeO /f
  2⤵
  PID:400
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d 1pTghz0JhHIeO /f
    3⤵
    - Modifies registry key
    PID:440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d 1pTghz0JhHIeO /f
  2⤵
  PID:3156
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d 1pTghz0JhHIeO /f
    3⤵
    - Modifies registry key
    PID:1440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 1pTghz0JhHIeO /f
  2⤵
  PID:2496
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 1pTghz0JhHIeO /f
    3⤵
    - Modifies registry key
    PID:4256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d 1pTghz0JhHIeO /f
  2⤵
  PID:3676
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d 1pTghz0JhHIeO /f
    3⤵
    PID:3596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d 1pTghz0JhHIeO /f
  2⤵
  PID:3888
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d 1pTghz0JhHIeO /f
    3⤵
    PID:4456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d 1pTghz0JhHIeO /f
  2⤵
  PID:1524
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d 1pTghz0JhHIeO /f
    3⤵
    - Modifies registry key
    PID:1716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d 1pTghz0JhHIeO /f
  2⤵
  PID:1652
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d 1pTghz0JhHIeO /f
    3⤵
    - Modifies registry key
    PID:692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\PLA\AppV.exe /su AUTO
  2⤵
  PID:2936
- - C:\Windows\PLA\AppV.exe
    C:\Windows\PLA\AppV.exe /su AUTO
    3⤵
    - Executes dropped EXE
    PID:2996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\PLA\AppV.exe /bs %random%-%random%-%random%
  2⤵
  PID:2640
- - C:\Windows\PLA\AppV.exe
    C:\Windows\PLA\AppV.exe /bs 16747-1684-5962
    3⤵
    - Executes dropped EXE
    PID:2484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\PLA\AppV.exe /bv %random%-%random%-%random%
  2⤵
  PID:2368
- - C:\Windows\PLA\AppV.exe
    C:\Windows\PLA\AppV.exe /bv 16747-1684-5962
    3⤵
    - Executes dropped EXE
    PID:2892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\PLA\AppV.exe /bm %random%-%random%-%random%
  2⤵
  PID:2440
- - C:\Windows\PLA\AppV.exe
    C:\Windows\PLA\AppV.exe /bm 16747-1684-5962
    3⤵
    - Executes dropped EXE
    PID:1264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\PLA\AppV.exe /ss %random%-%random%-%random%
  2⤵
  PID:3192
- - C:\Windows\PLA\AppV.exe
    C:\Windows\PLA\AppV.exe /ss 16747-1684-5962
    3⤵
    - Executes dropped EXE
    PID:1040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\PLA\AppV.exe /id %random%-%random%-%random%
  2⤵
  PID:3132
- - C:\Windows\PLA\AppV.exe
    C:\Windows\PLA\AppV.exe /id 16750-12432-23826
    3⤵
    - Executes dropped EXE
    PID:4800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\PLA\AppV.exe /iv %random%-%random%-%random%
  2⤵
  PID:464
- - C:\Windows\PLA\AppV.exe
    C:\Windows\PLA\AppV.exe /iv 16750-12432-23826
    3⤵
    - Executes dropped EXE
    PID:2844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\PLA\AppV.exe /ivn %random%-%random%-%random%
  2⤵
  PID:668
- - C:\Windows\PLA\AppV.exe
    C:\Windows\PLA\AppV.exe /ivn 16750-12432-23826
    3⤵
    - Executes dropped EXE
    PID:1128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\PLA\AppV.exe /cs %random%-%random%-%random%
  2⤵
  PID:2752
- - C:\Windows\PLA\AppV.exe
    C:\Windows\PLA\AppV.exe /cs 16750-12432-23826
    3⤵
    - Executes dropped EXE
    PID:5076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\PLA\AppV.exe /sm %random%-%random%-%random%
  2⤵
  PID:436
- - C:\Windows\PLA\AppV.exe
    C:\Windows\PLA\AppV.exe /sm 16750-12432-23826
    3⤵
    - Executes dropped EXE
    PID:2984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\PLA\AppV.exe /sp %random%-%random%-%random%
  2⤵
  PID:756
- - C:\Windows\PLA\AppV.exe
    C:\Windows\PLA\AppV.exe /sp 16750-12432-23826
    3⤵
    - Executes dropped EXE
    PID:2208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\PLA\AppV.exe /psn %random%-%random%-%random%
  2⤵
  PID:4272
- - C:\Windows\PLA\AppV.exe
    C:\Windows\PLA\AppV.exe /psn 16750-12432-23826
    3⤵
    - Executes dropped EXE
    PID:4420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\PLA\AppV.exe /ppn %random%-%random%-%random%
  2⤵
  PID:5092
- - C:\Windows\PLA\AppV.exe
    C:\Windows\PLA\AppV.exe /ppn 16750-12432-23826
    3⤵
    - Executes dropped EXE
    PID:2716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\PLA\AppV.exe /sk %random%-%random%-%random%
  2⤵
  PID:4988
- - C:\Windows\PLA\AppV.exe
    C:\Windows\PLA\AppV.exe /sk 16750-12432-23826
    3⤵
    - Executes dropped EXE
    PID:4548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\PLA\AppV.exe /sv %random%-%random%-%random%
  2⤵
  PID:916
- - C:\Windows\PLA\AppV.exe
    C:\Windows\PLA\AppV.exe /sv 16750-12432-23826
    3⤵
    - Executes dropped EXE
    PID:2232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\PLA\AppV.exe /BLC %random%-%random%-%random%
  2⤵
  PID:1616
- - C:\Windows\PLA\AppV.exe
    C:\Windows\PLA\AppV.exe /BLC 16750-12432-23826
    3⤵
    - Executes dropped EXE
    PID:2196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\PLA\AppV.exe /BT %random%-%random%-%random%
  2⤵
  PID:1840
- - C:\Windows\PLA\AppV.exe
    C:\Windows\PLA\AppV.exe /BT 16750-12432-23826
    3⤵
    - Executes dropped EXE
    PID:4740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\PLA\AppV.exe /SF %random%-%random%-%random%
  2⤵
  PID:5112
- - C:\Windows\PLA\AppV.exe
    C:\Windows\PLA\AppV.exe /SF 16750-12432-23826
    3⤵
    - Executes dropped EXE
    PID:3328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\PLA\sp.exe C:\Windows\PLA\storbus.sys C:\Windows\PLA\spoofer.sys
  2⤵
  PID:404
- - C:\Windows\PLA\sp.exe
    C:\Windows\PLA\sp.exe C:\Windows\PLA\storbus.sys C:\Windows\PLA\spoofer.sys
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:3504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\PLA\dvzde6fvjT.bat
  2⤵
  PID:1964
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "EpicGamesLauncher.exe" /t /fi "status eq running"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1324
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "FortniteLauncher.exe" /t /fi "status eq running"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1392
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "FortniteClient-Win64-Shipping_BE.exe" /t /fi "status eq running"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3424
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "FortniteClient-Win64-Shipping.exe" /t /fi "status eq running"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2036
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "EasyAntiCheat.exe" /t /fi "status eq running"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:796
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:3024
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:384
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
    3⤵
    PID:764
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
    3⤵
    PID:3428
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f
    3⤵
    PID:4808
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:1820
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:1124
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
    3⤵
    PID:5068
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
    3⤵
    PID:1360
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
    3⤵
    PID:2884
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
    3⤵
    PID:4684
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 16757-1161 /f
    3⤵
    - Modifies registry key
    PID:3868
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 26786-5830 /f
    3⤵
    - Modifies registry key
    PID:4856
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {eac5569} /f
    3⤵
    - Modifies registry key
    PID:1592
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {29329-11530-12368-24093-32455} /f
    3⤵
    - Modifies registry key
    PID:5104
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {27590-4167-5883-16940-28384} /f
    3⤵
    - Modifies registry key
    PID:1164
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 22876-5586 /f
    3⤵
    - Modifies registry key
    PID:4748
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 17316-19391 /f
    3⤵
    - Modifies registry key
    PID:2384
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 3372-20571 /f
    3⤵
    - Modifies registry key
    PID:1008
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 29271-1016-31173-9216-8024 /f
    3⤵
    PID:3140
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 10343-8294-12690-14981-12927 /f
    3⤵
    - Modifies registry key
    PID:3524
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 31111-8506-22190-2014 /f
    3⤵
    - Modifies registry key
    PID:1884
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 14873 /f
    3⤵
    - Modifies registry key
    PID:1572
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {25266-14585-23588-32271} /f
    3⤵
    - Modifies registry key
    PID:1112
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
    3⤵
    PID:316
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:1784
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:3708
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
    3⤵
    PID:1412
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
    3⤵
    PID:3232
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
    3⤵
    PID:2020
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
    3⤵
    PID:1652
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
    3⤵
    PID:692
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
    3⤵
    PID:4716
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
    3⤵
    PID:2504
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
    3⤵
    PID:4008
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
    3⤵
    PID:4320
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
    3⤵
    PID:4824
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
    3⤵
    PID:2892
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
    3⤵
    PID:2368
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f
    3⤵
    PID:5048
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f
    3⤵
    PID:2040
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f
    3⤵
    PID:1976
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f
    3⤵
    PID:3616
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid /t REG_SZ /d ---- /f
    3⤵
    PID:4252
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildGUID /t REG_SZ /d ---- /f
    3⤵
    PID:4472
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc" /v PropertyGuid /t REG_SZ /d {----} /f
    3⤵
    PID:3132
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\DeviceDesc" /v PropertyGuid /t REG_SZ /d {----} /f
    3⤵
    PID:2844
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\Driver" /v PropertyGuid /t REG_SZ /d {----} /fW
    3⤵
    PID:464
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v ComputerHardwareId /t REG_SZ /d {----} /f
    3⤵
    PID:4588
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v InstallDate /t REG_SZ /d 15796 /f
    3⤵
    PID:1492
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v ProductId /t REG_SZ /d 30596 /f
    3⤵
    PID:2856
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d ---- /f
    3⤵
    PID:2776
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 25862-31773-18099-27469-5278 /f
    3⤵
    - Modifies registry key
    PID:672
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 9920-3018-31055-19973-24190 /f
    3⤵
    - Modifies registry key
    PID:2972
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 3570-30446 /f
    3⤵
    - Modifies registry key
    PID:1028
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 18468 /f
    3⤵
    - Modifies registry key
    PID:2208
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 6511-23159-11669-4807 /f
    3⤵
    PID:756
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d FS9212 /f
    3⤵
    PID:4288
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 22701-16798 /f
    3⤵
    - Modifies registry key
    PID:4304
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d FS29171 /f
    3⤵
    - Modifies registry key
    PID:4188
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 24295-8159 /f
    3⤵
    - Modifies registry key
    PID:1600
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 114 /f
    3⤵
    - Modifies registry key
    PID:1612
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 890-7820 /f
    3⤵
    - Modifies registry key
    PID:3536
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 27016 /f
    3⤵
    - Modifies registry key
    PID:4884
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 23025-25292 /f
    3⤵
    - Modifies registry key
    PID:2232
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {3942-29637-2324-16144-17364} /f
    3⤵
    - Modifies registry key
    PID:916
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {26635-12240-6004-20253-6677} /f
    3⤵
    - Modifies registry key
    PID:4228
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {27198-s4545-4530-13089-7418} /f
    3⤵
    - Modifies registry key
    PID:4440
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {eac7986} /f
    3⤵
    - Modifies registry key
    PID:2372
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {fefefee6836-7516-713-25478} /f
    3⤵
    - Modifies registry key
    PID:4444
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\Software\Microsoft\Windows NT\CurrentVersion /v InstallDate /t REG_SZ /d 17078 /f
    3⤵
    - Modifies registry key
    PID:4744
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\Software\Microsoft\Windows NT\CurrentVersion /v ProductId /t REG_SZ /d 17307 /f
    3⤵
    - Modifies registry key
    PID:2168
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 15742 /f
    3⤵
    - Modifies registry key
    PID:3300
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Control\WMI\Security /v 671a8285-4edb-4cae-99fe-69a15c48c0bc /t REG_SZ /d 4692 /f
    3⤵
    - Modifies registry key
    PID:3904
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion" "WindowsUpdate /v SusClientId /t REG_SZ /d {25540-31051-28190-13983-21156} /f
    3⤵
    - Modifies registry key
    PID:2172
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
    3⤵
    PID:2480
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f
    3⤵
    PID:2544
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f
    3⤵
    PID:3504
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f
    3⤵
    PID:404
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
    3⤵
    PID:4552
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:2176
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine" /f
    3⤵
    PID:1824
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
    3⤵
    PID:1244
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
    3⤵
    PID:408
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f
    3⤵
    PID:1864
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
    3⤵
    PID:4212
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f
    3⤵
    - Checks processor information in registry
    PID:2036
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
    3⤵
    PID:724
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
    3⤵
    PID:796
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
    3⤵
    PID:3024
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
    3⤵
    PID:384
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
    3⤵
    PID:764
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f
    3⤵
    PID:3428
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f
    3⤵
    PID:4808
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
    3⤵
    PID:1820
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f
    3⤵
    PID:1124
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe" /f
    3⤵
    PID:5068
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f
    3⤵
    PID:1360
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe" /f
    3⤵
    PID:2884
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App" /f
    3⤵
    PID:4684
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App\windows.protocol" /f
    3⤵
    PID:3868
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App\windows.protocol\ms-gamebarservices" /f
    3⤵
    PID:4856
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\FortniteClient-Win64-Shipping.exe" /f
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1592
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe" /f
    3⤵
    PID:5104
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93" /f
    3⤵
    PID:1164
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181" /f
    3⤵
    PID:4748
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181\93" /f
    3⤵
    PID:2384
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App" /f
    3⤵
    PID:1008
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App\93" /f
    3⤵
    PID:3140
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac" /f
    3⤵
    PID:3524
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad" /f
    3⤵
    PID:1884
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93" /f
    3⤵
    PID:1572
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93\ac" /f
    3⤵
    PID:1112
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93" /f
    3⤵
    PID:316
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93\ad" /f
    3⤵
    PID:1784
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180" /f
    3⤵
    PID:3708
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181" /f
    3⤵
    PID:1412
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182" /f
    3⤵
    PID:4148
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\180" /f
    3⤵
    PID:2340
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\181" /f
    3⤵
    PID:3232
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\182" /f
    3⤵
    PID:692
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe" /f
    3⤵
    PID:4716
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe\182" /f
    3⤵
    PID:2504
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f
    3⤵
    PID:4008
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\180" /f
    3⤵
    PID:4320
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe" /f
    3⤵
    PID:4824
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\181" /f
    3⤵
    PID:2892
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80" /f
    3⤵
    PID:2368
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81" /f
    3⤵
    PID:5048
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f
    3⤵
    PID:2040
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f
    3⤵
    PID:1976
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f
    3⤵
    PID:3616
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f
    3⤵
    PID:4252
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f
    3⤵
    PID:4472
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f
    3⤵
    PID:3132
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f
    3⤵
    PID:2844
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f
    3⤵
    PID:464
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f
    3⤵
    PID:4588
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f
    3⤵
    PID:1492
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f
    3⤵
    PID:2856
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f
    3⤵
    PID:2776
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f
    3⤵
    PID:672
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f
    3⤵
    PID:2972
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f
    3⤵
    PID:1028
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f
    3⤵
    PID:2208
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f
    3⤵
    PID:756
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f
    3⤵
    PID:4288
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f
    3⤵
    PID:4304
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe" /f
    3⤵
    PID:4188
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe" /f
    3⤵
    PID:1600
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f
    3⤵
    PID:1612
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe" /f
    3⤵
    PID:3536
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe" /f
    3⤵
    PID:4532
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe" /f
    3⤵
    PID:3560
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
    3⤵
    PID:4884
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
    3⤵
    PID:4228
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security" /f
    3⤵
    PID:4440
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
    3⤵
    PID:2372
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security" /f
    3⤵
    PID:4444
- - C:\Windows\system32\reg.exe
    reg delete "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher" /f
    3⤵
    PID:4744
- - C:\Windows\system32\reg.exe
    reg delete "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
    3⤵
    PID:2168
- - C:\Windows\system32\reg.exe
    reg delete "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
    3⤵
    PID:3300
- - C:\Windows\system32\reg.exe
    reg delete "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
    3⤵
    PID:3904
- - C:\Windows\system32\reg.exe
    reg delete "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher" /f
    3⤵
    PID:2172
- - C:\Windows\system32\reg.exe
    reg delete "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
    3⤵
    PID:2480
- - C:\Windows\system32\reg.exe
    reg delete "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
    3⤵
    PID:2544
- - C:\Windows\system32\reg.exe
    reg delete "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
    3⤵
    PID:3504
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\5e4eddc4_0" /f
    3⤵
    PID:404
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\5e4eddc4_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}" /f
    3⤵
    PID:4552
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\0" /f
    3⤵
    PID:2176
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000205B6" /f
    3⤵
    PID:1824
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000403D6" /f
    3⤵
    PID:1244
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000405DE" /f
    3⤵
    PID:408
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000060286" /f
    3⤵
    PID:1864
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000009042E" /f
    3⤵
    PID:4212
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A03B4" /f
    3⤵
    PID:2036
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A0430" /f
    3⤵
    PID:724
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000B0532" /f
    3⤵
    PID:796
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000B05D6" /f
    3⤵
    PID:3024
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000C0430" /f
    3⤵
    PID:384
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000C0586" /f
    3⤵
    PID:764
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E03D2" /f
    3⤵
    PID:3428
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E0406" /f
    3⤵
    PID:4808
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000100430" /f
    3⤵
    PID:1820
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001103EE" /f
    3⤵
    PID:1124
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000011041E" /f
    3⤵
    PID:5068
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000012047E" /f
    3⤵
    PID:1360
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001303EE" /f
    3⤵
    PID:2884
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001304F2" /f
    3⤵
    PID:4684
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000014041E" /f
    3⤵
    PID:3868
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001703E6" /f
    3⤵
    PID:4856
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000170440" /f
    3⤵
    PID:1592
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001704FC" /f
    3⤵
    PID:5104
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU" /f
    3⤵
    PID:1164
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri" /f
    3⤵
    PID:4748
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri\1d50f44cf1a0499" /f
    3⤵
    PID:2384
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri\1d50f44cf1a0499\87f345c2" /f
    3⤵
    PID:1008
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\discord-432980957394370572" /f
    3⤵
    PID:3140
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\discord-432980957394370572\DefaultIcon" /f
    3⤵
    PID:3524
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\discord-432980957394370572\shell" /f
    3⤵
    PID:1884
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\discord-432980957394370572\shell\open" /f
    3⤵
    PID:1572
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\discord-432980957394370572\shell\open\command" /f
    3⤵
    PID:1112
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\System\GameConfigStore\Children\03ce6902-ff58-41de-ab92-36fcaf27a580" /f
    3⤵
    PID:316
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\System\GameConfigStore\Parents\fd13f746e7d2d69760b017363f621255c9b49ac8" /f
    3⤵
    PID:1784
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri" /f
    3⤵
    PID:3708
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri\1d50f44cf1a0499" /f
    3⤵
    PID:1412
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri\1d50f44cf1a0499\87f345c2" /f
    3⤵
    PID:4148
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\discord-432980957394370572" /f
    3⤵
    PID:2340
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\discord-432980957394370572\DefaultIcon" /f
    3⤵
    PID:3232
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\discord-432980957394370572\shell" /f
    3⤵
    PID:692
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\discord-432980957394370572\shell\open" /f
    3⤵
    PID:4448
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\discord-432980957394370572\shell\open\command" /f
    3⤵
    PID:2532
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher" /f
    3⤵
    PID:4716
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
    3⤵
    PID:4320
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
    3⤵
    PID:4824
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
    3⤵
    PID:2892
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher" /f
    3⤵
    PID:2368
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
    3⤵
    PID:5048
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
    3⤵
    PID:4592
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
    3⤵
    PID:4800
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\ProgIDs\AppXm8fs0gj5h36ynw4kq0x3gqnz6ecr1kvy\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe: (NULL!)" /f
    3⤵
    PID:2040
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.protocol\ms-gamebarservices\AppXm8fs0gj5h36ynw4kq0x3gqnz6ecr1kvy\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe: (NULL!)" /f
    3⤵
    PID:4252
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe\Path: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe"" /f
    3⤵
    PID:4472
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Path: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe"" /f
    3⤵
    PID:3132
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\Path: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe"" /f
    3⤵
    PID:2844
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App\windows.protocol\ms-gamebarservices\ACID: "App.AppXe655y38cadddpg1xd2b5k915wndhg5gm.mca"" /f
    3⤵
    PID:464
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\FortniteClient-Win64-Shipping.exe\LastDetectionTime: F9 8F FD B6 8D 13 D5 01" /f
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4588
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\AppPackageType: 0x00000000" /f
    3⤵
    PID:1492
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\PackageSid: "S-1-15-2-1823635404-1364722122-2170562666-1762391777-2399050872-3465541734-3732476201"" /f
    3⤵
    PID:2856
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\EnterpriseID: 0x00000000" /f
    3⤵
    PID:3976
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\CapSids: 0A 00 00 00 01 02 00 00 00 00 00 0F 03 00 00 00 01 00 00 00 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 E8 41 FE 65 15 CB 86 8E 43 2C E1 30 42 2A B3 51 4E 9C 0E 17 B4 1B 89 09 98 DA 44 8D 13 6A 0C B3 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 E4 29 72 AE 52 A9 2E 19 C4 FB 6C 51 9E 00 25 50 5B 64 A6 6F A4 D2 D0 57 D2 DB D7 37 F2 B0 85 AC 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 0B 44 35 CF 44 6C 30 B5 4C 90 DA 15 DB 4C 09 94 5A 08 A5 69 F0 DC C5 65 02 4A 7B B9 A8 2C DA C2 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 3C DA 35 57 2A 15 FA C8 02 C1 BC 52 65 2B D8 EC C8 8E 72 9B 62 79 A8 20 65 1E 06 07 AF 02 70 0C 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 CE 22 45 27 27 B8 EA 12 11 8A 20 EF 09 19 FD 6B B8 B4 A0 D6 03 10 5B DD D6 CF 74 85 60 22 D2 CD 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 0A D5 CA 1A 96 05 1C F5 5E 2C 0C CE 2A E" /f
    3⤵
    PID:2828
- - C:\Windows\system32\reg.exe
    reg delete "8 F3 66 B9 86 13 95 5D 1A 40 0A 7F 52 A9 BA B2 23 04 83 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 38 B0 4E D5 42 5B 15 DF 75 ED 77 00 0E 5B 16 73 C1 5E D2 AF 68 BF 75 AD 38 35 1D 6A 1E 9A 12 F7 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 AF 37 E5 A2 58 AD 48 66 53 E6 1F 53 B9 42 0E EA 34 9C E5 B6 48 3A DB 78 9F 5C A7 33 FE 7E 97 1A 01 08 00 00 00 00 00 0F 03 00 00 00 CC 77 B2 6C CA 01 58 51 6A 28 60 81 E1 F6 0B 69 78 9C FE 8E 66 F8 8F CE 29 11 79 DE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" /f
    3⤵
    PID:624
- - C:\Windows\system32\reg.exe
    reg delete " 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" /f
    3⤵
    PID:4272
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\ApplicationFlags: 0x00000000" /f
    3⤵
    PID:2716
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\kz2LMQg4+pNfXggv65DcWFQ9SiekWR4B4WMWT+pcqbU: 0x00000002" /f
    3⤵
    PID:5092
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\4JSyFFDDKUMXDyK2USgAjbiksFnqOb3f8RPZBPSpEfU: 0x00000002" /f
    3⤵
    PID:1176
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\62bDlCzxB/xxIWLkQdDRYcAqhmZhNOMUtjhRkAgTvkQ: 0x00000002" /f
    3⤵
    PID:4604
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Package: 0x00000181" /f
    3⤵
    PID:1384
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Index: 0x00000000" /f
    3⤵
    PID:2232
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Flags: 0x00000000" /f
    3⤵
    PID:916
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\PackageRelativeApplicationId: "App"" /f
    3⤵
    PID:1648
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f
    3⤵
    PID:5000
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Executable: "GameBar.exe"" /f
    3⤵
    PID:3556
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Entrypoint: "GameBar.App"" /f
    3⤵
    PID:1840
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\StartPage: (NULL!)" /f
    3⤵
    PID:3612
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\_IndexKeys: 50 61 63 6B 61 67 65 5C 31 38 31 5C 39 33 00 50 61 63 6B 61 67 65 41 6E 64 50 61 63 6B 61 67 65 52 65 6C 61 74 69 76 65 41 70 70 6C 69 63 61 74 69 6F 6E 49 64 5C 31 38 31 5E 41 70 70 00 00" /f
    3⤵
    PID:3552
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\Application: 0x00000093" /f
    3⤵
    PID:3700
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\User: 0x00000003" /f
    3⤵
    PID:804
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f
    3⤵
    PID:3648
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\_IndexKeys: 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 5C 33 5E 39 33 00 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 55 73 65 72 4D 6F 64 65 6C 49 64 5C 33 5E 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 21 41 70 70 00 00" /f
    3⤵
    PID:2008
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\Application: 0x00000093" /f
    3⤵
    PID:232
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\User: 0x00000004" /f
    3⤵
    PID:3464
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f
    3⤵
    PID:4844
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\_IndexKeys: 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 5C 34 5E 39 33 00 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 55 73 65 72 4D 6F 64 65 6C 49 64 5C 34 5E 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 21 41 70 70 00 00" /f
    3⤵
    PID:4924
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe"" /f
    3⤵
    PID:1324
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageFamily: 0x0000004E" /f
    3⤵
    PID:4404
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageType: 0x00000008" /f
    3⤵
    PID:412
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\Flags: 0x00000000" /f
    3⤵
    PID:3388
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageOrigin: 0x00000003" /f
    3⤵
    PID:1448
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\Volume: 0x00000001" /f
    3⤵
    PID:1464
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe"" /f
    3⤵
    PID:1596
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\_IndexKeys: 50 61 63 6B 61 67 65 46 61 6D 69 6C 79 5C 34 65 5C 31 38 30 00 50 61 63 6B 61 67 65 46 75 6C 6C 4E 61 6D 65 5C 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 31 2E 34 31 2E 32 34 30 30 31 2E 30 5F 6E 65 75 74 72 61 6C 5F 7E 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 00 00" /f
    3⤵
    PID:548
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe"" /f
    3⤵
    PID:2848
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageFamily: 0x0000004E" /f
    3⤵
    PID:824
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageType: 0x00000001" /f
    3⤵
    PID:2568
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\Flags: 0x00000000" /f
    3⤵
    PID:4724
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageOrigin: 0x00000003" /f
    3⤵
    PID:1628
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\Volume: 0x00000001" /f
    3⤵
    PID:3932
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe"" /f
    3⤵
    PID:5056
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\_IndexKeys: 50 61 63 6B 61 67 65 46 61 6D 69 6C 79 5C 34 65 5C 31 38 31 00 50 61 63 6B 61 67 65 46 75 6C 6C 4E 61 6D 65 5C 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 31 2E 34 31 2E 32 34 30 30 31 2E 30 5F 78 36 34 5F 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 00 00" /f
    3⤵
    PID:2744
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe"" /f
    3⤵
    PID:2708
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageFamily: 0x0000004E" /f
    3⤵
    PID:3544
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageType: 0x00000004" /f
    3⤵
    PID:3176
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\Flags: 0x00000000" /f
    3⤵
    PID:3660
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageOrigin: 0x00000003" /f
    3⤵
    PID:3668
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\Volume: 0x00000001" /f
    3⤵
    PID:4216
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe"" /f
    3⤵
    PID:4832
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\_IndexKeys: 50 61 63 6B 61 67 65 46 61 6D 69 6C 79 5C 34 65 5C 31 38 32 00 50 61 63 6B 61 67 65 46 75 6C 6C 4E 61 6D 65 5C 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 31 2E 34 31 2E 32 34 30 30 31 2E 30 5F 6E 65 75 74 72 61 6C 5F 73 70 6C 69 74 2E 73 63 61 6C 65 2D 31 30 30 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 00 00" /f
    3⤵
    PID:1096
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80\Package: 0x00000180" /f
    3⤵
    PID:3316
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80\User: 0x00000003" /f
    3⤵
    PID:4516
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80\_IndexKeys: 55 73 65 72 5C 33 5C 31 61 38 30 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 33 5E 31 38 30 00 00" /f
    3⤵
    PID:3500
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81\Package: 0x00000181" /f
    3⤵
    PID:4804
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81\User: 0x00000003" /f
    3⤵
    PID:1156
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81\_IndexKeys: 55 73 65 72 5C 33 5C 31 61 38 31 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 33 5E 31 38 31 00 00" /f
    3⤵
    PID:348
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82\Package: 0x00000182" /f
    3⤵
    PID:1184
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82\User: 0x00000003" /f
    3⤵
    PID:4652
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82\_IndexKeys: 55 73 65 72 5C 33 5C 31 61 38 32 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 33 5E 31 38 32 00 00" /f
    3⤵
    PID:468
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83\Package: 0x00000180" /f
    3⤵
    PID:1576
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83\User: 0x00000004" /f
    3⤵
    PID:856
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83\_IndexKeys: 55 73 65 72 5C 34 5C 31 61 38 33 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 34 5E 31 38 30 00 00" /f
    3⤵
    PID:1116
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84\Package: 0x00000181" /f
    3⤵
    PID:1860
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84\User: 0x00000004" /f
    3⤵
    PID:2020
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84\_IndexKeys: 55 73 65 72 5C 34 5C 31 61 38 34 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 34 5E 31 38 31 00 00" /f
    3⤵
    PID:1652
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Path: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml"" /f
    3⤵
    PID:4868
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\Path: "C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\AppxManifest.xml"" /f
    3⤵
    PID:3944
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe\Path: "C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe\AppxManifest.xml"" /f
    3⤵
    PID:976
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Path: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml"" /f
    3⤵
    PID:4864
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\LastReturnValue: 0x00000000" /f
    3⤵
    PID:2504
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\NumberOfAttempts: 0x00000001" /f
    3⤵
    PID:4900
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\Path: "C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\AppxManifest.xml"" /f
    3⤵
    PID:4480
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe\Path: "C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe\AppxManifest.xml"" /f
    3⤵
    PID:4828
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VolatileNotifications\41C64E6DA3D39855: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 02 00 1C 00 01 00 00 00 00 00 14 00 03 00 00 00 01 01 00 00 00 00 00 05 0B 00 00 00 04 00 00 00" /f
    3⤵
    PID:3652
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VolatileNotifications\41C64E6DA3CF4055: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 02 00 1C 00 01 00 00 00 00 00 14 00 03 00 00 00 01 01 00 00 00 00 00 05 0B 00 00 00 04 00 00 00" /f
    3⤵
    PID:3828
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\WOW6432Node\Google\Update\UsageStats\Daily\Counts\cup_ecdsa_http_failure: 01 00 00 00 00 00 00 00" /f
    3⤵
    PID:2520
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\AppPackageType: 0x00000000" /f
    3⤵
    PID:3192
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\PackageSid: "S-1-15-2-1823635404-1364722122-2170562666-1762391777-2399050872-3465541734-3732476201"" /f
    3⤵
    PID:3616
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\EnterpriseID: 0x00000000" /f
    3⤵
    PID:2676
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\CapSids: 0A 00 00 00 01 02 00 00 00 00 00 0F 03 00 00 00 01 00 00 00 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 E8 41 FE 65 15 CB 86 8E 43 2C E1 30 42 2A B3 51 4E 9C 0E 17 B4 1B 89 09 98 DA 44 8D 13 6A 0C B3 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 E4 29 72 AE 52 A9 2E 19 C4 FB 6C 51 9E 00 25 50 5B 64 A6 6F A4 D2 D0 57 D2 DB D7 37 F2 B0 85 AC 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 0B 44 35 CF 44 6C 30 B5 4C 90 DA 15 DB 4C 09 94 5A 08 A5 69 F0 DC C5 65 02 4A 7B B9 A8 2C DA C2 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 3C DA 35 57 2A 15 FA C8 02 C1 BC 52 65 2B D8 EC C8 8E 72 9B 62 79 A8 20 65 1E 06 07 AF 02 70 0C 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 CE 22 45 27 27 B8 EA 12 11 8A 20 EF 09 19 FD 6B B8 B4 A0 D6 03 10 5B DD D6 CF 74 85 60 22 D2 CD 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 0A D5 CA 1A 96 05 1C F5 5E 2" /f
    3⤵
    PID:3264
- - C:\Windows\system32\reg.exe
    reg delete "C 0C CE 2A E8 F3 66 B9 86 13 95 5D 1A 40 0A 7F 52 A9 BA B2 23 04 83 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 38 B0 4E D5 42 5B 15 DF 75 ED 77 00 0E 5B 16 73 C1 5E D2 AF 68 BF 75 AD 38 35 1D 6A 1E 9A 12 F7 01 0A 00 00 00 00 00 0F 03 00 00 00 00 04 00 00 AF 37 E5 A2 58 AD 48 66 53 E6 1F 53 B9 42 0E EA 34 9C E5 B6 48 3A DB 78 9F 5C A7 33 FE 7E 97 1A 01 08 00 00 00 00 00 0F 03 00 00 00 CC 77 B2 6C CA 01 58 51 6A 28 60 81 E1 F6 0B 69 78 9C FE 8E 66 F8 8F CE 29 11 79 DE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" /f
    3⤵
    PID:4696
- - C:\Windows\system32\reg.exe
    reg delete " 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" /f
    3⤵
    PID:1512
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\ApplicationFlags: 0x00000000" /f
    3⤵
    PID:1128
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat\GamesInstalled: "217;"" /f
    3⤵
    PID:1632
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862software: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f
    3⤵
    PID:1460
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_sid: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 2E 64 61 74 00 00" /f
    3⤵
    PID:4756
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_classes: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 43 6C 61 73 73 65 73 2E 64 61 74 00 00" /f
    3⤵
    PID:3764
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Siloe6b4a779-bfe1-62d8-47ac-fa19e9becbbecom: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 5F 43 4F 4D 31 35 2E 64 61 74 00 00" /f
    3⤵
    PID:2972
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862com: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f
    3⤵
    PID:640
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping_EAC.exe: B1 8A B0 E9 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2208
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\EasyAntiCheat\EasyAntiCheat_Setup.exe: 73 D5 4B 11 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f
    3⤵
    PID:1636
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping.exe: E7 CB 84 E9 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1000
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Type: 0x00000010" /f
    3⤵
    PID:644
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Start: 0x00000003" /f
    3⤵
    PID:4548
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f
    3⤵
    PID:4988
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f
    3⤵
    PID:4584
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f
    3⤵
    PID:4524
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\WOW64: 0x0000014C" /f
    3⤵
    PID:3808
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ObjectName: "LocalSystem"" /f
    3⤵
    PID:3980
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Description: "Provides integrated security and services for online multiplayer games."" /f
    3⤵
    PID:964
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f
    3⤵
    PID:4740
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862software: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f
    3⤵
    PID:2500
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_sid: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 2E 64 61 74 00 00" /f
    3⤵
    PID:3328
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_classes: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 43 6C 61 73 73 65 73 2E 64 61 74 00 00" /f
    3⤵
    PID:5112
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Siloe6b4a779-bfe1-62d8-47ac-fa19e9becbbecom: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 5F 43 4F 4D 31 35 2E 64 61 74 00 00" /f
    3⤵
    PID:3468
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862com: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f
    3⤵
    PID:2064
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping_EAC.exe: B1 8A B0 E9 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2728
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\EasyAntiCheat\EasyAntiCheat_Setup.exe: 73 D5 4B 11 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f
    3⤵
    PID:2172
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping.exe: E7 CB 84 E9 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1408
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Type: 0x00000010" /f
    3⤵
    PID:2772
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Start: 0x00000003" /f
    3⤵
    PID:2184
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f
    3⤵
    PID:4460
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f
    3⤵
    PID:3476
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f
    3⤵
    PID:5008
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\WOW64: 0x0000014C" /f
    3⤵
    PID:244
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ObjectName: "LocalSystem"" /f
    3⤵
    PID:3196
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Description: "Provides integrated security and services for online multiplayer games."" /f
    3⤵
    PID:4316
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f
    3⤵
    PID:552
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\5e4eddc4_0\: "{2}.\\?\hdaudio#func_01
    3⤵
    PID:2392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\PLA\6aPal03omI.bat
  2⤵
  PID:4916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\PLA\nS77rnA8cC.bat
  2⤵
  - Drops file in Windows directory
  PID:3544
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im smartscreen.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3492
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EasyAntiCheat.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3868
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im dnf.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4832
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im DNF.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5104
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im CrossProxy.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1440
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im tensafe_1.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2328
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im TenSafe_1.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4952
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im tensafe_2.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4652
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im tencentdl.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1576
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im TenioDL.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1784
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im uishell.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4136
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im BackgroundDownloader.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2212
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im conime.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3352
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im QQDL.EXE
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2504
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im qqlogin.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4320
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im dnfchina.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2892
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im dnfchinatest.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3592
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im dnf.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1548
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im txplatform.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2676
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im TXPlatform.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4472
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OriginWebHelperService.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:668
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Origin.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5076
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OriginClientService.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4756
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OriginER.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2972
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OriginThinSetupInternal.exe
    3⤵
    - Kills process with taskkill
    PID:624
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OriginLegacyCLI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1212
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Agent.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3992
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Client.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
- - C:\Windows\system32\sc.exe
    Sc stop EasyAntiCheat
    3⤵
    - Launches sc.exe
    PID:3864
- - C:\Windows\system32\rundll32.exe
    RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    PID:1840
  - - C:\Windows\system32\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:8 WinX:0 WinY:0 IEFrame:0000000000000000
      4⤵
      Modifies registry class
      PID:3468
- - C:\Windows\system32\netsh.exe
    netsh interface set interface "Local Area Connection" disable
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\PLA\6aPal03omI.bat

Filesize
39KB

MD5
a781eee0a11409d7fcc2dccbd08bd128

SHA1
da92d3f3b4bbbec7d087525ad3c6c6a913e235a0

SHA256
f23883a8f2df39a9984c2f22f0046f777cc51240e949dc90572ffa6b136b5755

SHA512
2b8dc49d6e97bc7acedabf4ff1703d95d7a0e47ee3d0a96e3bc459f4b061bb40708545c3648910f26efb9676f84156c6aa7be1e18164564e77fc342c98bc9c5f

Download Submit
C:\Windows\PLA\AppV.exe

Filesize
452KB

MD5
c4d09d3b3516550ad2ded3b09e28c10c

SHA1
7a5e77bb9ba74cf57cb1d119325b0b7f64199824

SHA256
66433a06884f28fdabb85a73c682d1587767e1dfa116907559ec00ed8d0919d3

SHA512
2e7800aae592d38c4a6c854b11d0883de70f938b29d78e257ab47a8a2bbf09121145d0a9aea9b56c16e18cde31b693d31d7ebfcd0473b7c15df5d7ae6708bbd2

Download Submit
C:\Windows\PLA\amifldrv64.sys

Filesize
18KB

MD5
785045f8b25cd2e937ddc6b09debe01a

SHA1
029c678674f482ababe8bbfdb93152392457109d

SHA256
37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba

SHA512
40bbeb41816146c7172aa3cf27dace538908b7955171968e1cddcd84403b2588e0d8437a3596c2714ccdf4476eefa3d4e61d90ea118982b729f50b03df1104a9

Download Submit
C:\Windows\PLA\dvzde6fvjT.bat

Filesize
162KB

MD5
8c3967f9be32e3f7d07ee878e1794c13

SHA1
4b0d632fd8f3d30147f4a5721e6fdfb0b0b470b7

SHA256
11699f90d4533162a3b7ad620b61a9745a9a06989c3b93b217cd10dec64fb0ad

SHA512
55519fabada9285bd96d043f3128a6ed4dffad624359c47b27342fe63e0e6f24d9cd35f1a7488da627f68146d4d803ee1e4e946384f62f5a1c32c4599d2ff9d4

Download Submit
C:\Windows\PLA\nS77rnA8cC.bat

Filesize
81KB

MD5
832379eb54407b25c8a2c36dc79b1d79

SHA1
58b8c47bd390a50ed57d1666854592a794160079

SHA256
1bef2c5582bc048f72aec55b2a975db22fbb3992511ebc1edfc8f88daed2989a

SHA512
5b2de157f9ed2f798b7b4a8f6de0bebe139025b004c806055915806a02549fa1bf5121e3af53fce3b0b5f5444c3412c9cc4e7c8d3169440b226a6d8e6ffb6b50

Download Submit
C:\Windows\PLA\sp.exe

Filesize
3.2MB

MD5
a0f7f907b04bb5da98982d5fa1760b6a

SHA1
b468a4ebce1f208f2fe970be4d7dcb46a6bd934d

SHA256
01bcfd00f8c32036b7820dce7b91a8d0d75e300e9758f27ea00a5e32312ba779

SHA512
ca6a5ab4d857f9b9383104e36c8235138e98143d67e773f33092f8d18f0931e695ff98b245bd97988e2c0494bb44be4f35bdb246aa0de89e62a4188785e9b09d

Download Submit
C:\Windows\PLA\spoofer.sys

Filesize
44KB

MD5
3578511a426aa8d72cdcd854783907f2

SHA1
600c04ce7ee31985fcc160b0e3e62afeb293e298

SHA256
3f13141c16baa7cbdcb6867c5caa39038bbc36d34dac5edadc0225ba22a0abc9

SHA512
e56dfcc9368769d6df779026eaed18cf34961b148378266dce7029af317e89ef0301f828e3a25d0f5b4892ebe3c9cf21dfe1a825e84509aa916fb44233632a6a

Download Submit
memory/3504-31-0x0000000140000000-0x00000001404D6000-memory.dmp

Filesize
4.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads