cerber | 564f08ca2ad008e85407528f04e39b3087f53443c774be0898be735813d91f18

Resubmissions

10/03/2025, 18:41

250310-xbr8tavthz 10

10/03/2025, 18:22

250310-wz6wfatm19 10

Analysis

max time kernel
21s
max time network
16s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
10/03/2025, 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loader.exe
Size

5.1MB
MD5

2feca6c6065a51f8ce0fba51010c8e72
SHA1

533ecd7078632a162e7bf6444797a9495927e2da
SHA256

2508b00db8479ba856be5c395e2ae74d435e455202116cc1c3db69e771b416be
SHA512

cf8e34c2152219bb0b2a3dd5a71413db98418ab11f39d61bc859854166467289af02a95930bd29d01acd864dde03679d7f3ea05a7b0ad544a6c42bb4356cdeb3
SSDEEP

98304:nGCd7m+ij9HD0+jCihNRkl/W6aG/wcKnfu8NUT6KlRPJ:Gx+y4ihkl/Wo/afHPgRB

Score

10^/10

cerber discovery persistence ransomware

Malware Config

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Cerber family
cerber

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\hsnZDADteeVV\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\hsnZDADteeVV"	kdmapper.exe

Executes dropped EXE 28 IoCs

pid	Process
2492	kdmapper.exe
2880	zhjers.exe
2796	zhjers.exe
2720	zhjers.exe
2772	zhjers.exe
2632	zhjers.exe
2704	zhjers.exe
2684	zhjers.exe
1196	zhjers.exe
536	zhjers.exe
1800	zhjers.exe
2064	zhjers.exe
1556	zhjers.exe
1192	zhjers.exe
2928	zhjers.exe
2016	zhjers.exe
2008	zhjers.exe
2984	zhjers.exe
2828	zhjers.exe
2368	zhjers.exe
2172	zhjers.exe
2156	zhjers.exe
448	zhjers.exe
320	zhjers.exe
1376	zhjers.exe
1124	zhjers.exe
1940	zhjers.exe
2580	zhjers.exe

Loads dropped DLL 2 IoCs

pid	Process
2564	loader.exe
2900	cmd.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\ppinptwz.oam\zhjers.exe	loader.exe
File created	C:\Windows\ppinptwz.oam\dvlwwwdrv64.sys	loader.exe
File created	C:\Windows\ppinptwz.oam\randomisershit.sys	loader.exe
File opened for modification	C:\Windows\ppinptwz.oam	loader.exe
File created	C:\Windows\ppinptwz.oam\cleaner.bat	loader.exe
File created	C:\Windows\ppinptwz.oam\AMIFLDRV64.SYS	loader.exe
File created	C:\Windows\ppinptwz.oam\kdmapper.exe	loader.exe
File created	C:\Windows\ppinptwz.oam\Volumeid.exe	loader.exe
File created	C:\Windows\ppinptwz.oam\mac.bat	loader.exe
File opened for modification	C:\Windows\ppinptwz.oam\mac.bat	loader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	loader.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
912	ipconfig.exe

Kills process with taskkill 2 IoCs

defense_evasion

pid	Process
740	taskkill.exe
2456	taskkill.exe

Suspicious behavior: LoadsDriver 28 IoCs

pid	Process
2492	kdmapper.exe
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2564	loader.exe
Token: 33	2564	loader.exe
Token: SeIncBasePriorityPrivilege	2564	loader.exe
Token: 33	2564	loader.exe
Token: SeIncBasePriorityPrivilege	2564	loader.exe
Token: 33	2564	loader.exe
Token: SeIncBasePriorityPrivilege	2564	loader.exe
Token: 33	2564	loader.exe
Token: SeIncBasePriorityPrivilege	2564	loader.exe
Token: 33	2564	loader.exe
Token: SeIncBasePriorityPrivilege	2564	loader.exe
Token: 33	2564	loader.exe
Token: SeIncBasePriorityPrivilege	2564	loader.exe
Token: 33	2564	loader.exe
Token: SeIncBasePriorityPrivilege	2564	loader.exe
Token: 33	2564	loader.exe
Token: SeIncBasePriorityPrivilege	2564	loader.exe
Token: 33	2564	loader.exe
Token: SeIncBasePriorityPrivilege	2564	loader.exe
Token: 33	2564	loader.exe
Token: SeIncBasePriorityPrivilege	2564	loader.exe
Token: 33	2564	loader.exe
Token: SeIncBasePriorityPrivilege	2564	loader.exe
Token: 33	2564	loader.exe
Token: SeIncBasePriorityPrivilege	2564	loader.exe
Token: 33	2564	loader.exe
Token: SeIncBasePriorityPrivilege	2564	loader.exe
Token: 33	2564	loader.exe
Token: SeIncBasePriorityPrivilege	2564	loader.exe
Token: 33	2564	loader.exe
Token: SeIncBasePriorityPrivilege	2564	loader.exe
Token: 33	2564	loader.exe
Token: SeIncBasePriorityPrivilege	2564	loader.exe
Token: 33	2564	loader.exe
Token: SeIncBasePriorityPrivilege	2564	loader.exe
Token: 33	2564	loader.exe
Token: SeIncBasePriorityPrivilege	2564	loader.exe
Token: 33	2564	loader.exe
Token: SeIncBasePriorityPrivilege	2564	loader.exe
Token: 33	2564	loader.exe
Token: SeIncBasePriorityPrivilege	2564	loader.exe
Token: 33	2564	loader.exe
Token: SeIncBasePriorityPrivilege	2564	loader.exe
Token: 33	2564	loader.exe
Token: SeIncBasePriorityPrivilege	2564	loader.exe
Token: 33	2564	loader.exe
Token: SeIncBasePriorityPrivilege	2564	loader.exe
Token: 33	2564	loader.exe
Token: SeIncBasePriorityPrivilege	2564	loader.exe
Token: 33	2564	loader.exe
Token: SeIncBasePriorityPrivilege	2564	loader.exe
Token: 33	2564	loader.exe
Token: SeIncBasePriorityPrivilege	2564	loader.exe
Token: 33	2564	loader.exe
Token: SeIncBasePriorityPrivilege	2564	loader.exe
Token: 33	2564	loader.exe
Token: SeIncBasePriorityPrivilege	2564	loader.exe
Token: 33	2564	loader.exe
Token: SeIncBasePriorityPrivilege	2564	loader.exe
Token: 33	2564	loader.exe
Token: SeIncBasePriorityPrivilege	2564	loader.exe
Token: 33	2564	loader.exe
Token: SeIncBasePriorityPrivilege	2564	loader.exe
Token: 33	2564	loader.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 2492	2564	loader.exe	31
PID 2564 wrote to memory of 2492	2564	loader.exe	31
PID 2564 wrote to memory of 2492	2564	loader.exe	31
PID 2564 wrote to memory of 2492	2564	loader.exe	31
PID 2564 wrote to memory of 2900	2564	loader.exe	33
PID 2564 wrote to memory of 2900	2564	loader.exe	33
PID 2564 wrote to memory of 2900	2564	loader.exe	33
PID 2564 wrote to memory of 2900	2564	loader.exe	33
PID 2900 wrote to memory of 2880	2900	cmd.exe	35
PID 2900 wrote to memory of 2880	2900	cmd.exe	35
PID 2900 wrote to memory of 2880	2900	cmd.exe	35
PID 2900 wrote to memory of 2880	2900	cmd.exe	35
PID 2564 wrote to memory of 2200	2564	loader.exe	36
PID 2564 wrote to memory of 2200	2564	loader.exe	36
PID 2564 wrote to memory of 2200	2564	loader.exe	36
PID 2564 wrote to memory of 2200	2564	loader.exe	36
PID 2200 wrote to memory of 2796	2200	cmd.exe	38
PID 2200 wrote to memory of 2796	2200	cmd.exe	38
PID 2200 wrote to memory of 2796	2200	cmd.exe	38
PID 2200 wrote to memory of 2796	2200	cmd.exe	38
PID 2564 wrote to memory of 2668	2564	loader.exe	39
PID 2564 wrote to memory of 2668	2564	loader.exe	39
PID 2564 wrote to memory of 2668	2564	loader.exe	39
PID 2564 wrote to memory of 2668	2564	loader.exe	39
PID 2668 wrote to memory of 2720	2668	cmd.exe	41
PID 2668 wrote to memory of 2720	2668	cmd.exe	41
PID 2668 wrote to memory of 2720	2668	cmd.exe	41
PID 2668 wrote to memory of 2720	2668	cmd.exe	41
PID 2564 wrote to memory of 2656	2564	loader.exe	42
PID 2564 wrote to memory of 2656	2564	loader.exe	42
PID 2564 wrote to memory of 2656	2564	loader.exe	42
PID 2564 wrote to memory of 2656	2564	loader.exe	42
PID 2656 wrote to memory of 2772	2656	cmd.exe	44
PID 2656 wrote to memory of 2772	2656	cmd.exe	44
PID 2656 wrote to memory of 2772	2656	cmd.exe	44
PID 2656 wrote to memory of 2772	2656	cmd.exe	44
PID 2564 wrote to memory of 2748	2564	loader.exe	45
PID 2564 wrote to memory of 2748	2564	loader.exe	45
PID 2564 wrote to memory of 2748	2564	loader.exe	45
PID 2564 wrote to memory of 2748	2564	loader.exe	45
PID 2748 wrote to memory of 2632	2748	cmd.exe	47
PID 2748 wrote to memory of 2632	2748	cmd.exe	47
PID 2748 wrote to memory of 2632	2748	cmd.exe	47
PID 2748 wrote to memory of 2632	2748	cmd.exe	47
PID 2564 wrote to memory of 2648	2564	loader.exe	48
PID 2564 wrote to memory of 2648	2564	loader.exe	48
PID 2564 wrote to memory of 2648	2564	loader.exe	48
PID 2564 wrote to memory of 2648	2564	loader.exe	48
PID 2648 wrote to memory of 2704	2648	cmd.exe	50
PID 2648 wrote to memory of 2704	2648	cmd.exe	50
PID 2648 wrote to memory of 2704	2648	cmd.exe	50
PID 2648 wrote to memory of 2704	2648	cmd.exe	50
PID 2564 wrote to memory of 2804	2564	loader.exe	51
PID 2564 wrote to memory of 2804	2564	loader.exe	51
PID 2564 wrote to memory of 2804	2564	loader.exe	51
PID 2564 wrote to memory of 2804	2564	loader.exe	51
PID 2804 wrote to memory of 2684	2804	cmd.exe	53
PID 2804 wrote to memory of 2684	2804	cmd.exe	53
PID 2804 wrote to memory of 2684	2804	cmd.exe	53
PID 2804 wrote to memory of 2684	2804	cmd.exe	53
PID 2564 wrote to memory of 1804	2564	loader.exe	54
PID 2564 wrote to memory of 1804	2564	loader.exe	54
PID 2564 wrote to memory of 1804	2564	loader.exe	54
PID 2564 wrote to memory of 1804	2564	loader.exe	54

C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\ppinptwz.oam\kdmapper.exe
  "C:\Windows\ppinptwz.oam\kdmapper.exe" C:\Windows\ppinptwz.oam\randomisershit.sys
  2⤵
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  PID:2492
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ppinptwz.oam\zhjers.exe /SU auto
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\ppinptwz.oam\zhjers.exe
    C:\Windows\ppinptwz.oam\zhjers.exe /SU auto
    3⤵
    - Executes dropped EXE
    PID:2880
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ppinptwz.oam\zhjers.exe /SS "To Be Filled By O.E.M."
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\ppinptwz.oam\zhjers.exe
    C:\Windows\ppinptwz.oam\zhjers.exe /SS "To Be Filled By O.E.M."
    3⤵
    - Executes dropped EXE
    PID:2796
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ppinptwz.oam\zhjers.exe /SV "1.0"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\ppinptwz.oam\zhjers.exe
    C:\Windows\ppinptwz.oam\zhjers.exe /SV "1.0"
    3⤵
    - Executes dropped EXE
    PID:2720
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ppinptwz.oam\zhjers.exe /CSK "To Be Filled By O.E.M."
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\ppinptwz.oam\zhjers.exe
    C:\Windows\ppinptwz.oam\zhjers.exe /CSK "To Be Filled By O.E.M."
    3⤵
    - Executes dropped EXE
    PID:2772
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ppinptwz.oam\zhjers.exe /CM "To Be Filled By O.E.M."
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\ppinptwz.oam\zhjers.exe
    C:\Windows\ppinptwz.oam\zhjers.exe /CM "To Be Filled By O.E.M."
    3⤵
    - Executes dropped EXE
    PID:2632
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ppinptwz.oam\zhjers.exe /SP "MS-7D22"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\ppinptwz.oam\zhjers.exe
    C:\Windows\ppinptwz.oam\zhjers.exe /SP "MS-7D22"
    3⤵
    - Executes dropped EXE
    PID:2704
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ppinptwz.oam\zhjers.exe /SM "Micro-Star International Co., Ltd."
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\ppinptwz.oam\zhjers.exe
    C:\Windows\ppinptwz.oam\zhjers.exe /SM "Micro-Star International Co., Ltd."
    3⤵
    - Executes dropped EXE
    PID:2684
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ppinptwz.oam\zhjers.exe /SK "To Be Filled By O.E.M."
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1804
- - C:\Windows\ppinptwz.oam\zhjers.exe
    C:\Windows\ppinptwz.oam\zhjers.exe /SK "To Be Filled By O.E.M."
    3⤵
    - Executes dropped EXE
    PID:1196
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ppinptwz.oam\zhjers.exe /SF "To Be Filled By O.E.M."
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1104
- - C:\Windows\ppinptwz.oam\zhjers.exe
    C:\Windows\ppinptwz.oam\zhjers.exe /SF "To Be Filled By O.E.M."
    3⤵
    - Executes dropped EXE
    PID:536
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ppinptwz.oam\zhjers.exe /BM "Micro-Star International Co., Ltd."
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1092
- - C:\Windows\ppinptwz.oam\zhjers.exe
    C:\Windows\ppinptwz.oam\zhjers.exe /BM "Micro-Star International Co., Ltd."
    3⤵
    - Executes dropped EXE
    PID:1800
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ppinptwz.oam\zhjers.exe /BP "H510M-A PRO (MS-7D22)"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1688
- - C:\Windows\ppinptwz.oam\zhjers.exe
    C:\Windows\ppinptwz.oam\zhjers.exe /BP "H510M-A PRO (MS-7D22)"
    3⤵
    - Executes dropped EXE
    PID:2064
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ppinptwz.oam\zhjers.exe /BV "1.0"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2520
- - C:\Windows\ppinptwz.oam\zhjers.exe
    C:\Windows\ppinptwz.oam\zhjers.exe /BV "1.0"
    3⤵
    - Executes dropped EXE
    PID:1556
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ppinptwz.oam\zhjers.exe /BT "To Be Filled By O.E.M."
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1780
- - C:\Windows\ppinptwz.oam\zhjers.exe
    C:\Windows\ppinptwz.oam\zhjers.exe /BT "To Be Filled By O.E.M."
    3⤵
    - Executes dropped EXE
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ppinptwz.oam\zhjers.exe /BLC "To Be Filled By O.E.M."
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2868
- - C:\Windows\ppinptwz.oam\zhjers.exe
    C:\Windows\ppinptwz.oam\zhjers.exe /BLC "To Be Filled By O.E.M."
    3⤵
    - Executes dropped EXE
    PID:2928
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ppinptwz.oam\zhjers.exe /PSN "To Be Filled By O.E.M."
  2⤵
  - System Location Discovery: System Language Discovery
  PID:840
- - C:\Windows\ppinptwz.oam\zhjers.exe
    C:\Windows\ppinptwz.oam\zhjers.exe /PSN "To Be Filled By O.E.M."
    3⤵
    - Executes dropped EXE
    PID:2016
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ppinptwz.oam\zhjers.exe /PAT "To Be Filled By O.E.M."
  2⤵
  - System Location Discovery: System Language Discovery
  PID:268
- - C:\Windows\ppinptwz.oam\zhjers.exe
    C:\Windows\ppinptwz.oam\zhjers.exe /PAT "To Be Filled By O.E.M."
    3⤵
    - Executes dropped EXE
    PID:2008
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ppinptwz.oam\zhjers.exe /PPN "To Be Filled By O.E.M."
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1696
- - C:\Windows\ppinptwz.oam\zhjers.exe
    C:\Windows\ppinptwz.oam\zhjers.exe /PPN "To Be Filled By O.E.M."
    3⤵
    - Executes dropped EXE
    PID:2984
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ppinptwz.oam\zhjers.exe /CSK "To Be Filled By O.E.M."
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3004
- - C:\Windows\ppinptwz.oam\zhjers.exe
    C:\Windows\ppinptwz.oam\zhjers.exe /CSK "To Be Filled By O.E.M."
    3⤵
    - Executes dropped EXE
    PID:2828
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ppinptwz.oam\zhjers.exe /CS "To Be Filled By O.E.M."
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2092
- - C:\Windows\ppinptwz.oam\zhjers.exe
    C:\Windows\ppinptwz.oam\zhjers.exe /CS "To Be Filled By O.E.M."
    3⤵
    - Executes dropped EXE
    PID:2368
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ppinptwz.oam\zhjers.exe /CV "1.0"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2472
- - C:\Windows\ppinptwz.oam\zhjers.exe
    C:\Windows\ppinptwz.oam\zhjers.exe /CV "1.0"
    3⤵
    - Executes dropped EXE
    PID:2172
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ppinptwz.oam\zhjers.exe /CM "Micro-Star International Co., Ltd."
  2⤵
  - System Location Discovery: System Language Discovery
  PID:668
- - C:\Windows\ppinptwz.oam\zhjers.exe
    C:\Windows\ppinptwz.oam\zhjers.exe /CM "Micro-Star International Co., Ltd."
    3⤵
    - Executes dropped EXE
    PID:2156
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ppinptwz.oam\zhjers.exe /CA "To Be Filled By O.E.M."
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3068
- - C:\Windows\ppinptwz.oam\zhjers.exe
    C:\Windows\ppinptwz.oam\zhjers.exe /CA "To Be Filled By O.E.M."
    3⤵
    - Executes dropped EXE
    PID:448
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ppinptwz.oam\zhjers.exe /CO "0000 0000h"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1736
- - C:\Windows\ppinptwz.oam\zhjers.exe
    C:\Windows\ppinptwz.oam\zhjers.exe /CO "0000 0000h"
    3⤵
    - Executes dropped EXE
    PID:320
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ppinptwz.oam\zhjers.exe /CT "03h"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:696
- - C:\Windows\ppinptwz.oam\zhjers.exe
    C:\Windows\ppinptwz.oam\zhjers.exe /CT "03h"
    3⤵
    - Executes dropped EXE
    PID:1376
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ppinptwz.oam\zhjers.exe /IV "3.80"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1628
- - C:\Windows\ppinptwz.oam\zhjers.exe
    C:\Windows\ppinptwz.oam\zhjers.exe /IV "3.80"
    3⤵
    - Executes dropped EXE
    PID:1124
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ppinptwz.oam\zhjers.exe /IVN "American Megatrends International, LLC."
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1240
- - C:\Windows\ppinptwz.oam\zhjers.exe
    C:\Windows\ppinptwz.oam\zhjers.exe /IVN "American Megatrends International, LLC."
    3⤵
    - Executes dropped EXE
    PID:1940
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Windows\ppinptwz.oam\zhjers.exe /BS "%random%%random%%random%%random%%random%"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:880
- - C:\Windows\ppinptwz.oam\zhjers.exe
    C:\Windows\ppinptwz.oam\zhjers.exe /BS "269251624583551419620639"
    3⤵
    - Executes dropped EXE
    PID:2580
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Windows\ppinptwz.oam\cleaner.bat" "
  2⤵
  - Drops file in Drivers directory
  - System Location Discovery: System Language Discovery
  PID:292
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "Steam.exe" /t /fi "status eq running"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:740
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im EpicGamesLauncher.exe /t /fi status eq running
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2456
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing\HardwareID /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:812
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing\Store /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2100
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_CURRENT_USER\Software\WinRAR\ArcHistory /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2496
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-1282084573-1681065996-3115981261-1001 /va /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2712
- - C:\Windows\SysWOW64\reg.exe
    REG DELETEH KEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\ShowJumpView /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1944
- - C:\Windows\SysWOW64\reg.exe
    REG DELETEH KEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:304
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_CURRENT_USER\Software\WinRAR\ArcHistory /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:960
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1264
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1004
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\ShowJumpView /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1816
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-332004695-2829936588-140372829-1002 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1824
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:876
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2068
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2208
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2252
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-1282084573-1681065996-3115981261-1001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1724
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1700
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKCU\Software\Electronic Arts\EA Core\Staging\194908\ergc" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2332
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKCU\Software\Electronic Arts" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2296
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Respawn\Apex\Product GUID" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1440
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Classes\origin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2312
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Classes\origin2" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1980
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKCR\origin" /f
    3⤵
    PID:980
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKCR\origin2" /f
    3⤵
    PID:580
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKCR\Applications\Origin.exe" /f
    3⤵
    PID:1028
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Classes\Applications\Origin.exe" /f
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.Origin" /f
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\Origin Client Service" /f
    3⤵
    PID:2192
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\Origin Web Helper Service" /f
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\Origin Client Service" /f
    3⤵
    PID:1856
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\Origin Web Helper Service" /f
    3⤵
    PID:2372
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\Origin.exe" /f
    3⤵
    PID:2436
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKCR\Applications\Origin.exe" /f
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Classes\Applications\Origin.exe" /f
    3⤵
    PID:2780
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.Origin" /f
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93" /f
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181" /f
    3⤵
    PID:2876
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181\93" /f
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App" /f
    3⤵
    PID:956
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App\93" /f
    3⤵
    PID:3044
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac" /f
    3⤵
    PID:2792
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad" /f
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93" /f
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93\ac" /f
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93" /f
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93\ad" /f
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180" /f
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181" /f
    3⤵
    PID:2476
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182" /f
    3⤵
    PID:3040
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\180" /f
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f
    3⤵
    PID:2844
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f
    3⤵
    PID:2988
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f
    3⤵
    PID:2924
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f
    3⤵
    PID:2972
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f
    3⤵
    PID:2644
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f
    3⤵
    PID:2748
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f
    3⤵
    PID:584
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f
    3⤵
    PID:2652
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f
    3⤵
    PID:2664
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security" /f
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security" /f
    3⤵
    PID:2676
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKCU\Software\Classes\Installer\Dependencies" /v MSICache /f
    3⤵
    PID:900
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKCU\Software\Microsoft\Direct3D" /v WHQLClass /f
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f
    3⤵
    PID:2240
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93" /f
    3⤵
    PID:1196
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181" /f
    3⤵
    PID:1236
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181\93" /f
    3⤵
    PID:388
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App" /f
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App\93" /f
    3⤵
    PID:536
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac" /f
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad" /f
    3⤵
    PID:2840
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93" /f
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93\ac" /f
    3⤵
    PID:1144
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93" /f
    3⤵
    PID:1092
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93\ad" /f
    3⤵
    PID:1288
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180" /f
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181" /f
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182" /f
    3⤵
    PID:2064
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\180" /f
    3⤵
    PID:1776
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\181" /f
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\182" /f
    3⤵
    PID:2076
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80" /f
    3⤵
    PID:1336
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81" /f
    3⤵
    PID:1556
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f
    3⤵
    PID:1192
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f
    3⤵
    PID:2352
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f
    3⤵
    PID:1036
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f
    3⤵
    PID:1280
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f
    3⤵
    PID:688
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f
    3⤵
    PID:272
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f
    3⤵
    PID:756
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f
    3⤵
    PID:268
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\kz2LMQg4+pNfXggv65DcWFQ9SiekWR4B4WMWT+pcqbU: 0x00000002" /f
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\4JSyFFDDKUMXDyK2USgAjbiksFnqOb3f8RPZBPSpEfU: 0x00000002" /f
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\62bDlCzxB/xxIWLkQdDRYcAqhmZhNOMUtjhRkAgTvkQ: 0x00000002" /f
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Package: 0x00000181" /f
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Index: 0x00000000" /f
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Flags: 0x00000000" /f
    3⤵
    PID:3008
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\PackageRelativeApplicationId: "App"" /f
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Executable: "GameBar.exe"" /f
    3⤵
    PID:2828
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Entrypoint: "GameBar.App"" /f
    3⤵
    PID:2728
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\StartPage: (NULL!)" /f
    3⤵
    PID:2392
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\_IndexKeys: 50 61 63 6B 61 67 65 5C 31 38 31 5C 39 33 00 50 61 63 6B 61 67 65 41 6E 64 50 61 63 6B 61 67 65 52 65 6C 61 74 69 76 65 41 70 70 6C 69 63 61 74 69 6F 6E 49 64 5C 31 38 31 5E 41 70 70 00 00" /f
    3⤵
    PID:2112
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\Application: 0x00000093" /f
    3⤵
    PID:2116
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\User: 0x00000003" /f
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f
    3⤵
    PID:2148
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\_IndexKeys: 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 5C 33 5E 39 33 00 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 55 73 65 72 4D 6F 64 65 6C 49 64 5C 33 5E 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 21 41 70 70 00 00" /f
    3⤵
    PID:2216
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\Application: 0x00000093" /f
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\User: 0x00000004" /f
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\_IndexKeys: 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 5C 34 5E 39 33 00 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 55 73 65 72 4D 6F 64 65 6C 49 64 5C 34 5E 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 21 41 70 70 00 00" /f
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe"" /f
    3⤵
    PID:3024
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageFamily: 0x0000004E" /f
    3⤵
    PID:668
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageType: 0x00000008" /f
    3⤵
    PID:916
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\Flags: 0x00000000" /f
    3⤵
    PID:1084
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageOrigin: 0x00000003" /f
    3⤵
    PID:408
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\Volume: 0x00000001" /f
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe"" /f
    3⤵
    PID:1148
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\_IndexKeys: 50 61 63 6B 61 67 65 46 61 6D 69 6C 79 5C 34 65 5C 31 38 30 00 50 61 63 6B 61 67 65 46 75 6C 6C 4E 61 6D 65 5C 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 31 2E 34 31 2E 32 34 30 30 31 2E 30 5F 6E 65 75 74 72 61 6C 5F 7E 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 00 00" /f
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe"" /f
    3⤵
    PID:2136
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageFamily: 0x0000004E" /f
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageType: 0x00000001" /f
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\Flags: 0x00000000" /f
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\PackageOrigin: 0x00000003" /f
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\Volume: 0x00000001" /f
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe"" /f
    3⤵
    PID:1240
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181\_IndexKeys: 50 61 63 6B 61 67 65 46 61 6D 69 6C 79 5C 34 65 5C 31 38 31 00 50 61 63 6B 61 67 65 46 75 6C 6C 4E 61 6D 65 5C 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 31 2E 34 31 2E 32 34 30 30 31 2E 30 5F 78 36 34 5F 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 00 00" /f
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe"" /f
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageFamily: 0x0000004E" /f
    3⤵
    PID:1380
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageType: 0x00000004" /f
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\Flags: 0x00000000" /f
    3⤵
    PID:2096
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\PackageOrigin: 0x00000003" /f
    3⤵
    PID:2108
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\Volume: 0x00000001" /f
    3⤵
    PID:2528
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe"" /f
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182\_IndexKeys: 50 61 63 6B 61 67 65 46 61 6D 69 6C 79 5C 34 65 5C 31 38 32 00 50 61 63 6B 61 67 65 46 75 6C 6C 4E 61 6D 65 5C 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 31 2E 34 31 2E 32 34 30 30 31 2E 30 5F 6E 65 75 74 72 61 6C 5F 73 70 6C 69 74 2E 73 63 61 6C 65 2D 31 30 30 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 00 00" /f
    3⤵
    PID:1052
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80\Package: 0x00000180" /f
    3⤵
    PID:800
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80\User: 0x00000003" /f
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80\_IndexKeys: 55 73 65 72 5C 33 5C 31 61 38 30 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 33 5E 31 38 30 00 00" /f
    3⤵
    PID:2444
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81\Package: 0x00000181" /f
    3⤵
    PID:304
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81\User: 0x00000003" /f
    3⤵
    PID:960
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81\_IndexKeys: 55 73 65 72 5C 33 5C 31 61 38 31 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 33 5E 31 38 31 00 00" /f
    3⤵
    PID:1004
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82\Package: 0x00000182" /f
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82\User: 0x00000003" /f
    3⤵
    PID:1824
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82\_IndexKeys: 55 73 65 72 5C 33 5C 31 61 38 32 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 33 5E 31 38 32 00 00" /f
    3⤵
    PID:876
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83\Package: 0x00000180" /f
    3⤵
    PID:2068
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83\User: 0x00000004" /f
    3⤵
    PID:2208
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83\_IndexKeys: 55 73 65 72 5C 34 5C 31 61 38 33 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 34 5E 31 38 30 00 00" /f
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84\Package: 0x00000181" /f
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84\User: 0x00000004" /f
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84\_IndexKeys: 55 73 65 72 5C 34 5C 31 61 38 34 00 55 73 65 72 41 6E 64 50 61 63 6B 61 67 65 5C 34 5E 31 38 31 00 00" /f
    3⤵
    PID:2332
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VolatileNotifications\41C64E6DA3D39855: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 02 00 1C 00 01 00 00 00 00 00 14 00 03 00 00 00 01 01 00 00 00 00 00 05 0B 00 00 00 04 00 00 00" /f
    3⤵
    PID:2588
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VolatileNotifications\41C64E6DA3CF4055: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 02 00 1C 00 01 00 00 00 00 00 14 00 03 00 00 00 01 01 00 00 00 00 00 05 0B 00 00 00 04 00 00 00" /f
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
    3⤵
    PID:2608
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862software: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_sid: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 2E 64 61 74 00 00" /f
    3⤵
    PID:568
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_classes: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 43 6C 61 73 73 65 73 2E 64 61 74 00 00" /f
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Siloe6b4a779-bfe1-62d8-47ac-fa19e9becbbecom: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 5F 43 4F 4D 31 35 2E 64 61 74 00 00" /f
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862com: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f
    3⤵
    PID:1356
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\bam\State\UserType: 0x00000010" /f
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862software: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_sid: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 2E 64 61 74 00 00" /f
    3⤵
    PID:2780
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862user_classes: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 55 73 65 72 43 6C 61 73 73 65 73 2E 64 61 74 00 00" /f
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Siloe6b4a779-bfe1-62d8-47ac-fa19e9becbbecom: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 5F 43 4F 4D 31 35 2E 64 61 74 00 00" /f
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\hivelist\\REGISTRY\WC\Silo19faac47-bee9-becb-79a7-b4e6e1bfd862com: 5C 44 65 76 69 63 65 5C 48 61 72 64 64 69 73 6B 56 6F 6C 75 6D 65 33 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C 50 61 63 6B 61 67 65 73 5C 4D 69 63 72 6F 73 6F 66 74 2E 53 6B 79 70 65 41 70 70 5F 6B 7A 66 38 71 78 66 33 38 7A 67 35 63 5C 53 2D 31 2D 35 2D 32 31 2D 32 35 33 32 33 38 32 35 32 38 2D 35 38 31 32 31 34 38 33 34 2D 32 35 33 34 34 37 34 32 34 38 2D 31 30 30 31 5C 53 79 73 74 65 6D 41 70 70 44 61 74 61 5C 48 65 6C 69 75 6D 5C 43 61 63 68 65 5C 35 63 38 63 62 62 36 61 61 37 65 61 31 34 32 34 2E 64 61 74 00 00" /f
    3⤵
    PID:2876
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
    3⤵
    PID:2936
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80" /f
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81" /f
    3⤵
    PID:2792
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f
    3⤵
    PID:3040
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f
    3⤵
    PID:2004
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f
    3⤵
    PID:2944
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f
    3⤵
    PID:2756
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f
    3⤵
    PID:2648
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Type: 0x00000010" /f
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Start: 0x00000003" /f
    3⤵
    PID:336
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\WOW64: 0x0000014C" /f
    3⤵
    PID:1448
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ObjectName: "LocalSystem"" /f
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher" /f
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher" /f
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
    3⤵
    PID:868
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\0" /f
    3⤵
    PID:1800
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000205B6" /f
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000403D6" /f
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000405DE" /f
    3⤵
    PID:1340
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000060286" /f
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000009042E" /f
    3⤵
    PID:2064
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A03B4" /f
    3⤵
    PID:2280
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A0430" /f
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000B0532" /f
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000B05D6" /f
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000C0430" /f
    3⤵
    PID:236
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000C0586" /f
    3⤵
    PID:1048
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E03D2" /f
    3⤵
    PID:1032
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E0406" /f
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000100430" /f
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001103EE" /f
    3⤵
    PID:840
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000011041E" /f
    3⤵
    PID:2848
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000012047E" /f
    3⤵
    PID:272
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001303EE" /f
    3⤵
    PID:756
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001304F2" /f
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000014041E" /f
    3⤵
    PID:268
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001703E6" /f
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000170440" /f
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001704FC" /f
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU" /f
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri" /f
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher" /f
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher" /f
    3⤵
    PID:3000
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
    3⤵
    PID:2112
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
    3⤵
    PID:2116
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f
    3⤵
    PID:2148
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:2216
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:3024
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:668
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
    3⤵
    PID:916
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
    3⤵
    PID:1084
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
    3⤵
    PID:408
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
    3⤵
    PID:1148
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:2136
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
    3⤵
    PID:320
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
    3⤵
    PID:904
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
    3⤵
    PID:1240
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
    3⤵
    PID:1380
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
    3⤵
    PID:1256
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f
    3⤵
    PID:912
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f
    3⤵
    PID:2096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Windows\ppinptwz.oam\mac.bat" "
  2⤵
  PID:836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
    3⤵
    PID:2144
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic nic where physicaladapter=true get deviceid
      4⤵
      PID:604
  - - C:\Windows\SysWOW64\findstr.exe
      findstr [0-9]
      4⤵
      PID:2020
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\07
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\007
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0007
    3⤵
    PID:2476
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0007 /v NetworkAddress /t REG_SZ /d 4EEC3AADBCC7 /f
    3⤵
    PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
    3⤵
    PID:2988
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic nic where physicaladapter=true get deviceid
      4⤵
      PID:1948
  - - C:\Windows\SysWOW64\findstr.exe
      findstr [0-9]
      4⤵
      PID:2680
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\07
    3⤵
    PID:2520
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\007
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0007
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0007 /v PnPCapabilities /t REG_DWORD /d 24 /f
    3⤵
    PID:1780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"
    3⤵
    PID:1444
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv
      4⤵
      PID:2692
- - C:\Windows\SysWOW64\netsh.exe
    netsh interface set interface name="Local Area Connection" disable
    3⤵
    PID:2340
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\System32\ipconfig.exe" /flushdns
  2⤵
  - Gathers network information
  PID:912
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" int ip reset
  2⤵
  PID:2712

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1495841912-21318793395836501349221303943518375571628301164-1647223305845714722"
1⤵
PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ppinptwz.oam\amifldrv64.sys

Filesize
29KB

MD5
f22740ba54a400fd2be7690bb204aa08

SHA1
5812387783d61c6ab5702213bb968590a18065e3

SHA256
65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9

SHA512
ac1f89736cf348f634b526569b5783118a1a35324f9ce2f2804001e5a04751f8cc21d09bfa1c4803cd14a64152beba868f5ecf119f10fa3ccbe680d2fb481500

Download Submit
C:\Windows\ppinptwz.oam\cleaner.bat

Filesize
371KB

MD5
d4a755cf4816c251a2c08548301ab6d1

SHA1
33c2b40ae11177fb116b361bffbc73690b668d73

SHA256
c1a955fd9a937afba415bc45f5b174254f708ac018321674c4967fd2d8afba4b

SHA512
860a3576184395d21df293c083c683807c584670149ce03570634494725dcaf914c8d7db24812c7aa6b29dfc04fb92b456676319c070a74a3d453c7014cf7828

Download Submit
C:\Windows\ppinptwz.oam\mac.bat

Filesize
2KB

MD5
86630f471a1c7f40e8494347f9ab8249

SHA1
10a2139adfb884f01799de89bf9b9ccb2a8bb460

SHA256
c15faade0e71acd4abcb60a7e9f3f002a46d3d47bd294f7b12d811c871d1292c

SHA512
666fe7866c2bedc78aad081bddf7e4dc8a9038b173527dc9464dd9c0776314a8c3e1ec7f4d0f34aff0d946b94ed1178a5c665d79173d1bfe0a0a611f6af65369

Download Submit
\Windows\ppinptwz.oam\kdmapper.exe

Filesize
140KB

MD5
33aa4f7f157634401b381a3328b11a8c

SHA1
50a65099f0f3bfee942d60d89c649ecd5724a48c

SHA256
180ab01cac38b5e44c4465b1a76a4c858f127f41a694a8ace8372a802fbae311

SHA512
700cbcba0e83afa6a51427036569051b938d13b811bf2841892137e1006c6c495d15b474b6838dd77575907651e7ba459a88f817bc9f05f96faea407b9a69a54

Download Submit
\Windows\ppinptwz.oam\zhjers.exe

Filesize
451KB

MD5
f17ecf761e70feb98c7f628857eedfe7

SHA1
b2c1263c641bdaee8266a05a0afbb455e29e240d

SHA256
311f5c844746d4270b5b971ccef8d74ddedca873eb45f34a1a55f1ea4a3bafcf

SHA512
e5a5f56a85ee0a372990914314b750d5f970b5f91e9084621d63378a3a16a6e64904786883cd026d8aa313606c32667d2a83703f8a22fa800230a6467684d084

Download Submit
memory/1724-75-0x0000000077970000-0x0000000077A6A000-memory.dmp

Filesize
1000KB

Download
memory/1724-74-0x0000000077850000-0x000000007796F000-memory.dmp

Filesize
1.1MB

Download
memory/1724-64-0x0000000077850000-0x000000007796F000-memory.dmp

Filesize
1.1MB

Download
memory/1724-65-0x0000000077970000-0x0000000077A6A000-memory.dmp

Filesize
1000KB

Download
memory/2564-4-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/2564-21-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/2564-20-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/2564-13-0x0000000074C5E000-0x0000000074C5F000-memory.dmp

Filesize
4KB

Download
memory/2564-0-0x0000000074C5E000-0x0000000074C5F000-memory.dmp

Filesize
4KB

Download
memory/2564-3-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/2564-2-0x00000000053E0000-0x00000000055D6000-memory.dmp

Filesize
2.0MB

Download
memory/2564-1-0x0000000000F10000-0x000000000142E000-memory.dmp

Filesize
5.1MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads