purecrypter | 2deae5346696feed6b2cce57eb002e5fac09734e8a0e888cba0935d00d50036e

Analysis

max time kernel
142s
max time network
150s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14-02-2024 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PRODUCT_Panty_Poof.rar
Size

343KB
MD5

6239eb34bd68418e0875367464ad42c3
SHA1

65a6c0afd708b904c2448f54017a461862c5b019
SHA256

2deae5346696feed6b2cce57eb002e5fac09734e8a0e888cba0935d00d50036e
SHA512

557a3e1c98406aec969f34d43d7bf73f90de0bbbb945c004060ee3bf012c64aa803572eb389a4f46a1f9cdeda794622e3e3c2188e8d05330d186aeb92dc33a50
SSDEEP

6144:CYW9DP5pSgVlCOhNImhtRJY/NP5Mp3cN3znVHRysAMROxgh/APL+ER6CkXFSKqWW:+9DP58gvCOhSmhu/NP55dlnjRKgWL+E1

Score

10^/10

purecrypter downloader loader spyware stealer

Malware Config

Extracted

Family

purecrypter

https://cdn.discordapp.com/attachments/997814360636391555/1031517343848878110/Tptzutsjt.jpeg

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 2 IoCs

pid	Process
3048	SPOOFER LOADER.exe
1800	spooferhandler.exe

Loads dropped DLL 3 IoCs

pid	Process
2680	7zFM.exe
748	Process not Found
3064	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\System32\accessibility.dll	SPOOFER LOADER.exe
File created	C:\Windows\System32\amigendrv64.sys	SPOOFER LOADER.exe
File opened for modification	C:\Windows\System32\config\TxR\{01688~4.REG	cmd.exe
File opened for modification	C:\Windows\System32\config\TxR\{01688~2.BLF	cmd.exe
File opened for modification	C:\Windows\System32\config\TxR\{01688~1.REG	cmd.exe
File opened for modification	C:\Windows\System32\config\TxR\{01688~2.REG	cmd.exe
File created	C:\Windows\System32\AppVDll.exe	SPOOFER LOADER.exe
File opened for modification	C:\Windows\System32\config\TxR\{01688~3.REG	cmd.exe
File opened for modification	C:\Windows\System32\config\TxR\{0B82E~1.REG	cmd.exe
File opened for modification	C:\Windows\System32\config\TxR\{01688~1.BLF	cmd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\VPO.exe	SPOOFER LOADER.exe
File created	C:\Windows\apppatch\Custom\e.bat	SPOOFER LOADER.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	reg.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	reg.exe

Modifies registry key 1 TTPs 38 IoCs

Modify Registry

T1112

pid	Process
1724	reg.exe
2728	reg.exe
2100	reg.exe
564	reg.exe
3020	reg.exe
2924	reg.exe
2884	reg.exe
1008	reg.exe
2640	reg.exe
2900	reg.exe
3024	reg.exe
936	reg.exe
3064	reg.exe
1952	reg.exe
2428	reg.exe
3052	reg.exe
2276	reg.exe
2920	reg.exe
3040	reg.exe
2284	reg.exe
2580	reg.exe
1808	reg.exe
2132	reg.exe
2492	reg.exe
2080	reg.exe
928	reg.exe
2396	reg.exe
2668	reg.exe
2784	reg.exe
1812	reg.exe
2004	reg.exe
2852	reg.exe
2548	reg.exe
2340	reg.exe
2556	reg.exe
2604	reg.exe
1804	reg.exe
3036	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2680	7zFM.exe
2680	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2680	7zFM.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	2680	7zFM.exe
Token: 35	2680	7zFM.exe
Token: SeSecurityPrivilege	2680	7zFM.exe
Token: SeSecurityPrivilege	2680	7zFM.exe
Token: SeSecurityPrivilege	2680	7zFM.exe
Token: SeDebugPrivilege	1800	spooferhandler.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2680	7zFM.exe
2680	7zFM.exe
2680	7zFM.exe
2680	7zFM.exe
2680	7zFM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2680	2356	cmd.exe	29
PID 2356 wrote to memory of 2680	2356	cmd.exe	29
PID 2356 wrote to memory of 2680	2356	cmd.exe	29
PID 2680 wrote to memory of 2848	2680	7zFM.exe	30
PID 2680 wrote to memory of 2848	2680	7zFM.exe	30
PID 2680 wrote to memory of 2848	2680	7zFM.exe	30
PID 2680 wrote to memory of 2572	2680	7zFM.exe	33
PID 2680 wrote to memory of 2572	2680	7zFM.exe	33
PID 2680 wrote to memory of 2572	2680	7zFM.exe	33
PID 2680 wrote to memory of 3048	2680	7zFM.exe	35
PID 2680 wrote to memory of 3048	2680	7zFM.exe	35
PID 2680 wrote to memory of 3048	2680	7zFM.exe	35
PID 3048 wrote to memory of 564	3048	SPOOFER LOADER.exe	36
PID 3048 wrote to memory of 564	3048	SPOOFER LOADER.exe	36
PID 3048 wrote to memory of 564	3048	SPOOFER LOADER.exe	36
PID 3048 wrote to memory of 3020	3048	SPOOFER LOADER.exe	37
PID 3048 wrote to memory of 3020	3048	SPOOFER LOADER.exe	37
PID 3048 wrote to memory of 3020	3048	SPOOFER LOADER.exe	37
PID 3048 wrote to memory of 3008	3048	SPOOFER LOADER.exe	38
PID 3048 wrote to memory of 3008	3048	SPOOFER LOADER.exe	38
PID 3048 wrote to memory of 3008	3048	SPOOFER LOADER.exe	38
PID 3048 wrote to memory of 3064	3048	SPOOFER LOADER.exe	39
PID 3048 wrote to memory of 3064	3048	SPOOFER LOADER.exe	39
PID 3048 wrote to memory of 3064	3048	SPOOFER LOADER.exe	39
PID 3064 wrote to memory of 1800	3064	cmd.exe	40
PID 3064 wrote to memory of 1800	3064	cmd.exe	40
PID 3064 wrote to memory of 1800	3064	cmd.exe	40
PID 3048 wrote to memory of 1028	3048	SPOOFER LOADER.exe	41
PID 3048 wrote to memory of 1028	3048	SPOOFER LOADER.exe	41
PID 3048 wrote to memory of 1028	3048	SPOOFER LOADER.exe	41
PID 3048 wrote to memory of 1980	3048	SPOOFER LOADER.exe	43
PID 3048 wrote to memory of 1980	3048	SPOOFER LOADER.exe	43
PID 3048 wrote to memory of 1980	3048	SPOOFER LOADER.exe	43
PID 3048 wrote to memory of 1748	3048	SPOOFER LOADER.exe	45
PID 3048 wrote to memory of 1748	3048	SPOOFER LOADER.exe	45
PID 3048 wrote to memory of 1748	3048	SPOOFER LOADER.exe	45
PID 3048 wrote to memory of 1744	3048	SPOOFER LOADER.exe	46
PID 3048 wrote to memory of 1744	3048	SPOOFER LOADER.exe	46
PID 3048 wrote to memory of 1744	3048	SPOOFER LOADER.exe	46
PID 3048 wrote to memory of 1644	3048	SPOOFER LOADER.exe	49
PID 3048 wrote to memory of 1644	3048	SPOOFER LOADER.exe	49
PID 3048 wrote to memory of 1644	3048	SPOOFER LOADER.exe	49
PID 3048 wrote to memory of 2880	3048	SPOOFER LOADER.exe	50
PID 3048 wrote to memory of 2880	3048	SPOOFER LOADER.exe	50
PID 3048 wrote to memory of 2880	3048	SPOOFER LOADER.exe	50
PID 3048 wrote to memory of 1936	3048	SPOOFER LOADER.exe	53
PID 3048 wrote to memory of 1936	3048	SPOOFER LOADER.exe	53
PID 3048 wrote to memory of 1936	3048	SPOOFER LOADER.exe	53
PID 3048 wrote to memory of 1624	3048	SPOOFER LOADER.exe	55
PID 3048 wrote to memory of 1624	3048	SPOOFER LOADER.exe	55
PID 3048 wrote to memory of 1624	3048	SPOOFER LOADER.exe	55
PID 1624 wrote to memory of 1424	1624	cmd.exe	57
PID 1624 wrote to memory of 1424	1624	cmd.exe	57
PID 1624 wrote to memory of 1424	1624	cmd.exe	57
PID 1624 wrote to memory of 2512	1624	cmd.exe	58
PID 1624 wrote to memory of 2512	1624	cmd.exe	58
PID 1624 wrote to memory of 2512	1624	cmd.exe	58
PID 1624 wrote to memory of 1188	1624	cmd.exe	59
PID 1624 wrote to memory of 1188	1624	cmd.exe	59
PID 1624 wrote to memory of 1188	1624	cmd.exe	59
PID 1624 wrote to memory of 1508	1624	cmd.exe	62
PID 1624 wrote to memory of 1508	1624	cmd.exe	62
PID 1624 wrote to memory of 1508	1624	cmd.exe	62
PID 1624 wrote to memory of 1116	1624	cmd.exe	61

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\PRODUCT_Panty_Poof.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\PRODUCT_Panty_Poof.rar"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO87A7ADA6\FULL SPOOFING INSTRUCTIONS.txt
    3⤵
    PID:2848
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO87A1E9D6\FASTEST SPOOFING METHOD FOR RAGING CHEATING REMOVES VAN152.txt
    3⤵
    PID:2572
- - C:\Users\Admin\AppData\Local\Temp\7zO87A3FE57\SPOOFER LOADER.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO87A3FE57\SPOOFER LOADER.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c color F1
      4⤵
      PID:564
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3008
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\ProgramData\spooferhandler.exe
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:3064
    - - C:\ProgramData\spooferhandler.exe
        
        C:\ProgramData\spooferhandler.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\Riot Games\VALORANT\live\Manifest_DebugFiles_Win64.txt
      4⤵
      PID:1028
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\Riot Games\VALORANT\live\Manifest_NonUFSFiles_Win64.txt
      4⤵
      PID:1980
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\Users\%username%\AppData\Local\IconCache.db
      4⤵
      PID:1748
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\Users\%username%\AppData\Temp\*
      4⤵
      PID:1744
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\Users\%username%\AppData\Riot Games\*
      4⤵
      PID:1644
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\Users\%username%\AppData\UnrealEngine\*
      4⤵
      PID:2880
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C del C:\Users\%username%\AppData\.IdentityService\*
      4⤵
      PID:1936
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Windows\apppatch\Custom\e.bat
      4⤵
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1624
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\VALORANT-Win64-Shipping.exe" /f
        5⤵
        
        PID:1424
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{FA99DFC7-6AC2-453A-A5E2-5E2AFF4507BD}\Count" /f
        5⤵
        
        PID:2512
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count" /f
        5⤵
        
        PID:1188
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CAA59E3C-4792-41A5-9909-6A6A8D32490E}\Count" /f
        5⤵
        
        PID:1244
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count" /f
        5⤵
        
        PID:1116
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F2A1CB5A-E3CC-4A2E-AF9D-505A7009D442}\Count" /f
        5⤵
        
        PID:1508
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{BCB48336-4DDD-48FF-BB0B-D3190DACB3E2}\Count" /f
        5⤵
        
        PID:1092
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{B267E3AD-A825-4A09-82B9-EEC22AA3B847}\Count" /f
        5⤵
        
        PID:1228
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{A3D53349-6E61-4557-8FC7-0028EDCEEBF6}\Count" /f
        5⤵
        
        PID:1236
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{9E04CAB2-CC14-11DF-BB8C-A2F1DED72085}\Count" /f
        5⤵
        
        PID:1904
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CLASSES_ROOT\riotclient" /f
        5⤵
        
        PID:2484
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
        5⤵
        
        PID:1716
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
        5⤵
        
        PID:2980
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f
        5⤵
        
        PID:2972
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
        5⤵
        
        PID:2532
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
        5⤵
        
        PID:2536
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
        5⤵
        
        PID:2044
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
        5⤵
        
        PID:2052
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
        5⤵
        
        PID:2500
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
        5⤵
        
        PID:536
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f
        5⤵
        
        PID:268
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
        5⤵
        
        PID:776
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
        5⤵
        
        PID:584
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
        5⤵
        
        PID:596
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
        5⤵
        
        PID:576
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
        5⤵
        
        PID:1048
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
        5⤵
        
        PID:2828
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
        5⤵
        
        PID:1096
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
        5⤵
        
        PID:1472
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
        5⤵
        
        PID:328
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
        5⤵
        
        PID:1848
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
        5⤵
        
        PID:832
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
        5⤵
        
        PID:2188
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
        5⤵
        
        PID:1852
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
        5⤵
        
        PID:840
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
        5⤵
        
        PID:2524
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f
        5⤵
        
        PID:900
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f
        5⤵
        
        PID:1984
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f
        5⤵
        
        PID:1720
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f
        5⤵
        
        PID:444
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
        5⤵
        
        PID:2268
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f
        5⤵
        
        PID:1148
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f
        5⤵
        
        PID:2220
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f
        5⤵
        
        PID:2336
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
        5⤵
        
        PID:2392
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
        5⤵
        
        PID:2032
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine" /f
        5⤵
        
        PID:1864
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
        5⤵
        
        PID:1292
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
        5⤵
        
        PID:2200
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f
        5⤵
        
        PID:1664
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
        5⤵
        
        PID:1548
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f
        5⤵
        Checks processor information in registry
        
        PID:1536
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
        5⤵
        
        PID:1780
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
        5⤵
        
        PID:948
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
        5⤵
        
        PID:1392
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
        5⤵
        
        PID:760
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
        5⤵
        
        PID:1860
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f
        5⤵
        
        PID:1912
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f
        5⤵
        
        PID:2208
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
        5⤵
        
        PID:1660
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f
        5⤵
        
        PID:2776
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe" /f
        5⤵
        
        PID:1916
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f
        5⤵
        
        PID:1636
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe" /f
        5⤵
        
        PID:916
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App" /f
        5⤵
        
        PID:932
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App\windows.protocol" /f
        5⤵
        
        PID:1004
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App\windows.protocol\ms-gamebarservices" /f
        5⤵
        
        PID:556
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\FortniteClient-Win64-Shipping.exe" /f
        5⤵
        
        PID:684
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe" /f
        5⤵
        
        PID:2480
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181\93" /f
        5⤵
        
        PID:2148
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181" /f
        5⤵
        
        PID:2472
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93" /f
        5⤵
        
        PID:1240
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App" /f
        5⤵
        
        PID:1316
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App\93" /f
        5⤵
        
        PID:2160
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac" /f
        5⤵
        
        PID:592
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad" /f
        5⤵
        
        PID:1044
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93" /f
        5⤵
        
        PID:828
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93\ac" /f
        5⤵
        
        PID:612
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93" /f
        5⤵
        
        PID:2320
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93\ad" /f
        5⤵
        
        PID:2264
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180" /f
        5⤵
        
        PID:548
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181" /f
        5⤵
        
        PID:1700
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182" /f
        5⤵
        
        PID:2136
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\180" /f
        5⤵
        
        PID:304
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\181" /f
        5⤵
        
        PID:884
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\182" /f
        5⤵
        
        PID:2444
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe" /f
        5⤵
        
        PID:1500
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe\182" /f
        5⤵
        
        PID:2124
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f
        5⤵
        
        PID:1796
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\180" /f
        5⤵
        
        PID:272
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe" /f
        5⤵
        
        PID:1184
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\181" /f
        5⤵
        
        PID:2328
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80" /f
        5⤵
        
        PID:1592
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81" /f
        5⤵
        
        PID:2424
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f
        5⤵
        
        PID:320
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f
        5⤵
        
        PID:1704
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f
        5⤵
        
        PID:2400
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f
        5⤵
        
        PID:2316
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f
        5⤵
        
        PID:2408
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f
        5⤵
        
        PID:2888
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f
        5⤵
        
        PID:2892
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f
        5⤵
        
        PID:2644
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f
        5⤵
        
        PID:2660
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f
        5⤵
        
        PID:2344
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f
        5⤵
        
        PID:2288
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f
        5⤵
        
        PID:2272
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f
        5⤵
        
        PID:2740
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f
        5⤵
        
        PID:2412
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f
        5⤵
        
        PID:2368
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f
        5⤵
        
        PID:2496
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f
        5⤵
        
        PID:2012
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f
        5⤵
        
        PID:2000
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f
        5⤵
        
        PID:2304
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe" /f
        5⤵
        
        PID:2008
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe" /f
        5⤵
        
        PID:2020
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f
        5⤵
        
        PID:2820
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe" /f
        5⤵
        
        PID:2452
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe" /f
        5⤵
        
        PID:2116
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe" /f
        5⤵
        
        PID:1564
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
        5⤵
        
        PID:2772
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
        5⤵
        
        PID:2948
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security" /f
        5⤵
        
        PID:2832
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
        5⤵
        
        PID:2848
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security" /f
        5⤵
        
        PID:2552
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher" /f
        5⤵
        
        PID:2816
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
        5⤵
        
        PID:2576
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
        5⤵
        
        PID:2060
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
        5⤵
        
        PID:2564
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher" /f
        5⤵
        
        PID:2568
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
        5⤵
        
        PID:1016
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
        5⤵
        
        PID:764
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
        5⤵
        
        PID:1648
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\5e4eddc4_0" /f
        5⤵
        
        PID:2164
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\5e4eddc4_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}" /f
        5⤵
        
        PID:2236
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\0" /f
        5⤵
        
        PID:2176
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000405DE" /f
        5⤵
        
        PID:2744
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000403D6" /f
        5⤵
        
        PID:2804
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000205B6" /f
        5⤵
        
        PID:2936
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000060286" /f
        5⤵
        
        PID:2516
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000009042E" /f
        5⤵
        
        PID:2456
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A03B4" /f
        5⤵
        
        PID:2572
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A0430" /f
        5⤵
        
        PID:992
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000B0532" /f
        5⤵
        
        PID:1296
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000B05D6" /f
        5⤵
        
        PID:3044
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000C0430" /f
        5⤵
        
        PID:2016
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000C0586" /f
        5⤵
        
        PID:1956
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E03D2" /f
        5⤵
        
        PID:2244
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E0406" /f
        5⤵
        
        PID:868
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000100430" /f
        5⤵
        
        PID:2600
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001103EE" /f
        5⤵
        
        PID:2928
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000011041E" /f
        5⤵
        
        PID:2932
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000012047E" /f
        5⤵
        
        PID:3028
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001303EE" /f
        5⤵
        
        PID:2656
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001304F2" /f
        5⤵
        
        PID:240
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000014041E" /f
        5⤵
        
        PID:3008
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001703E6" /f
        5⤵
        
        PID:3068
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000170440" /f
        5⤵
        
        PID:2292
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001704FC" /f
        5⤵
        
        PID:924
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU" /f
        5⤵
        
        PID:3056
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri" /f
        5⤵
        
        PID:2256
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri\1d50f44cf1a0499" /f
        5⤵
        
        PID:2204
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri\1d50f44cf1a0499\87f345c2" /f
        5⤵
        
        PID:1988
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\discord-432980957394370572" /f
        5⤵
        
        PID:2588
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\discord-432980957394370572\DefaultIcon" /f
        5⤵
        
        PID:1972
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\discord-432980957394370572\shell" /f
        5⤵
        
        PID:1036
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\discord-432980957394370572\shell\open" /f
        5⤵
        
        PID:2768
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\discord-432980957394370572\shell\open\command" /f
        5⤵
        
        PID:768
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\System\GameConfigStore\Children\03ce6902-ff58-41de-ab92-36fcaf27a580" /f
        5⤵
        
        PID:1028
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\System\GameConfigStore\Parents\fd13f746e7d2d69760b017363f621255c9b49ac8" /f
        5⤵
        
        PID:1964
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri" /f
        5⤵
        
        PID:2792
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri\1d50f44cf1a0499" /f
        5⤵
        
        PID:2868
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri\1d50f44cf1a0499\87f345c2" /f
        5⤵
        
        PID:1980
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\discord-432980957394370572" /f
        5⤵
        
        PID:348
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\discord-432980957394370572\DefaultIcon" /f
        5⤵
        
        PID:288
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\discord-432980957394370572\shell" /f
        5⤵
        
        PID:1744
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\discord-432980957394370572\shell\open" /f
        5⤵
        
        PID:2540
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\discord-432980957394370572\shell\open\command" /f
        5⤵
        
        PID:2652
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher" /f
        5⤵
        
        PID:2528
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
        5⤵
        
        PID:2912
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
        5⤵
        
        PID:2780
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
        5⤵
        
        PID:1632
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher" /f
        5⤵
        
        PID:1572
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
        5⤵
        
        PID:1644
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
        5⤵
        
        PID:2856
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
        5⤵
        
        PID:1612
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe" /f
        5⤵
        
        PID:1620
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f
        5⤵
        
        PID:1584
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe" /f
        5⤵
        
        PID:1936
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App" /f
        5⤵
        
        PID:1924
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App\windows.protocol" /f
        5⤵
        
        PID:1752
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App\windows.protocol\ms-gamebarservices" /f
        5⤵
        
        PID:2196
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\FortniteClient-Win64-Shipping.exe" /f
        5⤵
        
        PID:1248
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe" /f
        5⤵
        
        PID:1328
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93" /f
        5⤵
        
        PID:1288
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181" /f
        5⤵
        
        PID:1264
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181\93" /f
        5⤵
        
        PID:848
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App" /f
        5⤵
        
        PID:1428
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App\93" /f
        5⤵
        
        PID:2192
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac" /f
        5⤵
        
        PID:1684
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad" /f
        5⤵
        
        PID:2448
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93" /f
        5⤵
        
        PID:2648
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93\ac" /f
        5⤵
        
        PID:2960
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93" /f
        5⤵
        
        PID:2976
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93\ad" /f
        5⤵
        
        PID:2968
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180" /f
        5⤵
        
        PID:2896
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181" /f
        5⤵
        
        PID:2072
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182" /f
        5⤵
        
        PID:844
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\180" /f
        5⤵
        
        PID:1652
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\181" /f
        5⤵
        
        PID:672
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\182" /f
        5⤵
        
        PID:688
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe" /f
        5⤵
        
        PID:484
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe\182" /f
        5⤵
        
        PID:872
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f
        5⤵
        
        PID:996
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\180" /f
        5⤵
        
        PID:1484
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe" /f
        5⤵
        
        PID:1476
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\181" /f
        5⤵
        
        PID:1640
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80" /f
        5⤵
        
        PID:1468
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81" /f
        5⤵
        
        PID:2248
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f
        5⤵
        
        PID:608
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f
        5⤵
        
        PID:1788
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f
        5⤵
        
        PID:1772
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f
        5⤵
        
        PID:560
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f
        5⤵
        
        PID:1784
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f
        5⤵
        
        PID:1088
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f
        5⤵
        
        PID:2520
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f
        5⤵
        
        PID:1736
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f
        5⤵
        
        PID:956
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f
        5⤵
        
        PID:408
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f
        5⤵
        
        PID:2332
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f
        5⤵
        
        PID:1276
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f
        5⤵
        
        PID:1124
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f
        5⤵
        
        PID:1732
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f
        5⤵
        
        PID:2384
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f
        5⤵
        
        PID:2380
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f
        5⤵
        
        PID:1360
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f
        5⤵
        
        PID:1760
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f
        5⤵
        
        PID:2088
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe" /f
        5⤵
        
        PID:2228
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe" /f
        5⤵
        
        PID:1532
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f
        5⤵
        
        PID:1284
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe" /f
        5⤵
        
        PID:2040
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe" /f
        5⤵
        
        PID:1908
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe" /f
        5⤵
        
        PID:1352
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher" /f
        5⤵
        
        PID:1616
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
        5⤵
        
        PID:1504
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
        5⤵
        
        PID:2996
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
        5⤵
        
        PID:1840
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher" /f
        5⤵
        
        PID:3012
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
        5⤵
        
        PID:1856
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
        5⤵
        
        PID:3004
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
        5⤵
        
        PID:1608
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\5e4eddc4_0" /f
        5⤵
        
        PID:904
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\5e4eddc4_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}" /f
        5⤵
        
        PID:912
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000403D6" /f
        5⤵
        
        PID:2084
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000205B6" /f
        5⤵
        
        PID:2364
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\0" /f
        5⤵
        
        PID:944
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000405DE" /f
        5⤵
        
        PID:2352
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000060286" /f
        5⤵
        
        PID:1040
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000009042E" /f
        5⤵
        
        PID:2460
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A03B4" /f
        5⤵
        
        PID:888
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A0430" /f
        5⤵
        
        PID:2152
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000B0532" /f
        5⤵
        
        PID:2504
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000B05D6" /f
        5⤵
        
        PID:1944
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000C0430" /f
        5⤵
        
        PID:2096
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000C0586" /f
        5⤵
        
        PID:1688
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E03D2" /f
        5⤵
        
        PID:2172
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E0406" /f
        5⤵
        
        PID:3000
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000100430" /f
        5⤵
        
        PID:2240
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001103EE" /f
        5⤵
        
        PID:1740
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000011041E" /f
        5⤵
        
        PID:2092
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000012047E" /f
        5⤵
        
        PID:2104
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001303EE" /f
        5⤵
        
        PID:2128
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001304F2" /f
        5⤵
        
        PID:2144
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000014041E" /f
        5⤵
        
        PID:880
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001703E6" /f
        5⤵
        
        PID:1496
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000170440" /f
        5⤵
        
        PID:2636
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001704FC" /f
        5⤵
        
        PID:1928
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU" /f
        5⤵
        
        PID:1712
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri" /f
        5⤵
        
        PID:2156
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri\1d50f44cf1a0499" /f
        5⤵
        
        PID:1312
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri\1d50f44cf1a0499\87f345c2" /f
        5⤵
        
        PID:2328
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\discord-432980957394370572" /f
        5⤵
        
        PID:1592
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\discord-432980957394370572\DefaultIcon" /f
        5⤵
        
        PID:2424
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\discord-432980957394370572\shell" /f
        5⤵
        
        PID:320
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\discord-432980957394370572\shell\open" /f
        5⤵
        
        PID:1704
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\discord-432980957394370572\shell\open\command" /f
        5⤵
        
        PID:2400
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\System\GameConfigStore\Children\03ce6902-ff58-41de-ab92-36fcaf27a580" /f
        5⤵
        
        PID:2316
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\System\GameConfigStore\Parents\fd13f746e7d2d69760b017363f621255c9b49ac8" /f
        5⤵
        
        PID:2408
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri" /f
        5⤵
        
        PID:2888
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri\1d50f44cf1a0499" /f
        5⤵
        
        PID:2892
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri\1d50f44cf1a0499\87f345c2" /f
        5⤵
        
        PID:2644
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\discord-432980957394370572" /f
        5⤵
        
        PID:2660
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\discord-432980957394370572\DefaultIcon" /f
        5⤵
        
        PID:2344
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\discord-432980957394370572\shell" /f
        5⤵
        
        PID:2288
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\discord-432980957394370572\shell\open" /f
        5⤵
        
        PID:2272
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\discord-432980957394370572\shell\open\command" /f
        5⤵
        
        PID:2740
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher" /f
        5⤵
        
        PID:2412
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
        5⤵
        
        PID:2368
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
        5⤵
        
        PID:2496
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
        5⤵
        
        PID:2012
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher" /f
        5⤵
        
        PID:2000
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
        5⤵
        
        PID:2304
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
        5⤵
        
        PID:2008
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
        5⤵
        
        PID:2020
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 10547-20820 /f
        5⤵
        Modifies registry key
        
        PID:2284
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 13663-6566 /f
        5⤵
        Modifies registry key
        
        PID:2884
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {eac2700} /f
        5⤵
        Modifies registry key
        
        PID:1008
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {12762-5217-20514-27855-31020} /f
        5⤵
        Modifies registry key
        
        PID:2668
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {30297-31668-2545-1407-23671} /f
        5⤵
        Modifies registry key
        
        PID:2852
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 1366-8530 /f
        5⤵
        Modifies registry key
        
        PID:2784
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUIDEx /t REG_BINARY /d c7a7bc3c37c6863558b5b433c6b6b4b57b94ac38ccb6b63436b5a83 /f
        5⤵
        Modifies registry key
        
        PID:2580
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 16132-2844 /f
        5⤵
        Modifies registry key
        
        PID:2640
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 17613-27067 /f
        5⤵
        Modifies registry key
        
        PID:2548
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 16669-29667-20095-19667-12941 /f
        5⤵
        Modifies registry key
        
        PID:2556
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 32176-3075-9159-7797-2540 /f
        5⤵
        Modifies registry key
        
        PID:2604
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 4270-19940-23293-31219 /f
        5⤵
        Modifies registry key
        
        PID:2100
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 19710 /f
        5⤵
        Modifies registry key
        
        PID:1952
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {31751-3747-28441-24200} /f
        5⤵
        Modifies registry key
        
        PID:1812
    - - C:\Windows\system32\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid /t REG_SZ /d ---- /f
        5⤵
        
        PID:2184
    - - C:\Windows\system32\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildGUID /t REG_SZ /d ---- /f
        5⤵
        
        PID:2992
    - - C:\Windows\system32\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc" /v PropertyGuid /t REG_SZ /d {----} /f
        5⤵
        
        PID:2296
    - - C:\Windows\system32\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v ComputerHardwareId /t REG_SZ /d {----} /f
        5⤵
        
        PID:1480
    - - C:\Windows\system32\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\Driver" /v PropertyGuid /t REG_SZ /d {----} /fW
        5⤵
        
        PID:2964
    - - C:\Windows\system32\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\DeviceDesc" /v PropertyGuid /t REG_SZ /d {----} /f
        5⤵
        
        PID:3016
    - - C:\Windows\system32\reg.exe
        
        REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v InstallDate /t REG_SZ /d 4282 /f
        5⤵
        
        PID:2708
    - - C:\Windows\system32\reg.exe
        
        REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v ProductId /t REG_SZ /d 8147 /f
        5⤵
        
        PID:2584
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d ---- /f
        5⤵
        Modifies registry key
        
        PID:2132
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 19435-7217-19361-17079-23223 /f
        5⤵
        Modifies registry key
        
        PID:2428
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 12961-17429-6480-15694-25845 /f
        5⤵
        Modifies registry key
        
        PID:3052
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 30478-6598 /f
        5⤵
        Modifies registry key
        
        PID:1808
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 2568 /f
        5⤵
        Modifies registry key
        
        PID:2492
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 17844-27718-12028-14857 /f
        5⤵
        Modifies registry key
        
        PID:1804
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d FS31749 /f
        5⤵
        Modifies registry key
        
        PID:2276
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 13979-18280 /f
        5⤵
        Modifies registry key
        
        PID:564
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d FS19651 /f
        5⤵
        Modifies registry key
        
        PID:2900
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 26911-21429 /f
        5⤵
        Modifies registry key
        
        PID:2920
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 17954 /f
        5⤵
        Modifies registry key
        
        PID:2924
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 17596-16896 /f
        5⤵
        Modifies registry key
        
        PID:3020
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 12010 /f
        5⤵
        Modifies registry key
        
        PID:2080
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 2618-24977 /f
        5⤵
        Modifies registry key
        
        PID:3036
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {29026-19294-79-15164-21995} /f
        5⤵
        Modifies registry key
        
        PID:3024
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {22895-29277-8850-12452-15184} /f
        5⤵
        Modifies registry key
        
        PID:936
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {2519-s27407-22444-15603-14326} /f
        5⤵
        Modifies registry key
        
        PID:928
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {eac470} /f
        5⤵
        Modifies registry key
        
        PID:3040
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {fefefee302-813-30800-30196} /f
        5⤵
        Modifies registry key
        
        PID:3064
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\Software\Microsoft\Windows NT\CurrentVersion /v InstallDate /t REG_SZ /d 14992 /f
        5⤵
        Modifies registry key
        
        PID:2340
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\Software\Microsoft\Windows NT\CurrentVersion /v ProductId /t REG_SZ /d 30229 /f
        5⤵
        Modifies registry key
        
        PID:2396
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 8620 /f
        5⤵
        Modifies registry key
        
        PID:1724
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Control\WMI\Security /v 671a8285-4edb-4cae-99fe-69a15c48c0bc /t REG_SZ /d 21989 /f
        5⤵
        Modifies registry key
        
        PID:2728
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion" "WindowsUpdate /v SusClientId /t REG_SZ /d {24557-10925-14613-1625-10182} /f
        5⤵
        Modifies registry key
        
        PID:2004
    - - C:\Windows\system32\netsh.exe
        
        netsh winsock reset
        5⤵
        
        PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO87A1E9D6\FASTEST SPOOFING METHOD FOR RAGING CHEATING REMOVES VAN152.txt

Filesize
333B

MD5
3ba32eaf6a25fe856062a2131ceb3b41

SHA1
c477672b3aca791729fa4150a164b85e2b039711

SHA256
2d92f99676eebf5bdca9ca9ed0cfbd6546594cc7e12cbc4b5ee8d31f92204ca3

SHA512
5fa111b38b1bc19d959f5add9368b39a9b03fd034119a66b8c65410689a73954d5546f24ca3a044b77d3db27daa0597234b6602710e4d1dd80a61c97c8056418

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO87A7ADA6\FULL SPOOFING INSTRUCTIONS.txt

Filesize
593B

MD5
a933771406a25f8aa159e0bdacfe8e53

SHA1
7f681d13eeeaaa9ee92854f5c54b02897610bbd4

SHA256
752fcbcce3630e2f37af44f7a7cf63924d049f91be018a12cfe81162d6de4343

SHA512
650ed59acd0e297ef1c1d3e4f69794907e9087662c64946ba56a332cd512912b1cf4ca34792effd0fec12e78693a1d052577962742e05f5a5a5e26ecbee801e3

Download Submit
C:\Windows\apppatch\Custom\e.bat

Filesize
53KB

MD5
328beec730ad16110edaeb509da7ef0a

SHA1
3967f0c1cc05281e38f416b5b2114f21dfb14551

SHA256
89c7818490b41fe0560f803d0e9faaa65a02f814e5a16b67d6e252d40e36df69

SHA512
22405a260effb11022411daa76132cc824c437c6b23d92ace592cf74b29d12826e983d55c868aac1e42d889da95621e451a99b2b75d83992e9378cbbd10d92a8

Download Submit
\ProgramData\spooferhandler.exe

Filesize
131KB

MD5
5a76b1d6eb7f59520300a73d091f4d5f

SHA1
a58fc277c0d86ac273a3eee610015bc1c21e9531

SHA256
446fc530c2f53be095ed3e1634b7ea7d017c8abdd0865f824a96a52e6dd27c65

SHA512
7595f8c402e3f8ea54a7d4c338fc329659d76ccc9b006ab0070cd6ac54ea01255f4754995c84fdcc3659fb76f3b8f63d828a48a9a4ca4c67c9fa939ffcc54687

Download Submit
\Users\Admin\AppData\Local\Temp\7zO87A3FE57\SPOOFER LOADER.exe

Filesize
895KB

MD5
512a21a95db27f67bbf385b4b68f6aa8

SHA1
c5ab6cced5b8f146f3a0296532e59d0c5a3ae0ea

SHA256
ac6ee3886816b257e372a5b7b54ff006c2125f523b04e75d8c531b0a8c81c81d

SHA512
f4b45aee392d373abd026462bafdad38a37300c8db52d707f572b3fff8ee8a140c6fe514fc55d5257e9d225d1e29b57adc55b9f5408743e25d620c32512e9c07

Download Submit
memory/1800-49-0x0000000000FC0000-0x0000000000FCC000-memory.dmp

Filesize
48KB

Download
memory/1800-50-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download
memory/1800-51-0x000000001B020000-0x000000001B0A0000-memory.dmp

Filesize
512KB

Download
memory/1800-54-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download
memory/1800-55-0x000000001B020000-0x000000001B0A0000-memory.dmp

Filesize
512KB

Download