purecrypter | 2deae5346696feed6b2cce57eb002e5fac09734e8a0e888cba0935d00d50036e

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14-02-2024 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PRODUCT Panty Poof/SPOOFER LOADER.exe
Size

895KB
MD5

512a21a95db27f67bbf385b4b68f6aa8
SHA1

c5ab6cced5b8f146f3a0296532e59d0c5a3ae0ea
SHA256

ac6ee3886816b257e372a5b7b54ff006c2125f523b04e75d8c531b0a8c81c81d
SHA512

f4b45aee392d373abd026462bafdad38a37300c8db52d707f572b3fff8ee8a140c6fe514fc55d5257e9d225d1e29b57adc55b9f5408743e25d620c32512e9c07
SSDEEP

24576:mrovWp6faeGgjjsrdcAONdA22xVK8LRPo4WDD9/wr9WTEHd3:FvWECQn/m

Score

10^/10

purecrypter downloader loader

Malware Config

Extracted

Family

purecrypter

https://cdn.discordapp.com/attachments/997814360636391555/1031517343848878110/Tptzutsjt.jpeg

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	SPOOFER LOADER.exe

Executes dropped EXE 1 IoCs

pid	Process
2876	spooferhandler.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\System32\accessibility.dll	SPOOFER LOADER.exe
File created	C:\Windows\System32\amigendrv64.sys	SPOOFER LOADER.exe
File created	C:\Windows\System32\AppVDll.exe	SPOOFER LOADER.exe
File opened for modification	C:\Windows\System32\config\TxR\{53B39~3.REG	cmd.exe
File opened for modification	C:\Windows\System32\config\TxR\{53B39~2.BLF	cmd.exe
File opened for modification	C:\Windows\System32\config\TxR\{53B39~4.REG	cmd.exe
File opened for modification	C:\Windows\System32\config\TxR\{532AA~1.REG	cmd.exe
File opened for modification	C:\Windows\System32\config\TxR\{53B39~1.BLF	cmd.exe
File opened for modification	C:\Windows\System32\config\TxR\{53B39~1.REG	cmd.exe
File opened for modification	C:\Windows\System32\config\TxR\{53B39~2.REG	cmd.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\DATAST~1\DATAST~1.EDB	cmd.exe
File opened for modification	C:\Windows\SoftwareDistribution\DATAST~1\DATAST~1.JFM	cmd.exe
File opened for modification	C:\Windows\SoftwareDistribution\DATAST~1\Logs\edb.log	cmd.exe
File opened for modification	C:\Windows\SoftwareDistribution\REPORT~1.LOG	cmd.exe
File created	C:\Windows\VPO.exe	SPOOFER LOADER.exe
File created	C:\Windows\apppatch\Custom\e.bat	SPOOFER LOADER.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	reg.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	reg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2876	spooferhandler.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2252	2124	SPOOFER LOADER.exe	85
PID 2124 wrote to memory of 2252	2124	SPOOFER LOADER.exe	85
PID 2124 wrote to memory of 2188	2124	SPOOFER LOADER.exe	86
PID 2124 wrote to memory of 2188	2124	SPOOFER LOADER.exe	86
PID 2124 wrote to memory of 2284	2124	SPOOFER LOADER.exe	96
PID 2124 wrote to memory of 2284	2124	SPOOFER LOADER.exe	96
PID 2124 wrote to memory of 4596	2124	SPOOFER LOADER.exe	97
PID 2124 wrote to memory of 4596	2124	SPOOFER LOADER.exe	97
PID 4596 wrote to memory of 2876	4596	cmd.exe	98
PID 4596 wrote to memory of 2876	4596	cmd.exe	98
PID 2124 wrote to memory of 1744	2124	SPOOFER LOADER.exe	99
PID 2124 wrote to memory of 1744	2124	SPOOFER LOADER.exe	99
PID 2124 wrote to memory of 3236	2124	SPOOFER LOADER.exe	101
PID 2124 wrote to memory of 3236	2124	SPOOFER LOADER.exe	101
PID 2124 wrote to memory of 3656	2124	SPOOFER LOADER.exe	102
PID 2124 wrote to memory of 3656	2124	SPOOFER LOADER.exe	102
PID 2124 wrote to memory of 4980	2124	SPOOFER LOADER.exe	105
PID 2124 wrote to memory of 4980	2124	SPOOFER LOADER.exe	105
PID 2124 wrote to memory of 3676	2124	SPOOFER LOADER.exe	107
PID 2124 wrote to memory of 3676	2124	SPOOFER LOADER.exe	107
PID 2124 wrote to memory of 1888	2124	SPOOFER LOADER.exe	109
PID 2124 wrote to memory of 1888	2124	SPOOFER LOADER.exe	109
PID 2124 wrote to memory of 5084	2124	SPOOFER LOADER.exe	111
PID 2124 wrote to memory of 5084	2124	SPOOFER LOADER.exe	111
PID 2124 wrote to memory of 380	2124	SPOOFER LOADER.exe	113
PID 2124 wrote to memory of 380	2124	SPOOFER LOADER.exe	113
PID 380 wrote to memory of 1396	380	cmd.exe	115
PID 380 wrote to memory of 1396	380	cmd.exe	115
PID 380 wrote to memory of 1452	380	cmd.exe	116
PID 380 wrote to memory of 1452	380	cmd.exe	116
PID 380 wrote to memory of 2668	380	cmd.exe	117
PID 380 wrote to memory of 2668	380	cmd.exe	117
PID 380 wrote to memory of 1344	380	cmd.exe	118
PID 380 wrote to memory of 1344	380	cmd.exe	118
PID 380 wrote to memory of 4204	380	cmd.exe	119
PID 380 wrote to memory of 4204	380	cmd.exe	119
PID 380 wrote to memory of 4668	380	cmd.exe	120
PID 380 wrote to memory of 4668	380	cmd.exe	120
PID 380 wrote to memory of 4664	380	cmd.exe	121
PID 380 wrote to memory of 4664	380	cmd.exe	121
PID 380 wrote to memory of 4704	380	cmd.exe	122
PID 380 wrote to memory of 4704	380	cmd.exe	122
PID 380 wrote to memory of 2196	380	cmd.exe	123
PID 380 wrote to memory of 2196	380	cmd.exe	123
PID 380 wrote to memory of 3464	380	cmd.exe	124
PID 380 wrote to memory of 3464	380	cmd.exe	124
PID 380 wrote to memory of 3592	380	cmd.exe	125
PID 380 wrote to memory of 3592	380	cmd.exe	125
PID 380 wrote to memory of 3404	380	cmd.exe	126
PID 380 wrote to memory of 3404	380	cmd.exe	126
PID 380 wrote to memory of 32	380	cmd.exe	127
PID 380 wrote to memory of 32	380	cmd.exe	127
PID 380 wrote to memory of 2872	380	cmd.exe	128
PID 380 wrote to memory of 2872	380	cmd.exe	128
PID 380 wrote to memory of 2192	380	cmd.exe	129
PID 380 wrote to memory of 2192	380	cmd.exe	129
PID 380 wrote to memory of 5096	380	cmd.exe	130
PID 380 wrote to memory of 5096	380	cmd.exe	130
PID 380 wrote to memory of 3400	380	cmd.exe	131
PID 380 wrote to memory of 3400	380	cmd.exe	131
PID 380 wrote to memory of 2080	380	cmd.exe	132
PID 380 wrote to memory of 2080	380	cmd.exe	132
PID 380 wrote to memory of 4984	380	cmd.exe	133
PID 380 wrote to memory of 4984	380	cmd.exe	133

C:\Users\Admin\AppData\Local\Temp\PRODUCT Panty Poof\SPOOFER LOADER.exe
"C:\Users\Admin\AppData\Local\Temp\PRODUCT Panty Poof\SPOOFER LOADER.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color F1
  2⤵
  PID:2252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\ProgramData\spooferhandler.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\ProgramData\spooferhandler.exe
    C:\ProgramData\spooferhandler.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2876
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C del C:\Riot Games\VALORANT\live\Manifest_DebugFiles_Win64.txt
  2⤵
  PID:1744
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C del C:\Riot Games\VALORANT\live\Manifest_NonUFSFiles_Win64.txt
  2⤵
  PID:3236
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C del C:\Users\%username%\AppData\Local\IconCache.db
  2⤵
  PID:3656
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C del C:\Users\%username%\AppData\Temp\*
  2⤵
  PID:4980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C del C:\Users\%username%\AppData\Riot Games\*
  2⤵
  PID:3676
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C del C:\Users\%username%\AppData\UnrealEngine\*
  2⤵
  PID:1888
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C del C:\Users\%username%\AppData\.IdentityService\*
  2⤵
  PID:5084
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\apppatch\Custom\e.bat
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:380
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\VALORANT-Win64-Shipping.exe" /f
    3⤵
    PID:1396
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{FA99DFC7-6AC2-453A-A5E2-5E2AFF4507BD}\Count" /f
    3⤵
    PID:1452
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count" /f
    3⤵
    PID:2668
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F2A1CB5A-E3CC-4A2E-AF9D-505A7009D442}\Count" /f
    3⤵
    PID:1344
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count" /f
    3⤵
    PID:4204
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CAA59E3C-4792-41A5-9909-6A6A8D32490E}\Count" /f
    3⤵
    PID:4668
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{BCB48336-4DDD-48FF-BB0B-D3190DACB3E2}\Count" /f
    3⤵
    PID:4664
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{B267E3AD-A825-4A09-82B9-EEC22AA3B847}\Count" /f
    3⤵
    PID:4704
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{A3D53349-6E61-4557-8FC7-0028EDCEEBF6}\Count" /f
    3⤵
    PID:2196
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{9E04CAB2-CC14-11DF-BB8C-A2F1DED72085}\Count" /f
    3⤵
    PID:3464
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CLASSES_ROOT\riotclient" /f
    3⤵
    PID:3592
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
    3⤵
    PID:3404
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
    3⤵
    PID:32
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f
    3⤵
    PID:2872
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:2192
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:5096
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
    3⤵
    PID:3400
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
    3⤵
    PID:2080
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
    3⤵
    PID:4984
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
    3⤵
    PID:4476
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f
    3⤵
    PID:4844
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
    3⤵
    PID:3708
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:4308
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:908
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
    3⤵
    PID:660
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
    3⤵
    PID:1912
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
    3⤵
    PID:4580
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
    3⤵
    PID:2408
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
    3⤵
    PID:4928
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
    3⤵
    PID:1296
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
    3⤵
    PID:4384
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
    3⤵
    PID:3588
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
    3⤵
    PID:4816
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
    3⤵
    PID:1612
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
    3⤵
    PID:1220
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
    3⤵
    PID:3068
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f
    3⤵
    PID:3204
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f
    3⤵
    PID:4840
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f
    3⤵
    PID:1492
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f
    3⤵
    PID:3452
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
    3⤵
    PID:4692
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f
    3⤵
    PID:4380
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f
    3⤵
    PID:3540
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f
    3⤵
    PID:4572
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
    3⤵
    PID:1320
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:1560
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine" /f
    3⤵
    PID:5116
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
    3⤵
    PID:4520
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
    3⤵
    PID:2616
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f
    3⤵
    PID:4612
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
    3⤵
    PID:224
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f
    3⤵
    - Checks processor information in registry
    PID:1648
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
    3⤵
    PID:1556
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
    3⤵
    PID:3348
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
    3⤵
    PID:392
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
    3⤵
    PID:4180
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
    3⤵
    PID:1280
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f
    3⤵
    PID:5104
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f
    3⤵
    PID:3992
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
    3⤵
    PID:5052
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f
    3⤵
    PID:1800
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe" /f
    3⤵
    PID:952
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f
    3⤵
    PID:1996
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe" /f
    3⤵
    PID:1572
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App" /f
    3⤵
    PID:3760
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App\windows.protocol" /f
    3⤵
    PID:1144
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App\windows.protocol\ms-gamebarservices" /f
    3⤵
    PID:4276
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\FortniteClient-Win64-Shipping.exe" /f
    3⤵
    PID:1408
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe" /f
    3⤵
    PID:4568
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93" /f
    3⤵
    PID:3508
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181" /f
    3⤵
    PID:232
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181\93" /f
    3⤵
    PID:4852
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App" /f
    3⤵
    PID:1600
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App\93" /f
    3⤵
    PID:4316
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac" /f
    3⤵
    PID:4156
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad" /f
    3⤵
    PID:2200
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93" /f
    3⤵
    PID:1720
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93\ac" /f
    3⤵
    PID:2532
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93" /f
    3⤵
    PID:4684
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93\ad" /f
    3⤵
    PID:4084
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180" /f
    3⤵
    PID:3896
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181" /f
    3⤵
    PID:3632
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182" /f
    3⤵
    PID:3384
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\180" /f
    3⤵
    PID:3268
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\181" /f
    3⤵
    PID:3612
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\182" /f
    3⤵
    PID:4980
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe" /f
    3⤵
    PID:4060
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe\182" /f
    3⤵
    PID:2780
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f
    3⤵
    PID:1440
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\180" /f
    3⤵
    PID:2172
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe" /f
    3⤵
    PID:1340
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\181" /f
    3⤵
    PID:3476
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80" /f
    3⤵
    PID:3292
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81" /f
    3⤵
    PID:2988
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f
    3⤵
    PID:2660
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f
    3⤵
    PID:4272
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f
    3⤵
    PID:4952
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f
    3⤵
    PID:5080
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f
    3⤵
    PID:1344
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f
    3⤵
    PID:4204
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f
    3⤵
    PID:4668
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f
    3⤵
    PID:4664
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f
    3⤵
    PID:4704
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f
    3⤵
    PID:2196
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f
    3⤵
    PID:3464
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f
    3⤵
    PID:3592
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f
    3⤵
    PID:3404
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f
    3⤵
    PID:32
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f
    3⤵
    PID:2872
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f
    3⤵
    PID:2192
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f
    3⤵
    PID:5096
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f
    3⤵
    PID:3400
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f
    3⤵
    PID:2080
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe" /f
    3⤵
    PID:4984
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe" /f
    3⤵
    PID:4476
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f
    3⤵
    PID:4844
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe" /f
    3⤵
    PID:3708
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe" /f
    3⤵
    PID:4308
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe" /f
    3⤵
    PID:908
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
    3⤵
    PID:660
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
    3⤵
    PID:1912
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security" /f
    3⤵
    PID:4580
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
    3⤵
    PID:2408
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security" /f
    3⤵
    PID:4928
- - C:\Windows\system32\reg.exe
    reg delete "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher" /f
    3⤵
    PID:1296
- - C:\Windows\system32\reg.exe
    reg delete "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
    3⤵
    PID:4384
- - C:\Windows\system32\reg.exe
    reg delete "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
    3⤵
    PID:3588
- - C:\Windows\system32\reg.exe
    reg delete "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
    3⤵
    PID:4816
- - C:\Windows\system32\reg.exe
    reg delete "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher" /f
    3⤵
    PID:1612
- - C:\Windows\system32\reg.exe
    reg delete "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
    3⤵
    PID:1220
- - C:\Windows\system32\reg.exe
    reg delete "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
    3⤵
    PID:5028
- - C:\Windows\system32\reg.exe
    reg delete "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
    3⤵
    PID:5068
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\5e4eddc4_0" /f
    3⤵
    PID:3228
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\5e4eddc4_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}" /f
    3⤵
    PID:1400
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\0" /f
    3⤵
    PID:3448
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000205B6" /f
    3⤵
    PID:3296
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000403D6" /f
    3⤵
    PID:600
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000405DE" /f
    3⤵
    PID:5032
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000060286" /f
    3⤵
    PID:4472
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000009042E" /f
    3⤵
    PID:1404
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A03B4" /f
    3⤵
    PID:3692
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A0430" /f
    3⤵
    PID:4604
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000B0532" /f
    3⤵
    PID:1028
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000B05D6" /f
    3⤵
    PID:1084
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000C0430" /f
    3⤵
    PID:1792
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000C0586" /f
    3⤵
    PID:3584
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E03D2" /f
    3⤵
    PID:3148
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E0406" /f
    3⤵
    PID:2724
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000100430" /f
    3⤵
    PID:3544
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001103EE" /f
    3⤵
    PID:1992
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000011041E" /f
    3⤵
    PID:1768
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000012047E" /f
    3⤵
    PID:1428
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001303EE" /f
    3⤵
    PID:2316
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001304F2" /f
    3⤵
    PID:2944
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000014041E" /f
    3⤵
    PID:3576
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001703E6" /f
    3⤵
    PID:1080
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000170440" /f
    3⤵
    PID:2156
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001704FC" /f
    3⤵
    PID:1976
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU" /f
    3⤵
    PID:4676
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri" /f
    3⤵
    PID:388
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri\1d50f44cf1a0499" /f
    3⤵
    PID:2284
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri\1d50f44cf1a0499\87f345c2" /f
    3⤵
    PID:2168
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\discord-432980957394370572" /f
    3⤵
    PID:648
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\discord-432980957394370572\DefaultIcon" /f
    3⤵
    PID:4924
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\discord-432980957394370572\shell" /f
    3⤵
    PID:4444
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\discord-432980957394370572\shell\open" /f
    3⤵
    PID:1032
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\discord-432980957394370572\shell\open\command" /f
    3⤵
    PID:1756
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\System\GameConfigStore\Children\03ce6902-ff58-41de-ab92-36fcaf27a580" /f
    3⤵
    PID:4236
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\System\GameConfigStore\Parents\fd13f746e7d2d69760b017363f621255c9b49ac8" /f
    3⤵
    PID:1620
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri" /f
    3⤵
    PID:1236
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri\1d50f44cf1a0499" /f
    3⤵
    PID:4340
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri\1d50f44cf1a0499\87f345c2" /f
    3⤵
    PID:1008
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\discord-432980957394370572" /f
    3⤵
    PID:376
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\discord-432980957394370572\DefaultIcon" /f
    3⤵
    PID:3892
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\discord-432980957394370572\shell" /f
    3⤵
    PID:2916
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\discord-432980957394370572\shell\open" /f
    3⤵
    PID:4072
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\discord-432980957394370572\shell\open\command" /f
    3⤵
    PID:4600
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher" /f
    3⤵
    PID:2704
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
    3⤵
    PID:3368
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
    3⤵
    PID:3812
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
    3⤵
    PID:4248
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher" /f
    3⤵
    PID:3920
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
    3⤵
    PID:4408
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
    3⤵
    PID:208
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
    3⤵
    PID:4540
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe" /f
    3⤵
    PID:988
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f
    3⤵
    PID:560
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe" /f
    3⤵
    PID:3272
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App" /f
    3⤵
    PID:4256
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App\windows.protocol" /f
    3⤵
    PID:3560
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App\windows.protocol\ms-gamebarservices" /f
    3⤵
    PID:3740
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\FortniteClient-Win64-Shipping.exe" /f
    3⤵
    PID:4588
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe" /f
    3⤵
    PID:368
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93" /f
    3⤵
    PID:4184
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181" /f
    3⤵
    PID:1964
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181\93" /f
    3⤵
    PID:1336
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App" /f
    3⤵
    PID:1248
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App\93" /f
    3⤵
    PID:3140
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac" /f
    3⤵
    PID:3748
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad" /f
    3⤵
    PID:348
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93" /f
    3⤵
    PID:4592
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93\ac" /f
    3⤵
    PID:4804
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93" /f
    3⤵
    PID:1196
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93\ad" /f
    3⤵
    PID:1500
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180" /f
    3⤵
    PID:2496
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181" /f
    3⤵
    PID:1916
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182" /f
    3⤵
    PID:5112
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\180" /f
    3⤵
    PID:904
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\181" /f
    3⤵
    PID:1188
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\182" /f
    3⤵
    PID:4104
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe" /f
    3⤵
    PID:4776
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe\182" /f
    3⤵
    PID:3088
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f
    3⤵
    PID:332
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\180" /f
    3⤵
    PID:4920
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe" /f
    3⤵
    PID:2248
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFullName\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe\181" /f
    3⤵
    PID:3064
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80" /f
    3⤵
    PID:4576
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81" /f
    3⤵
    PID:4344
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f
    3⤵
    PID:4412
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f
    3⤵
    PID:1788
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f
    3⤵
    PID:1312
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f
    3⤵
    PID:4212
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f
    3⤵
    PID:1492
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f
    3⤵
    PID:3452
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f
    3⤵
    PID:4692
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f
    3⤵
    PID:4380
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f
    3⤵
    PID:3540
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f
    3⤵
    PID:4572
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f
    3⤵
    PID:1320
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f
    3⤵
    PID:1560
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f
    3⤵
    PID:4828
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f
    3⤵
    PID:4520
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f
    3⤵
    PID:3060
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f
    3⤵
    PID:4832
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f
    3⤵
    PID:224
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f
    3⤵
    PID:1648
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f
    3⤵
    PID:1556
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe" /f
    3⤵
    PID:3348
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe" /f
    3⤵
    PID:4712
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe" /f
    3⤵
    PID:4820
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe" /f
    3⤵
    PID:1280
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-2532382528-581214834-2534474248-1001\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe" /f
    3⤵
    PID:5104
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\SecurityManager\CapAuthz\ApplicationsEx\Microsoft.XboxGameOverlay_1.41.24001.0_x64__8wekyb3d8bbwe" /f
    3⤵
    PID:3992
- - C:\Windows\system32\reg.exe
    reg delete "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher" /f
    3⤵
    PID:2924
- - C:\Windows\system32\reg.exe
    reg delete "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
    3⤵
    PID:1800
- - C:\Windows\system32\reg.exe
    reg delete "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
    3⤵
    PID:952
- - C:\Windows\system32\reg.exe
    reg delete "HKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
    3⤵
    PID:1996
- - C:\Windows\system32\reg.exe
    reg delete "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher" /f
    3⤵
    PID:4528
- - C:\Windows\system32\reg.exe
    reg delete "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
    3⤵
    PID:3760
- - C:\Windows\system32\reg.exe
    reg delete "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
    3⤵
    PID:1144
- - C:\Windows\system32\reg.exe
    reg delete "HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
    3⤵
    PID:4276
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\5e4eddc4_0" /f
    3⤵
    PID:1408
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\5e4eddc4_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}" /f
    3⤵
    PID:4568
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\0" /f
    3⤵
    PID:3508
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000205B6" /f
    3⤵
    PID:232
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000403D6" /f
    3⤵
    PID:4852
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000405DE" /f
    3⤵
    PID:1600
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000060286" /f
    3⤵
    PID:4316
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000009042E" /f
    3⤵
    PID:3936
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A03B4" /f
    3⤵
    PID:3836
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A0430" /f
    3⤵
    PID:4236
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000B0532" /f
    3⤵
    PID:1120
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000B05D6" /f
    3⤵
    PID:2532
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000C0430" /f
    3⤵
    PID:3176
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000C0586" /f
    3⤵
    PID:3236
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E03D2" /f
    3⤵
    PID:376
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E0406" /f
    3⤵
    PID:3892
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000100430" /f
    3⤵
    PID:4128
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001103EE" /f
    3⤵
    PID:4512
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000011041E" /f
    3⤵
    PID:1672
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000012047E" /f
    3⤵
    PID:4300
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001303EE" /f
    3⤵
    PID:3644
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001304F2" /f
    3⤵
    PID:1440
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000014041E" /f
    3⤵
    PID:1888
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001703E6" /f
    3⤵
    PID:1340
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000170440" /f
    3⤵
    PID:704
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001704FC" /f
    3⤵
    PID:3292
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU" /f
    3⤵
    PID:2988
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri" /f
    3⤵
    PID:2660
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri\1d50f44cf1a0499" /f
    3⤵
    PID:4272
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri\1d50f44cf1a0499\87f345c2" /f
    3⤵
    PID:4952
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\discord-432980957394370572" /f
    3⤵
    PID:4092
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\discord-432980957394370572\DefaultIcon" /f
    3⤵
    PID:1344
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\discord-432980957394370572\shell" /f
    3⤵
    PID:4204
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\discord-432980957394370572\shell\open" /f
    3⤵
    PID:4668
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\Software\Classes\discord-432980957394370572\shell\open\command" /f
    3⤵
    PID:4664
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\System\GameConfigStore\Children\03ce6902-ff58-41de-ab92-36fcaf27a580" /f
    3⤵
    PID:4688
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001\System\GameConfigStore\Parents\fd13f746e7d2d69760b017363f621255c9b49ac8" /f
    3⤵
    PID:2196
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri" /f
    3⤵
    PID:4696
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri\1d50f44cf1a0499" /f
    3⤵
    PID:3592
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\Local Settings\MrtCache\C:CProgram FilesCWindowsAppsCMicrosoft.XboxGamingOverlay_2.26.28001.0_x64__8wekyb3d8bbweCmicrosoft.system.package.metadataCS-1-5-21-2532382528-581214834-2534474248-1001-MergedResources-2.pri\1d50f44cf1a0499\87f345c2" /f
    3⤵
    PID:3404
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\discord-432980957394370572" /f
    3⤵
    PID:2540
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\discord-432980957394370572\DefaultIcon" /f
    3⤵
    PID:2160
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\discord-432980957394370572\shell" /f
    3⤵
    PID:2192
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\discord-432980957394370572\shell\open" /f
    3⤵
    PID:5096
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-2532382528-581214834-2534474248-1001_Classes\discord-432980957394370572\shell\open\command" /f
    3⤵
    PID:1632
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher" /f
    3⤵
    PID:2080
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
    3⤵
    PID:4984
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
    3⤵
    PID:4476
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-18\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
    3⤵
    PID:3224
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher" /f
    3⤵
    PID:3708
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates" /f
    3⤵
    PID:4308
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs" /f
    3⤵
    PID:908
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-18\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs" /f
    3⤵
    PID:660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\spooferhandler.exe

Filesize
131KB

MD5
5a76b1d6eb7f59520300a73d091f4d5f

SHA1
a58fc277c0d86ac273a3eee610015bc1c21e9531

SHA256
446fc530c2f53be095ed3e1634b7ea7d017c8abdd0865f824a96a52e6dd27c65

SHA512
7595f8c402e3f8ea54a7d4c338fc329659d76ccc9b006ab0070cd6ac54ea01255f4754995c84fdcc3659fb76f3b8f63d828a48a9a4ca4c67c9fa939ffcc54687

Download Submit
C:\Windows\apppatch\Custom\e.bat

Filesize
53KB

MD5
328beec730ad16110edaeb509da7ef0a

SHA1
3967f0c1cc05281e38f416b5b2114f21dfb14551

SHA256
89c7818490b41fe0560f803d0e9faaa65a02f814e5a16b67d6e252d40e36df69

SHA512
22405a260effb11022411daa76132cc824c437c6b23d92ace592cf74b29d12826e983d55c868aac1e42d889da95621e451a99b2b75d83992e9378cbbd10d92a8

Download Submit
memory/2876-9-0x00000211253F0000-0x00000211253FC000-memory.dmp

Filesize
48KB

Download
memory/2876-10-0x00007FFC9E480000-0x00007FFC9EF41000-memory.dmp

Filesize
10.8MB

Download
memory/2876-11-0x0000021127020000-0x0000021127030000-memory.dmp

Filesize
64KB

Download
memory/2876-13-0x00007FFC9E480000-0x00007FFC9EF41000-memory.dmp

Filesize
10.8MB

Download
memory/2876-14-0x0000021127020000-0x0000021127030000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads