c5cfe062d0895b2bd6621e06da7ee7e030de2e85f1fc2be62d734ce694bb29bf

Analysis

max time kernel
150s
max time network
277s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cleaner (1).exe
Size

6.0MB
MD5

0ccec651d8bba5994aa039f5a9af46b6
SHA1

002427c48cbc4e64ff5a901f9b89abf7cef7e942
SHA256

c5cfe062d0895b2bd6621e06da7ee7e030de2e85f1fc2be62d734ce694bb29bf
SHA512

925b5a7f321e7dc37ad6275e38ddf54d4dee3c78c6735c40ede18ee0f831b6831edea5e898f174993e14f167ef54e22796eaac7b8444eb502679a788ec22ad83
SSDEEP

98304:qjQzPx3jrd/pJt5hkgpvmzJikw7Q+p0bkKefSfF2UgqzVEo8snr4unLnM/lVJh8n:qs3jrFpJt5hku+zJiJM+iwKefM3RvZse

Score

7^/10

defense_evasion discovery spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

15 discord.com
18 discord.com
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

Cleaner (1).exe

pid process

2116 Cleaner (1).exe
2116 Cleaner (1).exe
2116 Cleaner (1).exe
2116 Cleaner (1).exe
2116 Cleaner (1).exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.execmd.execmd.exe

pid process

2736 cmd.exe
4408 cmd.exe
1604 cmd.exe

flow	ioc
15	discord.com
18	discord.com

pid	process
2116	Cleaner (1).exe
2116	Cleaner (1).exe
2116	Cleaner (1).exe
2116	Cleaner (1).exe
2116	Cleaner (1).exe

pid	process
2736	cmd.exe
4408	cmd.exe
1604	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 17 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
3744	taskkill.exe
224	taskkill.exe
1136	taskkill.exe
4416	taskkill.exe
8	taskkill.exe
3376	taskkill.exe
2060	taskkill.exe
1112	taskkill.exe
4216	taskkill.exe
4576	taskkill.exe
3428	taskkill.exe
2396	taskkill.exe
4712	taskkill.exe
964	taskkill.exe
4372	taskkill.exe
1884	taskkill.exe
4592	taskkill.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Cleaner (1).exemsedge.exemsedge.exe

pid process

2116 Cleaner (1).exe
2116 Cleaner (1).exe
2224 msedge.exe
2224 msedge.exe
3468 msedge.exe
3468 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

msedge.exe

pid process

3468 msedge.exe
3468 msedge.exe
3468 msedge.exe

pid	process
2116	Cleaner (1).exe
2116	Cleaner (1).exe
2224	msedge.exe
2224	msedge.exe
3468	msedge.exe
3468	msedge.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1112	taskkill.exe
Token: SeDebugPrivilege	1884	taskkill.exe
Token: SeDebugPrivilege	4216	taskkill.exe
Token: SeDebugPrivilege	2396	taskkill.exe
Token: SeDebugPrivilege	4592	taskkill.exe
Token: SeDebugPrivilege	1136	taskkill.exe
Token: SeDebugPrivilege	964	taskkill.exe
Token: SeDebugPrivilege	8	taskkill.exe
Token: SeDebugPrivilege	4712	taskkill.exe
Token: SeDebugPrivilege	4416	taskkill.exe
Token: SeDebugPrivilege	4576	taskkill.exe
Token: SeDebugPrivilege	3744	taskkill.exe
Token: SeDebugPrivilege	4372	taskkill.exe
Token: SeDebugPrivilege	3428	taskkill.exe
Token: SeDebugPrivilege	3376	taskkill.exe
Token: SeDebugPrivilege	2060	taskkill.exe
Token: SeDebugPrivilege	224	taskkill.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

msedge.exe

pid	process
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Cleaner (1).execmd.exemsedge.exe

description	pid	process	target process
PID 2116 wrote to memory of 4504	2116	Cleaner (1).exe	cmd.exe
PID 2116 wrote to memory of 4504	2116	Cleaner (1).exe	cmd.exe
PID 4504 wrote to memory of 3468	4504	cmd.exe	msedge.exe
PID 4504 wrote to memory of 3468	4504	cmd.exe	msedge.exe
PID 3468 wrote to memory of 4428	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 4428	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1864	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 2224	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 2224	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1412	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1412	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1412	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1412	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1412	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1412	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1412	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1412	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1412	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1412	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1412	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1412	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1412	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1412	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1412	3468	msedge.exe	msedge.exe
PID 3468 wrote to memory of 1412	3468	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\Cleaner (1).exe
"C:\Users\Admin\AppData\Local\Temp\Cleaner (1).exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start https://discord.gg/xanaxspoofer
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/xanaxspoofer
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9393b46f8,0x7ff9393b4708,0x7ff9393b4718
      4⤵
      PID:4428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,8011512498745417491,10499116014927615538,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:2
      4⤵
      PID:1864
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2224,8011512498745417491,10499116014927615538,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2224
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2224,8011512498745417491,10499116014927615538,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2968 /prefetch:8
      4⤵
      PID:1412
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,8011512498745417491,10499116014927615538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
      4⤵
      PID:3428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,8011512498745417491,10499116014927615538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
      4⤵
      PID:1272
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,8011512498745417491,10499116014927615538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
      4⤵
      PID:4708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c TaskKill /F /IM epicgameslauncher.exe
  2⤵
  PID:1092
- - C:\Windows\system32\taskkill.exe
    TaskKill /F /IM epicgameslauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c TaskKill /F /IM EpicWebHelper.exe
  2⤵
  PID:4236
- - C:\Windows\system32\taskkill.exe
    TaskKill /F /IM EpicWebHelper.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c TaskKill /F /IM FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2736
- - C:\Windows\system32\taskkill.exe
    TaskKill /F /IM FortniteClient-Win64-Shipping_EAC.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c TaskKill /F /IM FortniteClient-Win64-Shipping_BE.exe
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4408
- - C:\Windows\system32\taskkill.exe
    TaskKill /F /IM FortniteClient-Win64-Shipping_BE.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c TaskKill /F /IM FortniteLauncher.exe
  2⤵
  PID:3264
- - C:\Windows\system32\taskkill.exe
    TaskKill /F /IM FortniteLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c TaskKill /F /IM FortniteClient-Win64-Shipping.exe
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:1604
- - C:\Windows\system32\taskkill.exe
    TaskKill /F /IM FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c TaskKill /F /IM EpicGamesLauncher.exe
  2⤵
  PID:3956
- - C:\Windows\system32\taskkill.exe
    TaskKill /F /IM EpicGamesLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c TaskKill /F /IM EasyAntiCheat.exe
  2⤵
  PID:5048
- - C:\Windows\system32\taskkill.exe
    TaskKill /F /IM EasyAntiCheat.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:8
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c TaskKill /F /IM BEService.exe
  2⤵
  PID:4496
- - C:\Windows\system32\taskkill.exe
    TaskKill /F /IM BEService.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c TaskKill /F /IM BEServices.exe
  2⤵
  PID:4508
- - C:\Windows\system32\taskkill.exe
    TaskKill /F /IM BEServices.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c TaskKill /F /IM RainbowSix.exe
  2⤵
  PID:1232
- - C:\Windows\system32\taskkill.exe
    TaskKill /F /IM RainbowSix.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c TaskKill /F /IM cod.exe
  2⤵
  PID:4600
- - C:\Windows\system32\taskkill.exe
    TaskKill /F /IM cod.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c TaskKill /F /IM Battle.net.exe
  2⤵
  PID:2948
- - C:\Windows\system32\taskkill.exe
    TaskKill /F /IM Battle.net.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c TaskKill /F /IM Agent.exe
  2⤵
  PID:2188
- - C:\Windows\system32\taskkill.exe
    TaskKill /F /IM Agent.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c TaskKill /F /IM FiveM.exe
  2⤵
  PID:4160
- - C:\Windows\system32\taskkill.exe
    TaskKill /F /IM FiveM.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c TaskKill /F /IM vgtray.exe
  2⤵
  PID:3488
- - C:\Windows\system32\taskkill.exe
    TaskKill /F /IM vgtray.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c TaskKill /F /IM BattleEye.exe
  2⤵
  PID:1368
- - C:\Windows\system32\taskkill.exe
    TaskKill /F /IM BattleEye.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "%localappdata%\microsoft\feeds" /s /f /q
  2⤵
  PID:4068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "%systemdrive%\users\%username%\appdata\local\epicgameslauncher\saved\webcache\cookies"
  2⤵
  PID:4996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "%temp%\getadmin.vbs"
  2⤵
  PID:4980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\programdata\microsoft\search\data\applications\windows\edb.jcp"
  2⤵
  PID:4108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\recovery\ntuser.sys"
  2⤵
  PID:1812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\system volume information\indexervolumeguid"
  2⤵
  PID:4848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\system volume information\tracking.log"
  2⤵
  PID:3676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\users\%username%\appdata\locallow\microsoft\cryptneturlcache"
  2⤵
  PID:2184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\users\%username%\appdata\locallow\microsoft\cryptneturlcache\content"
  2⤵
  PID:1608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\users\%username%\appdata\locallow\microsoft\cryptneturlcache\content\77ec63bda74bd0d0e0426dc8f8008506"
  2⤵
  PID:2348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\users\%username%\appdata\locallow\microsoft\cryptneturlcache\content\fb0d848f74f70bb2eaa93746d24d9749"
  2⤵
  PID:2460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\users\%username%\appdata\locallow\microsoft\cryptneturlcache\metadata"
  2⤵
  PID:3292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\users\%username%\appdata\locallow\microsoft\cryptneturlcache\metadata\77ec63bda74bd0d0e0426dc8f8008506"
  2⤵
  PID:2848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\users\%username%\appdata\locallow\microsoft\cryptneturlcache\metadata\fb0d848f74f70bb2eaa93746d24d9749"
  2⤵
  PID:2808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\users\%username%\appdata\local\crashdumps\backgr~2.dmp"
  2⤵
  PID:1564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\users\%username%\appdata\local\epicgameslauncher\saved\webcache\cookies"
  2⤵
  PID:5104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\users\%username%\appdata\local\microsoft\feeds cache"
  2⤵
  PID:748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\users\%username%\appdata\local\microsoft\feeds"
  2⤵
  PID:4552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\users\%username%\appdata\local\microsoft\windows\webcache\v01.chk"
  2⤵
  PID:1332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\users\%username%\appdata\local\microsoft\windows\webcache\v0100024.log"
  2⤵
  PID:1412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\users\%username%\appdata\local\microsoft\windows\webcache\webcac~1.dat"
  2⤵
  PID:2252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\users\%username%\appdata\local\microsoft\windows\webcache\webcac~1.jfm"
  2⤵
  PID:2584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\users\%username%\appdata\local\nordvpn\logs\app-2019-12-09.nwl"
  2⤵
  PID:4604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\users\%username%\appdata\local\nvidia corporation\gfesdk\fortni~1.log"
  2⤵
  PID:4768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\users\%username%\appdata\local\packages\microsoft.windows.cortana_cw5n1h2txyewy\appdata\cachestorage\caches~1.jfm"
  2⤵
  PID:3600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\users\%username%\appdata\local\temp\ecache.bin"
  2⤵
  PID:1112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\users\all users\microsoft\search\data\applications\windows\edb.jcp"
  2⤵
  PID:1092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\users\all users\microsoft\search\data\applications\windows\projects\systemindex\propmap\cipt0000.000"
  2⤵
  PID:2228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\users\all users\microsoft\windows\wer\temp\wer5cc2.tmp.xml"
  2⤵
  PID:4804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\users\all users\microsoft\windows\wer\temp\wer95df.tmp.mdmp"
  2⤵
  PID:1488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\users\public\shared files"
  2⤵
  PID:1968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\windows\cbstemp\30780525_1668355464"
  2⤵
  PID:5036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\windows\inf\bthpan.pnf"
  2⤵
  PID:4736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\windows\inf\e2xw10x64.pnf"
  2⤵
  PID:4252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\windows\inf\e2xw10~1.pnf"
  2⤵
  PID:4436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\windows\inf\ialpss2i_gpio2_skl.pnf"
  2⤵
  PID:4232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\windows\inf\intelpep.pnf"
  2⤵
  PID:4592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\windows\inf\monitor.pnf"
  2⤵
  PID:3264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\windows\inf\msports.pnf"
  2⤵
  PID:1964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\windows\inf\ndisvirtualbus.pnf"
  2⤵
  PID:3964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\windows\inf\netathr10x.pnf"
  2⤵
  PID:2676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\windows\inf\netavpna.pnf"
  2⤵
  PID:2556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\windows\inf\netrasa.pnf"
  2⤵
  PID:4700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\windows\inf\netsstpa.pnf"
  2⤵
  PID:2300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\windows\inf\netvwifimp.pnf"
  2⤵
  PID:4364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\windows\inf\rdpbus.pnf"
  2⤵
  PID:1140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\windows\inf\usbxhci.pnf"
  2⤵
  PID:4084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\windows\inf\wmiacpi.pnf"
  2⤵
  PID:2604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\windows\logs\cbs\cbs.log"
  2⤵
  PID:5052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\windows\system32\wbem\repository\mapping1.map"
  2⤵
  PID:760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\windows\system32\wbem\repository\writable.tst"
  2⤵
  PID:2292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\windows\temp\206f3fdc-b1a8-4fd6-bdb8-6cfe76122873"
  2⤵
  PID:876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del "c:\windows\temp\6e04ef32-0387-48b1-b812-ac2bba90a8d0"
  2⤵
  PID:412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /q /f %windir%\kb*.log
  2⤵
  PID:1200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /q /f /a /s "c:\users\%username%\appdata\local\iconcache.db"
  2⤵
  PID:3280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /q /f /a /s "c:\users\%username%\appdata\local\updater.log"
  2⤵
  PID:2920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f "c:\programdata\microsoft\windows\devicemetadatacache\dmrc.idx"
  2⤵
  PID:1248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f "c:\system volume information\tracking.log"
  2⤵
  PID:1392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f "c:\users\%username%\appdata\local\ac\inetcookies\ese\container.dat"
  2⤵
  PID:3640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f "c:\users\%username%\appdata\local\microsoft\onedrive\logs\common\devicehealthsummaryconfiguration.ini"
  2⤵
  PID:3352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f "c:\users\%username%\appdata\local\microsoft\vault\userprofileroaming\latest.dat"
  2⤵
  PID:3036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f "c:\users\%username%\appdata\local\microsoft\windows\inetcache\ie\container.dat"
  2⤵
  PID:3376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f "c:\users\%username%\appdata\local\unrealengine\4.23\saved\config\windowsclient\manifest.ini"
  2⤵
  PID:4160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f "c:\users\%username%\ntuser.ini"
  2⤵
  PID:2872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f "c:\windows\win.ini"
  2⤵
  PID:2060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /q "%userprofile%\recent\*.*"
  2⤵
  PID:3488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /s /q "%appdata%\roaming\easyanticheat\*.*"
  2⤵
  PID:3988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /s /q "%systemdrive%paint\users\%username%\appdata\roaming\vstelemetry\*.*"
  2⤵
  PID:1576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /s /q "%systemdrive%\desktop.ini\*.*"
  2⤵
  PID:1728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /s /q "%systemdrive%\intel\*.*"
  2⤵
  PID:2276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /s /q "%systemdrive%\msocache\{71230000-00e2-0000-1000-00000000}\setup.dat\*.*"
  2⤵
  PID:3740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /s /q "%systemdrive%\msocache\{71230000-00e2-0000-1000-00000000}\setup.dat\*.*"
  2⤵
  PID:3412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /s /q "%systemdrive%\program files (x86)\easyanticheat\*.*"
  2⤵
  PID:2192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /s /q "%systemdrive%\program files (x86)\easyanticheat\easyanticheat.sys"
  2⤵
  PID:1868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /s /q "%systemdrive%\programdata\electronic arts\*"
  2⤵
  PID:3676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /s /q "%systemdrive%\programdata\electronic arts\ea services\license\*"
  2⤵
  PID:2184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /s /q "%systemdrive%\programdata\electronic arts\ea services\license\*.*"
  2⤵
  PID:2000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /s /q "%systemdrive%\programdata\microsoft\datamart\paidwifi\networkscache\*.*"
  2⤵
  PID:2348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /s /q "%systemdrive%\programdata\microsoft\datamart\paidwifi\networkscache\*.*"
  2⤵
  PID:2460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /s /q "%systemdrive%\programdata\microsoft\datamart\paidwifi\rules\*.*"
  2⤵
  PID:1608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /s /q "%systemdrive%\programdata\microsoft\datamart\paidwifi\rules\*.*"
  2⤵
  PID:1636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /s /q "%systemdrive%\programdata\microsoft\windows\wer\temp\*.*"
  2⤵
  PID:2080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /s /q "%systemdrive%\programdata\microsoft\windows\wer\temp\*.*"
  2⤵
  PID:4284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /s /q "%systemdrive%\recovery\ntuser.sys\*.*"
  2⤵
  PID:880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /s /q "%systemdrive%\system volume information\*.*"
  2⤵
  PID:4376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /s /q "%systemdrive%\temp\*.*"
  2⤵
  PID:1628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /s /q "%systemdrive%\users\%%username%%\appdata\local\unrealengine\*.*"
  2⤵
  PID:2824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /s /q "%systemdrive%\users\%username%\appdata\local\microsoft\feeds\*.*"
  2⤵
  PID:2220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /s /q "%systemdrive%\users\%username%\appdata\local\microsoft\windows\history\history.ie5\*.*"
  2⤵
  PID:3748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /s /q "%systemdrive%\users\%username%\appdata\local\microsoft\windows\history\history.ie5\*.*"
  2⤵
  PID:4384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\182" /f
  2⤵
  PID:2504
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\182" /f
    3⤵
    PID:1880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\182\flags: 0x00000000" /f
  2⤵
  PID:2332
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\182\flags: 0x00000000" /f
    3⤵
    PID:1772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\182\installedlocation: "c:\program files\windowsapps\microsoft.xboxgameoverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe"" /f
  2⤵
  PID:1104
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\182\installedlocation: "c:\program files\windowsapps\microsoft.xboxgameoverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe"" /f
    3⤵
    PID:1832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\182\packagefamily: 0x0000004e" /f
  2⤵
  PID:800
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\182\packagefamily: 0x0000004e" /f
    3⤵
    PID:4968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\182\packagefullname: "microsoft.xboxgameoverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe"" /f
  2⤵
  PID:2648
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\182\packagefullname: "microsoft.xboxgameoverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe"" /f
    3⤵
    PID:4132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\182\packagetype: 0x00000004" /f
  2⤵
  PID:3840
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\182\packagetype: 0x00000004" /f
    3⤵
    PID:912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\182\volume: 0x00000001" /f
  2⤵
  PID:1648
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\182\volume: 0x00000001" /f
    3⤵
    PID:1884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\182\_indexkeys: 50 61 63 6b 61 67 65 46 61 6d 69 6c 79 5c 34 65 5c 31 38 32 00 50 61 63 6b 61 67 65 46 75 6c 6c 4e 61 6d 65 5c 4d 69 63 72 6f 73 6f 66 74 2e 58 62 6f 78 47 61 6d 65 4f 76 65 72 6c 61 79 5f 31 2e 34 31 2e 32 34 30 30 31 2e 30 5f 6e 65 75 74 72 61 6c 5f 73 70 6c 69 74 2e 73 63 61 6c 65 2d 31 30 30 5f 38 77 65 6b 79 62 33 64 38 62 62 77 65 00 00" /f
  2⤵
  PID:4236
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\182\_indexkeys: 50 61 63 6b 61 67 65 46 61 6d 69 6c 79 5c 34 65 5c 31 38 32 00 50 61 63 6b 61 67 65 46 75 6c 6c 4e 61 6d 65 5c 4d 69 63 72 6f 73 6f 66 74 2e 58 62 6f 78 47 61 6d 65 4f 76 65 72 6c 61 79 5f 31 2e 34 31 2e 32 34 30 30 31 2e 30 5f 6e 65 75 74 72 61 6c 5f 73 70 6c 69 74 2e 73 63 61 6c 65 2d 31 30 30 5f 38 77 65 6b 79 62 33 64 38 62 62 77 65 00 00" /f
    3⤵
    PID:4520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\index\packagefamily\4e\180" /f
  2⤵
  PID:4216
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\index\packagefamily\4e\180" /f
    3⤵
    PID:2736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\index\packagefamily\4e\181" /f
  2⤵
  PID:3176
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\index\packagefamily\4e\181" /f
    3⤵
    PID:2008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\index\packagefamily\4e\182" /f
  2⤵
  PID:3604
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\index\packagefamily\4e\182" /f
    3⤵
    PID:956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\index\packagefullname\microsoft.xboxgameoverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe" /f
  2⤵
  PID:2352
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\index\packagefullname\microsoft.xboxgameoverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe" /f
    3⤵
    PID:4244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\index\packagefullname\microsoft.xboxgameoverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe\182" /f
  2⤵
  PID:1260
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\index\packagefullname\microsoft.xboxgameoverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe\182" /f
    3⤵
    PID:2928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\index\package"\fullname\microsoft.xboxgameoverlay_1.41.24001.0_neutral_split.scale - 100_8wekyb3d8bbwe" /f
  2⤵
  PID:4988
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\index\package"\fullname\microsoft.xboxgameoverlay_1.41.24001.0_neutral_split.scale - 100_8wekyb3d8bbwe" /f
    3⤵
    PID:2244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\index\packagefullname\microsoft.xboxgameoverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe\182\flags: 0x00000000" /f
  2⤵
  PID:1308
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\index\packagefullname\microsoft.xboxgameoverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe\182\flags: 0x00000000" /f
    3⤵
    PID:4064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\index\packagefullname\microsoft.xboxgameoverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe\182\flags: 0x00000080" /f
  2⤵
  PID:1556
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\index\packagefullname\microsoft.xboxgameoverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe\182\flags: 0x00000080" /f
    3⤵
    PID:3268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\index\packagefullname\microsoft.xboxgameoverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe\182\state: 0x00000000" /f
  2⤵
  PID:2212
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\index\packagefullname\microsoft.xboxgameoverlay_1.41.24001.0_neutral_split.scale-100_8wekyb3d8bbwe\182\state: 0x00000000" /f
    3⤵
    PID:2896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\180" /f
  2⤵
  PID:3948
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\180" /f
    3⤵
    PID:3356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\180\flags: 0x00000000" /f
  2⤵
  PID:4052
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\180\flags: 0x00000000" /f
    3⤵
    PID:2168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\180\installedlocation: "c:\program files\windowsapps\microsoft.xboxgameoverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe"" /f
  2⤵
  PID:1860
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\180\installedlocation: "c:\program files\windowsapps\microsoft.xboxgameoverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe"" /f
    3⤵
    PID:2908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\180\packagefamily: 0x0000004e" /f
  2⤵
  PID:1480
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\180\packagefamily: 0x0000004e" /f
    3⤵
    PID:1148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\180\packagefullname: "microsoft.xboxgameoverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe"" /f
  2⤵
  PID:1816
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\180\packagefullname: "microsoft.xboxgameoverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe"" /f
    3⤵
    PID:1116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\180\packagetype: 0x00000008" /f
  2⤵
  PID:4372
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\180\packagetype: 0x00000008" /f
    3⤵
    PID:4784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\180\volume: 0x00000001" /f
  2⤵
  PID:2032
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\180\volume: 0x00000001" /f
    3⤵
    PID:1620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\180\_indexkeys: 50 61 63 6b 61 67 65 46 61 6d 69 6c 79 5c 34 65 5c 31 38 30 00 50 61 63 6b 61 67 65 46 75 6c 6c 4e 61 6d 65 5c 4d 69 63 72 6f 73 6f 66 74 2e 58 62 6f 78 47 61 6d 65 4f 76 65 72 6c 61 79 5f 31 2e 34 31 2e 32 34 30 30 31 2e 30 5f 6e 65 75 74 72 61 6c 5f 7e 5f 38 77 65 6b 79 62 33 64 38 62 62 77 65 00 00" /f
  2⤵
  PID:3608
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\180\_indexkeys: 50 61 63 6b 61 67 65 46 61 6d 69 6c 79 5c 34 65 5c 31 38 30 00 50 61 63 6b 61 67 65 46 75 6c 6c 4e 61 6d 65 5c 4d 69 63 72 6f 73 6f 66 74 2e 58 62 6f 78 47 61 6d 65 4f 76 65 72 6c 61 79 5f 31 2e 34 31 2e 32 34 30 30 31 2e 30 5f 6e 65 75 74 72 61 6c 5f 7e 5f 38 77 65 6b 79 62 33 64 38 62 62 77 65 00 00" /f
    3⤵
    PID:4268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\181" /f
  2⤵
  PID:2084
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\181" /f
    3⤵
    PID:660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\181\flags: 0x00000000" /f
  2⤵
  PID:536
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\181\flags: 0x00000000" /f
    3⤵
    PID:4836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\181\installedlocation: "c:\program files\windowsapps\microsoft.xboxgameoverlay_1.41.24001.0_x64__8wekyb3d8bbwe"" /f
  2⤵
  PID:4024
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\181\installedlocation: "c:\program files\windowsapps\microsoft.xboxgameoverlay_1.41.24001.0_x64__8wekyb3d8bbwe"" /f
    3⤵
    PID:1776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\181\packagefamily: 0x0000004e" /f
  2⤵
  PID:952
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\181\packagefamily: 0x0000004e" /f
    3⤵
    PID:4088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\181\packagefullname: "microsoft.xboxgameoverlay_1.41.24001.0_x64__8wekyb3d8bbwe"" /f
  2⤵
  PID:4068
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\181\packagefullname: "microsoft.xboxgameoverlay_1.41.24001.0_x64__8wekyb3d8bbwe"" /f
    3⤵
    PID:4692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\181\packagetype: 0x00000001" /f
  2⤵
  PID:4984
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\181\packagetype: 0x00000001" /f
    3⤵
    PID:3512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\181\volume: 0x00000001" /f
  2⤵
  PID:4864
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\181\volume: 0x00000001" /f
    3⤵
    PID:3936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\181\_indexkeys: 50 61 63 6b 61 67 65 46 61 6d 69 6c 79 5c 34 65 5c 31 38 31 00 50 61 63 6b 61 67 65 46 75 6c 6c 4e 61 6d 65 5c 4d 69 63 72 6f 73 6f 66 74 2e 58 62 6f 78 47 61 6d 65 4f 76 65 72 6c 61 79 5f 31 2e 34 31 2e 32 34 30 30 31 2e 30 5f 78 36 34 5f 5f 38 77 65 6b 79 62 33 64 38 62 62 77 65 00 00" /f
  2⤵
  PID:924
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\181\_indexkeys: 50 61 63 6b 61 67 65 46 61 6d 69 6c 79 5c 34 65 5c 31 38 31 00 50 61 63 6b 61 67 65 46 75 6c 6c 4e 61 6d 65 5c 4d 69 63 72 6f 73 6f 66 74 2e 58 62 6f 78 47 61 6d 65 4f 76 65 72 6c 61 79 5f 31 2e 34 31 2e 32 34 30 30 31 2e 30 5f 78 36 34 5f 5f 38 77 65 6b 79 62 33 64 38 62 62 77 65 00 00" /f
    3⤵
    PID:1708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\181\_indexkeys: 50 61 63 6b 61 67 65 46 75 6c 6c 4e 61 6d 65 5c 4d 69 63 72 6f 73 6f 66 74 2e 58 62 6f 78 47 61 6d 65 4f 76 65 72 6c 61 79 5f 31 2e 34 31 2e 32 34 30 30 31 2e 30 5f 78 36 34 5f 5f 38 77 65 6b 79 62 33 64 38 62 62 77 65 00 00" /f
  2⤵
  PID:312
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\181\_indexkeys: 50 61 63 6b 61 67 65 46 75 6c 6c 4e 61 6d 65 5c 4d 69 63 72 6f 73 6f 66 74 2e 58 62 6f 78 47 61 6d 65 4f 76 65 72 6c 61 79 5f 31 2e 34 31 2e 32 34 30 30 31 2e 30 5f 78 36 34 5f 5f 38 77 65 6b 79 62 33 64 38 62 62 77 65 00 00" /f
    3⤵
    PID:4544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\181\_indexkeys: 4d 69 63 72 6f 73 6f 66 74 2e 58 62 6f 78 47 61 6d 65 4f 76 65 72 6c 61 79 5f 31 2e 34 31 2e 32 34 30 30 31 2e 30 5f 78 36 34 5f 5f 38 77 65 6b 79 62 33 64 38 62 62 77 65 5c 34 65 5c 31 38 31 00 00" /f
  2⤵
  PID:2808
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\181\_indexkeys: 4d 69 63 72 6f 73 6f 66 74 2e 58 62 6f 78 47 61 6d 65 4f 76 65 72 6c 61 79 5f 31 2e 34 31 2e 32 34 30 30 31 2e 30 5f 78 36 34 5f 5f 38 77 65 6b 79 62 33 64 38 62 62 77 65 5c 34 65 5c 31 38 31 00 00" /f
    3⤵
    PID:440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\181\_indexkeys: 00 00" /f
  2⤵
  PID:3808
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\181\_indexkeys: 00 00" /f
    3⤵
    PID:4284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\181\_indexkeys: 4d 69 63 72 6f 73 6f 66 74 2e 58 62 6f 78 47 61 6d 65 4f 76 65 72 6c 61 79 5f 31 2e 34 31 2e 32 34 30 30 31 2e 30 5f 78 36 34 5f 5f 38 77 65 6b 79 62 33 64 38 62 62 77 65 00 00" /f
  2⤵
  PID:880
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\181\_indexkeys: 4d 69 63 72 6f 73 6f 66 74 2e 58 62 6f 78 47 61 6d 65 4f 76 65 72 6c 61 79 5f 31 2e 34 31 2e 32 34 30 30 31 2e 30 5f 78 36 34 5f 5f 38 77 65 6b 79 62 33 64 38 62 62 77 65 00 00" /f
    3⤵
    PID:4376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\181\_indexkeys: 00 00" /freg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\data\1a83" /f
  2⤵
  PID:1628
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\package\data\181\_indexkeys: 00 00" /freg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\data\1a83" /f
    3⤵
    PID:2824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\securitymanager\capauthz\applicationsex\microsoft.xboxgameoverlay_1.41.24001.0_x64__8wekyb3d8bbwe\apppackagetype: 0x00000000" /f
  2⤵
  PID:2220
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\securitymanager\capauthz\applicationsex\microsoft.xboxgameoverlay_1.41.24001.0_x64__8wekyb3d8bbwe\apppackagetype: 0x00000000" /f
    3⤵
    PID:3748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\securitymanager\capauthz\applicationsex\microsoft.xboxgameoverlay_1.41.24001.0_x64__8wekyb3d8bbwe\capsids: 0a 00 00 00 01 02 00 00 00 00 00 0f 03 00 00 00 01 00 00 00 01 0a 00 00 00 00 00 0f 03 00 00 00 00 04 00 00 e8 41 fe 65 15 cb 86 8e 43 2c e1 30 42 2a b3 51 4e 9c 0e 17 b4 1b 89 09 98 da 44 8d 13 6a 0c b3 01 0a 00 00 00 00 00 0f 03 00 00 00 00 04 00 00 e4 29 72 ae 52 a9 2e 19 c4 fb 6c 51 9e 00 25 50 5b 64 a6 6f a4 d2 d0 57 d2 db d7 37 f2 b0 85 ac 01 0a 00 00 00 00 00 0f 03 00 00 00 00 04 00 00 0b 44 35 cf 44 6c 30 b5 4c 90 da 15 db 4c 09 94 5a 08 a5 69 f0 dc c5 65 02 4a 7b b9 a8 2c da c2 01 0a 00 00 00 00 00 0f 03 00 00 00 00 04 00 00 3c da 35 57 2a 15 fa c8 02 c1 bc 52 65 2b d8 ec c8 8e 72 9b 62 79 a8 20 65 1e 06 07 af 02 70 0c 01 0a 00 00 00 00 00 0f 03 00 00 00 00 04 00 00 ce 22 45 27 27 b8 ea 12 11 8a 20 ef 09 19 fd 6b b8 b4 a0 d6 03 10 5b dd d6 cf 74 85 60 22 d2 cd 01 0a 00 00 00 00 00 0f 03 00 00 00 00 04 00 00 0a d5 ca 1a 96 05 1c f5 5e 2c 0c ce 2a e" /f
  2⤵
  PID:4384
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\securitymanager\capauthz\applicationsex\microsoft.xboxgameoverlay_1.41.24001.0_x64__8wekyb3d8bbwe\capsids: 0a 00 00 00 01 02 00 00 00 00 00 0f 03 00 00 00 01 00 00 00 01 0a 00 00 00 00 00 0f 03 00 00 00 00 04 00 00 e8 41 fe 65 15 cb 86 8e 43 2c e1 30 42 2a b3 51 4e 9c 0e 17 b4 1b 89 09 98 da 44 8d 13 6a 0c b3 01 0a 00 00 00 00 00 0f 03 00 00 00 00 04 00 00 e4 29 72 ae 52 a9 2e 19 c4 fb 6c 51 9e 00 25 50 5b 64 a6 6f a4 d2 d0 57 d2 db d7 37 f2 b0 85 ac 01 0a 00 00 00 00 00 0f 03 00 00 00 00 04 00 00 0b 44 35 cf 44 6c 30 b5 4c 90 da 15 db 4c 09 94 5a 08 a5 69 f0 dc c5 65 02 4a 7b b9 a8 2c da c2 01 0a 00 00 00 00 00 0f 03 00 00 00 00 04 00 00 3c da 35 57 2a 15 fa c8 02 c1 bc 52 65 2b d8 ec c8 8e 72 9b 62 79 a8 20 65 1e 06 07 af 02 70 0c 01 0a 00 00 00 00 00 0f 03 00 00 00 00 04 00 00 ce 22 45 27 27 b8 ea 12 11 8a 20 ef 09 19 fd 6b b8 b4 a0 d6 03 10 5b dd d6 cf 74 85 60 22 d2 cd 01 0a 00 00 00 00 00 0f 03 00 00 00 00 04 00 00 0a d5 ca 1a 96 05 1c f5 5e 2c 0c ce 2a e" /f
    3⤵
    PID:2668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\securitymanager\capauthz\applicationsex\microsoft.xboxgameoverlay_1.41.24001.0_x64__8wekyb3d8bbwe\enterpriseid: 0x00000000" /f
  2⤵
  PID:4872
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\securitymanager\capauthz\applicationsex\microsoft.xboxgameoverlay_1.41.24001.0_x64__8wekyb3d8bbwe\enterpriseid: 0x00000000" /f
    3⤵
    PID:4884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\securitymanager\capauthz\applicationsex\microsoft.xboxgameoverlay_1.41.24001.0_x64__8wekyb3d8bbwe\packagesid: "s-1-15-2-1823635404-1364722122-2170562666-1762391777-2399050872-3465541734-3732476201"" /f
  2⤵
  PID:3804
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\securitymanager\capauthz\applicationsex\microsoft.xboxgameoverlay_1.41.24001.0_x64__8wekyb3d8bbwe\packagesid: "s-1-15-2-1823635404-1364722122-2170562666-1762391777-2399050872-3465541734-3732476201"" /f
    3⤵
    PID:1360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\applicationuser\data\ac" /f
  2⤵
  PID:2584
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\applicationuser\data\ac" /f
    3⤵
    PID:3416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\applicationuser\data\ac\application: 0x00000093" /f
  2⤵
  PID:4300
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\applicationuser\data\ac\application: 0x00000093" /f
    3⤵
    PID:2828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\applicationuser\data\ac\applicationusermodelid: "microsoft.xboxgameoverlay_8wekyb3d8bbwe!app"" /f
  2⤵
  PID:4380
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\applicationuser\data\ac\applicationusermodelid: "microsoft.xboxgameoverlay_8wekyb3d8bbwe!app"" /f
    3⤵
    PID:4584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\applicationuser\data\ac\user: 0x00000003" /f
  2⤵
  PID:2228
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\applicationuser\data\ac\user: 0x00000003" /f
    3⤵
    PID:2108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\applicationuser\data\ac\_indexkeys: 55 73 65 72 41 6e 64 41 70 70 6c 69 63 61 74 69 6f 6e 5c 33 5e 39 33 00 55 73 65 72 41 6e 64 41 70 70 6c 69 63 61 74 69 6f 6e 55 73 65 72 4d 6f 64 65 6c 49 64 5c 33 5e 4d 69 63 72 6f 73 6f 66 74 2e 58 62 6f 78 47 61 6d 65 4f 76 65 72 6c 61 79 5f 38 77 65 6b 79 62 33 64 38 62 62 77 65 21 41 70 70 00 00" /f
  2⤵
  PID:2160
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\applicationuser\data\ac\_indexkeys: 55 73 65 72 41 6e 64 41 70 70 6c 69 63 61 74 69 6f 6e 5c 33 5e 39 33 00 55 73 65 72 41 6e 64 41 70 70 6c 69 63 61 74 69 6f 6e 55 73 65 72 4d 6f 64 65 6c 49 64 5c 33 5e 4d 69 63 72 6f 73 6f 66 74 2e 58 62 6f 78 47 61 6d 65 4f 76 65 72 6c 61 79 5f 38 77 65 6b 79 62 33 64 38 62 62 77 65 21 41 70 70 00 00" /f
    3⤵
    PID:4236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\applicationuser\data\ad" /f
  2⤵
  PID:3080
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\applicationuser\data\ad" /f
    3⤵
    PID:1968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\applicationuser\data\ad\application: 0x00000093" /f
  2⤵
  PID:4288
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\applicationuser\data\ad\application: 0x00000093" /f
    3⤵
    PID:4736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\applicationuser\data\ad\applicationusermodelid: "microsoft.xboxgameoverlay_8wekyb3d8bbwe!app"" /f
  2⤵
  PID:4232
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\applicationuser\data\ad\applicationusermodelid: "microsoft.xboxgameoverlay_8wekyb3d8bbwe!app"" /f
    3⤵
    PID:4436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\applicationuser\data\ad\user: 0x00000004" /f
  2⤵
  PID:1548
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\applicationuser\data\ad\user: 0x00000004" /f
    3⤵
    PID:4592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\applicationuser\data\ad\_indexkeys: 55 73 65 72 41 6e 64 41 70 70 6c 69 63 61 74 69 6f 6e 5c 34 5e 39 33 00 55 73 65 72 41 6e 64 41 70 70 6c 69 63 61 74 69 6f 6e 55 73 65 72 4d 6f 64 65 6c 49 64 5c 34 5e 4d 69 63 72 6f 73 6f 66 74 2e 58 62 6f 78 47 61 6d 65 4f 76 65 72 6c 61 79 5f 38 77 65 6b 79 62 33 64 38 62 62 77 65 21 41 70 70 00 00" /f
  2⤵
  PID:3964
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\applicationuser\data\ad\_indexkeys: 55 73 65 72 41 6e 64 41 70 70 6c 69 63 61 74 69 6f 6e 5c 34 5e 39 33 00 55 73 65 72 41 6e 64 41 70 70 6c 69 63 61 74 69 6f 6e 55 73 65 72 4d 6f 64 65 6c 49 64 5c 34 5e 4d 69 63 72 6f 73 6f 66 74 2e 58 62 6f 78 47 61 6d 65 4f 76 65 72 6c 61 79 5f 38 77 65 6b 79 62 33 64 38 62 62 77 65 21 41 70 70 00 00" /f
    3⤵
    PID:1964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\applicationuser\index\userandapplication\3^93" /f
  2⤵
  PID:2636
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\applicationuser\index\userandapplication\3^93" /f
    3⤵
    PID:3568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\applicationuser\index\userandapplication\3^93\ac" /f
  2⤵
  PID:892
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\applicationuser\index\userandapplication\3^93\ac" /f
    3⤵
    PID:4700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\applicationuser\index\userandapplication\4^93" /f
  2⤵
  PID:5048
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\applicationuser\index\userandapplication\4^93" /f
    3⤵
    PID:4364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\applicationuser\index\userandapplication\4^93\ad" /f
  2⤵
  PID:4712
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\applicationuser\index\userandapplication\4^93\ad" /f
    3⤵
    PID:4084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\application\data\93" /f
  2⤵
  PID:64
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\application\data\93" /f
    3⤵
    PID:5052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\application\data\93\applicationusermodelid: "microsoft.xboxgameoverlay_8wekyb3d8bbwe!app"" /f
  2⤵
  PID:4508
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\application\data\93\applicationusermodelid: "microsoft.xboxgameoverlay_8wekyb3d8bbwe!app"" /f
    3⤵
    PID:1516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\application\data\93\entrypoint: "gamebar.app"" /f
  2⤵
  PID:4576
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\application\data\93\entrypoint: "gamebar.app"" /f
    3⤵
    PID:412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\application\data\93\executable: "gamebar.exe"" /f
  2⤵
  PID:2424
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\application\data\93\executable: "gamebar.exe"" /f
    3⤵
    PID:632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\application\data\93\flags: 0x00000000" /f
  2⤵
  PID:3596
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\application\data\93\flags: 0x00000000" /f
    3⤵
    PID:3280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\application\data\93\index: 0x00000000" /f
  2⤵
  PID:4944
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\application\data\93\index: 0x00000000" /f
    3⤵
    PID:1248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\application\data\93\package: 0x00000181" /f
  2⤵
  PID:1716
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\application\data\93\package: 0x00000181" /f
    3⤵
    PID:3640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\application\data\93\packagerelativeapplicationid: "app"" /f
  2⤵
  PID:2632
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\application\data\93\packagerelativeapplicationid: "app"" /f
    3⤵
    PID:3036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\application\data\93\startpage: (null!)" /f
  2⤵
  PID:4368
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\application\data\93\startpage: (null!)" /f
    3⤵
    PID:4160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\application\data\93\_indexkeys: 50 61 63 6b 61 67 65 5c 31 38 31 5c 39 33 00 50 61 63 6b 61 67 65 41 6e 64 50 61 63 6b 61 67 65 52 65 6c 61 74 69 76 65 41 70 70 6c 69 63 61 74 69 6f 6e 49 64 5c 31 38 31 5e 41 70 70 00 00" /f
  2⤵
  PID:5032
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\application\data\93\_indexkeys: 50 61 63 6b 61 67 65 5c 31 38 31 5c 39 33 00 50 61 63 6b 61 67 65 41 6e 64 50 61 63 6b 61 67 65 52 65 6c 61 74 69 76 65 41 70 70 6c 69 63 61 74 69 6f 6e 49 64 5c 31 38 31 5e 41 70 70 00 00" /f
    3⤵
    PID:4836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\application\index\packageandpackagerelativeapplicationid\181^app" /f
  2⤵
  PID:536
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\application\index\packageandpackagerelativeapplicationid\181^app" /f
    3⤵
    PID:1776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\application\index\packageandpackagerelativeapplicationid\181^app\93" /f
  2⤵
  PID:4024
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\application\index\packageandpackagerelativeapplicationid\181^app\93" /f
    3⤵
    PID:4088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\application\index\package\181" /f
  2⤵
  PID:952
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\application\index\package\181" /f
    3⤵
    PID:4692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\application\index\package\181\93" /f
  2⤵
  PID:4068
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\application\index\package\181\93" /f
    3⤵
    PID:3512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\data\1a80" /f
  2⤵
  PID:4984
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\data\1a80" /f
    3⤵
    PID:3936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\data\1a80\package: 0x00000180" /f
  2⤵
  PID:4864
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\data\1a80\package: 0x00000180" /f
    3⤵
    PID:1708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\data\1a80\user: 0x00000003" /f
  2⤵
  PID:924
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\data\1a80\user: 0x00000003" /f
    3⤵
    PID:4544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\data\1a81" /f
  2⤵
  PID:312
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\data\1a81" /f
    3⤵
    PID:440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\data\1a81\package: 0x00000181" /f
  2⤵
  PID:2808
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\data\1a81\package: 0x00000181" /f
    3⤵
    PID:2644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\data\1a81\user: 0x00000003" /f
  2⤵
  PID:4284
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\data\1a81\user: 0x00000003" /f
    3⤵
    PID:4376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\data\1a81\_indexkeys: 55 73 65 72 5c 33 5c 31 61 38 31 00 55 73 65 72 41 6e 64 50 61 63 6b 61 67 65 5c 33 5e 31 38 31 00 00" /f
  2⤵
  PID:880
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\data\1a81\_indexkeys: 55 73 65 72 5c 33 5c 31 61 38 31 00 55 73 65 72 41 6e 64 50 61 63 6b 61 67 65 5c 33 5e 31 38 31 00 00" /f
    3⤵
    PID:2824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\data\1a82" /f
  2⤵
  PID:1628
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\data\1a82" /f
    3⤵
    PID:3748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\data\1a82\package: 0x00000182" /f
  2⤵
  PID:2220
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\data\1a82\package: 0x00000182" /f
    3⤵
    PID:2668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\data\1a82\user: 0x00000003" /f
  2⤵
  PID:4384
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\data\1a82\user: 0x00000003" /f
    3⤵
    PID:4884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\data\1a83\package: 0x00000180" /f
  2⤵
  PID:1388
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\data\1a83\package: 0x00000180" /f
    3⤵
    PID:1332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\data\1a83\user: 0x00000004" /f
  2⤵
  PID:800
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\data\1a83\user: 0x00000004" /f
    3⤵
    PID:2252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\data\1a83\_indexkeys: 55 73 65 72 5c 34 5c 31 61 38 33 00 55 73 65 72 41 6e 64 50 61 63 6b 61 67 65 5c 34 5e 31 38 30 00 00" /f
  2⤵
  PID:2648
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\data\1a83\_indexkeys: 55 73 65 72 5c 34 5c 31 61 38 33 00 55 73 65 72 41 6e 64 50 61 63 6b 61 67 65 5c 34 5e 31 38 30 00 00" /f
    3⤵
    PID:1732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\data\1a84" /f
  2⤵
  PID:3840
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\data\1a84" /f
    3⤵
    PID:1256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\data\1a84\package: 0x00000181" /f
  2⤵
  PID:1808
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\data\1a84\package: 0x00000181" /f
    3⤵
    PID:1092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\data\1a84\user: 0x00000004" /f
  2⤵
  PID:1488
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\data\1a84\user: 0x00000004" /f
    3⤵
    PID:3504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\data\1a84\_indexkeys: 55 73 65 72 5c 34 5c 31 61 38 34 00 55 73 65 72 41 6e 64 50 61 63 6b 61 67 65 5c 34 5e 31 38 31 00 00" /f
  2⤵
  PID:4972
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\data\1a84\_indexkeys: 55 73 65 72 5c 34 5c 31 61 38 34 00 55 73 65 72 41 6e 64 50 61 63 6b 61 67 65 5c 34 5e 31 38 31 00 00" /f
    3⤵
    PID:4704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\index\userandpackage\3^180" /f
  2⤵
  PID:868
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\index\userandpackage\3^180" /f
    3⤵
    PID:3016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\index\userandpackage\3^180\1a80" /f
  2⤵
  PID:4408
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\index\userandpackage\3^180\1a80" /f
    3⤵
    PID:4020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\index\userandpackage\3^181" /f
  2⤵
  PID:3584
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\index\userandpackage\3^181" /f
    3⤵
    PID:3200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\index\userandpackage\3^181\1a81" /f
  2⤵
  PID:3692
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\index\userandpackage\3^181\1a81" /f
    3⤵
    PID:1604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\index\userandpackage\3^182" /f
  2⤵
  PID:3628
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\index\userandpackage\3^182" /f
    3⤵
    PID:2676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\index\userandpackage\3^182\1a82" /f
  2⤵
  PID:2924
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\index\userandpackage\3^182\1a82" /f
    3⤵
    PID:4064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\index\userandpackage\4^180" /f
  2⤵
  PID:3620
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\index\userandpackage\4^180" /f
    3⤵
    PID:3268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\index\userandpackage\4^180\1a83" /f
  2⤵
  PID:2380
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\index\userandpackage\4^180\1a83" /f
    3⤵
    PID:2896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\index\userandpackage\4^181" /f
  2⤵
  PID:1616
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\index\userandpackage\4^181" /f
    3⤵
    PID:3356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\index\userandpackage\4^181\1a84" /f
  2⤵
  PID:4416
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\index\userandpackage\4^181\1a84" /f
    3⤵
    PID:2292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\index\user\3\1a80" /f
  2⤵
  PID:3296
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\index\user\3\1a80" /f
    3⤵
    PID:2908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\index\user\3\1a81" /f
  2⤵
  PID:4668
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\index\user\3\1a81" /f
    3⤵
    PID:1148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\index\user\3\1a82" /f
  2⤵
  PID:1232
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\index\user\3\1a82" /f
    3⤵
    PID:1116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\index\user\4\1a83" /f
  2⤵
  PID:5020
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\index\user\4\1a83" /f
    3⤵
    PID:4784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\index\user\4\1a84" /f
  2⤵
  PID:3448
- - C:\Windows\system32\reg.exe
    reg delete "hklm\software\microsoft\windows\currentversion\appmodel\staterepository\cache\packageuser\index\user\4\1a84" /f
    3⤵
    PID:1620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hkey_local_machinesoftwareepicgames" /f
  2⤵
  PID:388
- - C:\Windows\system32\reg.exe
    reg delete "hkey_local_machinesoftwareepicgames" /f
    3⤵
    PID:4268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\system\controlset001\services\beservice" /f
  2⤵
  PID:1032
- - C:\Windows\system32\reg.exe
    reg delete "hklm\system\controlset001\services\beservice" /f
    3⤵
    PID:660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hku\s-1-5-21-2532382528-581214834-2534474248-1001\software\microsoft\windows\currentversion\explorer\sessioninfo\1\virtualdesktops\currentvirtualdesktop" /f
  2⤵
  PID:3488
- - C:\Windows\system32\reg.exe
    reg delete "hku\s-1-5-21-2532382528-581214834-2534474248-1001\software\microsoft\windows\currentversion\explorer\sessioninfo\1\virtualdesktops\currentvirtualdesktop" /f
    3⤵
    PID:224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hku\s-1-5-21-2532382528-581214834-2534474248-1001\software\microsoft\windows\currentversion\explorer\streammru" /f
  2⤵
  PID:3560
- - C:\Windows\system32\reg.exe
    reg delete "hku\s-1-5-21-2532382528-581214834-2534474248-1001\software\microsoft\windows\currentversion\explorer\streammru" /f
    3⤵
    PID:4796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hku\s-1-5-21-2532382528-581214834-2534474248-1001\software\microsoft\windows\currentversion\explorer\streammru\0" /f
  2⤵
  PID:4780
- - C:\Windows\system32\reg.exe
    reg delete "hku\s-1-5-21-2532382528-581214834-2534474248-1001\software\microsoft\windows\currentversion\explorer\streammru\0" /f
    3⤵
    PID:2276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hku\s-1-5-21-2532382528-581214834-2534474248-1001\software\microsoft\windows\currentversion\explorer\streammru\mrulistex" /f
  2⤵
  PID:4488
- - C:\Windows\system32\reg.exe
    reg delete "hku\s-1-5-21-2532382528-581214834-2534474248-1001\software\microsoft\windows\currentversion\explorer\streammru\mrulistex" /f
    3⤵
    PID:3412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hku\s-1-5-21-2532382528-581214834-2534474248-1001\software\microsoft\windows\currentversion\explorer\streams\0" /f
  2⤵
  PID:2956
- - C:\Windows\system32\reg.exe
    reg delete "hku\s-1-5-21-2532382528-581214834-2534474248-1001\software\microsoft\windows\currentversion\explorer\streams\0" /f
    3⤵
    PID:3512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hku\s-1-5-21-2532382528-581214834-2534474248-1001\software\microsoft\windows\currentversion\explorer\userassist\{cebff5cd-ace2-4f4f-9178-9926f41749ea}\count\{6q809377-6ns0-444o-8957-n3773s02200r}\rcvp tnzrf\sbegavgr\sbegavgrtnzr\ovanevrf\jva64\rnflnagvpurng\rnflnagvpurng_frghc.rkr" /f
  2⤵
  PID:4068
- - C:\Windows\system32\reg.exe
    reg delete "hku\s-1-5-21-2532382528-581214834-2534474248-1001\software\microsoft\windows\currentversion\explorer\userassist\{cebff5cd-ace2-4f4f-9178-9926f41749ea}\count\{6q809377-6ns0-444o-8957-n3773s02200r}\rcvp tnzrf\sbegavgr\sbegavgrtnzr\ovanevrf\jva64\rnflnagvpurng\rnflnagvpurng_frghc.rkr" /f
    3⤵
    PID:3936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hku\s-1-5-21-2532382528-581214834-2534474248-1001\software\microsoft\windows\currentversion\explorer\userassist\{cebff5cd-ace2-4f4f-9178-9926f41749ea}\count\{6q809377-6ns0-444o-8957-n3773s02200r}\rcvp tnzrf\sbegavgr\sbegavgrtnzr\ovanevrf\jva64\sbegavgrpyvrag-jva64-fuvccvat.rkr" /f
  2⤵
  PID:4984
- - C:\Windows\system32\reg.exe
    reg delete "hku\s-1-5-21-2532382528-581214834-2534474248-1001\software\microsoft\windows\currentversion\explorer\userassist\{cebff5cd-ace2-4f4f-9178-9926f41749ea}\count\{6q809377-6ns0-444o-8957-n3773s02200r}\rcvp tnzrf\sbegavgr\sbegavgrtnzr\ovanevrf\jva64\sbegavgrpyvrag-jva64-fuvccvat.rkr" /f
    3⤵
    PID:1708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hku\s-1-5-21-2532382528-581214834-2534474248-1001\software\microsoft\windows\currentversion\explorer\userassist\{cebff5cd-ace2-4f4f-9178-9926f41749ea}\count\{6q809377-6ns0-444o-8957-n3773s02200r}\rcvp tnzrf\sbegavgr\sbegavgrtnzr\ovanevrf\jva64\sbegavgrpyvrag-jva64-fuvccvat_rnp.rkr" /f
  2⤵
  PID:4864
- - C:\Windows\system32\reg.exe
    reg delete "hku\s-1-5-21-2532382528-581214834-2534474248-1001\software\microsoft\windows\currentversion\explorer\userassist\{cebff5cd-ace2-4f4f-9178-9926f41749ea}\count\{6q809377-6ns0-444o-8957-n3773s02200r}\rcvp tnzrf\sbegavgr\sbegavgrtnzr\ovanevrf\jva64\sbegavgrpyvrag-jva64-fuvccvat_rnp.rkr" /f
    3⤵
    PID:4544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hku\s-1-5-21-2532382528-581214834-2534474248-1001\system\gameconfigstore\children\03ce6902-ff58-41de-ab92-36fcaf27a580" /f
  2⤵
  PID:924
- - C:\Windows\system32\reg.exe
    reg delete "hku\s-1-5-21-2532382528-581214834-2534474248-1001\system\gameconfigstore\children\03ce6902-ff58-41de-ab92-36fcaf27a580" /f
    3⤵
    PID:1348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hku\s-1-5-21-2532382528-581214834-2534474248-1001\system\gameconfigstore\parents\fd13f746e7d2d69760b017363f621255c9b49ac8" /f
  2⤵
  PID:1564
- - C:\Windows\system32\reg.exe
    reg delete "hku\s-1-5-21-2532382528-581214834-2534474248-1001\system\gameconfigstore\parents\fd13f746e7d2d69760b017363f621255c9b49ac8" /f
    3⤵
    PID:1976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hku\s-1-5-21-2532382528-581214834-2534474248-1001_classes\local settings\mrtcache\c:%5cprogram files%5cwindowsapps%5cmicrosoft.xboxgamingoverlay_2.26.28001.0_x64__8wekyb3d8bbwe%5cmicrosoft.system.package.metadata%5cs-1-5-21-2532382528-581214834-2534474248-1001-mergedresources-2.pri" /f
  2⤵
  PID:2936
- - C:\Windows\system32\reg.exe
    reg delete "hku\s-1-5-21-2532382528-581214834-2534474248-1001_classes\local settings\mrtcache\c:%5cprogram files%5cwindowsapps%5cmicrosoft.xboxgamingoverlay_2.26.28001.0_x64__8wekyb3d8bbwe%5cmicrosoft.system.package.metadata%5cs-1-5-21-2532382528-581214834-2534474248-1001-mergedresources-2.pri" /f
    3⤵
    PID:2756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "hklm\system\currentcontrolset\services\beservice" /f
  2⤵
  PID:2712
- - C:\Windows\system32\reg.exe
    reg delete "hklm\system\currentcontrolset\services\beservice" /f
    3⤵
    PID:4500

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
247B

MD5
94bd83393ee4e3c749f28c3414160cbc

SHA1
68effb04ecc392f2ae4ad7bdc1e99b9116da474c

SHA256
e1dbf44fca250f32925910fcd7f59276e46d0d916eff30fdf9f85ef91bcd3d4b

SHA512
203109a405cd685a195e6cdae5d0a624abcd6c6a9333b88f312e50f96bafa03057366bd78bf62df8784ec97f14677d56f8b78b472000044618a784bcf7af3e8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a82030fda9032b1455593d164f84ca3f

SHA1
ebf76abac6daaf1b0b2a5b15533d728cf2e69c8f

SHA256
c5aea0bf8a4249ab74b3762c2dcde58575d75117c121438e97154775438d4e14

SHA512
d82229cedda37b40fe797da597a36ab38c9a1f7dd1a0a3099006d9c0c320311bc07a4da162d0629c33a50b1c3008629416fc8d63e073c212f983dd6091b2e4e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
074cb054ae011fc8c4ce9abf207f88a7

SHA1
8a9027cb69c060b06b823fe42a08e408ff6962a5

SHA256
5cfabd93c5a464d3d9a4e63247b6df815b0b833848dabf460c6ea32831fc6a78

SHA512
a20430f268db4d94a2b0e74426a3fffdcf5874d2719596d5ef8a961b8eaaa2ce2efaa94db5635db3129f74641462ad44bf81d7def04496b6ea43eb91a2eb9f40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e63438317fe9f0ee8d0c3637402767ed

SHA1
e53f9e29e5aaeecc27b0b64287bb8a4c05b56adc

SHA256
bfd4fa6a5159483ca715b0c3f0c3b5ce0ff380b75e76b9fbecba0a4ff74047f7

SHA512
1204e3552db7c3447dd658a527023f50fcf293bb3e3247a3f4feff312d6b5a98acd49b4cac2819d4bd3564e711e6dc4ca3cdf05bff87def8bc9af1e8a19cae95

Download Submit
\??\pipe\LOCAL\crashpad_3468_XPRFEKTOTATKVUXA

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2116-126-0x00007FF4FDAB0000-0x00007FF4FDE81000-memory.dmp

Filesize
3.8MB

Download
memory/2116-125-0x0000000140000000-0x0000000141F36000-memory.dmp

Filesize
31.2MB

Download
memory/2116-4-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp

Filesize
2.0MB

Download
memory/2116-0-0x0000000140000000-0x0000000141F36000-memory.dmp

Filesize
31.2MB

Download
memory/2116-1-0x00007FF4FDAB0000-0x00007FF4FDE81000-memory.dmp

Filesize
3.8MB

Download
memory/2116-124-0x0000000140000000-0x0000000141F36000-memory.dmp

Filesize
31.2MB

Download
memory/2116-2-0x0000000140000000-0x0000000141F36000-memory.dmp

Filesize
31.2MB

Download
memory/2116-3-0x00007FF947F6D000-0x00007FF947F6E000-memory.dmp

Filesize
4KB

Download
memory/2116-127-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp

Filesize
2.0MB

Download
memory/2116-128-0x0000000140000000-0x0000000141F36000-memory.dmp

Filesize
31.2MB

Download
memory/2116-129-0x0000000140000000-0x0000000141F36000-memory.dmp

Filesize
31.2MB

Download
memory/2116-130-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp

Filesize
2.0MB

Download
memory/2116-131-0x0000000140000000-0x0000000141F36000-memory.dmp

Filesize
31.2MB

Download
memory/2116-132-0x0000000140000000-0x0000000141F36000-memory.dmp

Filesize
31.2MB

Download
memory/2116-133-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp

Filesize
2.0MB

Download