cerber | 4ee85019c1ae4d1abf8ea1908f635339d0a4af88ba185dc30e1104e68c7c902e

Resubmissions

10-07-2024 02:30

240710-czl2gstcke 10

20-06-2024 12:39

20-06-2024 12:36

20-06-2024 12:35

20-06-2024 12:33

Analysis

max time kernel
1794s
max time network
1803s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Spoofer.exe
Size

24KB
MD5

7a4a3fea89bfe8810ef9835273d6fc84
SHA1

cd411d7d4eed7b622ca2d1ea5495055da76216ee
SHA256

2d9b399a3a584808b4bd38d9f6a12752e2b02875f92252f944a5bd7bf129e2f0
SHA512

a921faf7de2ae61421432ba176ef7254f005bc052d41054019d1fbc5714c213266c598a64cd4c3edd4cec35130e3ce8d7595bb2bcc7c669a20d69b0ca93277d4
SSDEEP

384:IfedtZWjBkCUo6tqt7glQcpF3dPBlcR8lfZKlD04tEGD4PTeB2DKiES3M+f:KVgtrYD0iEG4SBWUS3f

Score

10^/10

cerber evasion execution persistence privilege_escalation ransomware

Malware Config

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Winmgmt\Parameters\ServiceDll = "%SystemRoot%\\system32\\wbem\\WMIsvc.dll"	regsvr32.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\system32\wbem\AutoRecover\A9325A7FC13EE1821F6BC28637472FC3.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\76FC6ECE6E69615238BD782572B6AE9A.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\EDF3F610F6DA16B8F758D81ADD6764AC.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\AD0B790C2468A8DCF73E8E2925527653.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\03FA45E8AD14F8FCC81DC92CF18A9538.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING2.MAP	svchost.exe
File created	C:\Windows\system32\wbem\AutoRecover\4D63DBC2E2F583689FBD5757DE239E05.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\38EE6C630467A006990C5977C3058C94.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\2572593894B364FF5F52C71028D4F15D.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\2E8F3CA90E51B47160C820C8A9D25C70.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\C9FFD7DEF039EF1D8845837409469B2F.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\CBD66ABF99AFFFA4375E215A3072C696.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\8A5665C9B434838A05B96BF322560FE8.mof	mofcomp.exe
File created	C:\Windows\system32\perfc010.dat	regsvr32.exe
File created	C:\Windows\system32\wbem\AutoRecover\D38FFA40EC29A055EB37EBD604093C62.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\8EE8FC83289049798EE5B66322A8DA45.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\90E799DE6A9A6DAC2AB6C559BB0ED353.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\0296C47314AB746EC35476488248FCD9.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\95045902E6CF7783C629F03A7958F5DC.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\C3A0BE17B37ACE48BE78B31580231AE9.mof	mofcomp.exe
File created	C:\Windows\system32\perfh007.dat	regsvr32.exe
File created	C:\Windows\system32\wbem\AutoRecover\21BD8E9B6A3575C7E6CFD05471F4DE86.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\97823DC673AD0F92AB9B83F4C177678B.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\DC999686F8B85B326CEDFA199DD07F72.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\repository	svchost.exe
File created	C:\Windows\system32\wbem\AutoRecover\8C226ACD9934CF6AC0A2FED330FF195D.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\DF80FD3849FFF74B4BF43E2EA8ADEC8A.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\F01326692CC5736EBAC31B9FC2381CF2.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\4273CA093A54B161AE6A9FA019048CE8.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\0772EA28C9AD9F026AA9F29EE684B717.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\repository\WRITABLE.TST	svchost.exe
File created	C:\Windows\system32\wbem\AutoRecover\AFFA4734C9FA7C4A3BDE5528A94427A4.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\C81ACF420917AA0F87487BC4D958BEB4.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\1C078F108857519908F320C9860EA9D8.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\A4E4450F82FCBDED5A110855857A16B9.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\D97D08E4902AC1BCF40C06435990ED69.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING3.MAP	svchost.exe
File created	C:\Windows\system32\wbem\AutoRecover\75054C3771DF289038069A9BB1C1FB6E.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\80792982BF972E1BFD199DE5636C38C5.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\EC334120AAC576B5B016EFBD4CB50498.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\3E2C8A6A5EEECAC8DDDF4B502F3D3118.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\8636DC7F9479DACE6778109CB4FB4B01.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\FD38E89965714BC8838FE9C66DB5567D.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\844A429FB6680A32838047A6271F8CD9.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\45D6D48D4A97E9A81DFF8FF65D16E53D.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\FFA7CB08C2CC2CB2D3973F6214D0CCAF.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\FEDCF0C5E194376CBD64963452F9A8E1.mof	mofcomp.exe
File created	C:\Windows\system32\perfh011.dat	regsvr32.exe
File created	C:\Windows\system32\wbem\AutoRecover\2E4D1429BE1911C37755271D939627EF.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\77AF494807BB41A0B4B67AEEC51F85C6.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\40CD8A341670967C555998737DB91D5B.mof	mofcomp.exe
File created	C:\Windows\system32\perfc009.dat	regsvr32.exe
File created	C:\Windows\system32\wbem\AutoRecover\D0C5C729E970878A5B11C5AE54A0B179.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\DB3D8DB0C02C23250753E40A2A69CBE6.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\B16B0DDE7AC8EE97D6CF843A06985EFA.mof	mofcomp.exe
File created	C:\Windows\system32\PerfStringBackup.TMP	regsvr32.exe
File opened for modification	C:\Windows\system32\wbem\repository\INDEX.BTR	svchost.exe
File created	C:\Windows\system32\wbem\AutoRecover\CCBF2F68BDFF431067DD1663E0BB092D.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\57B0D59999DF0A672E8CDB1626320AC0.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\6FFF7467A5B40765D5740A413CA8BB8A.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\3DC0BABDCA20E5E319117C21BD4BD795.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\PerfStringBackup.INI	regsvr32.exe
File created	C:\Windows\system32\wbem\AutoRecover\AD1621C948A4E41C8ABE8FC09AC11633.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\494C62FAA08CD5217399BAA555FF491B.mof	mofcomp.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.h	regsvr32.exe
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.h	regsvr32.exe
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	regsvr32.exe
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	regsvr32.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2300	sc.exe
2856	sc.exe
3560	sc.exe
3240	sc.exe
2016	sc.exe
4020	sc.exe

Kills process with taskkill 13 IoCs

evasion

pid	Process
4860	taskkill.exe
3948	taskkill.exe
3492	taskkill.exe
2384	taskkill.exe
4908	taskkill.exe
2208	taskkill.exe
2672	taskkill.exe
716	taskkill.exe
1756	taskkill.exe
1992	taskkill.exe
5084	taskkill.exe
4204	taskkill.exe
4608	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WINMGMTS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WINMGMTS.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\software\classes\CLSID\{4590F812-1D3A-11D0-891F-00AA004B2E24}\Implemented Categories\{00000003-0000-0000-C000-000000000046}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{55F7B88D-A254-4B22-B7BB-FCDBBA1AFA32}\TypeLib\ = "{0438D53A-9A57-423C-9E54-9612C4576257}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D215781D-019E-4FA0-903D-0CDCDE13A4F5}\DllSurrogate	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7C3453E-1F1C-48CD-AFE6-CFF2A937D337}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{04963311-C399-408E-AD51-05D01506EED0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6963B029-B969-40AA-9180-2B2F84075973}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JobObjSecLimitInfoProv.JobObjSecLimitInfoProv\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4950C79-806D-4ECE-9DB1-11B34D33F514}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7E9D3B9-E62B-4A90-8CC5-A3C5F662DA7B}\ = "ConfigurationProvider Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1CFABA8C-1523-11D1-AD79-00C04FD8FDFF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{88F3781C-6902-4647-9A6B-A74F450AF861}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1BE41571-91DD-11D1-AEB2-00C04FB68820}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JobObjectProv.JobObjectProv.1\ = "Win32_JobObject Provider Component"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JobObjLimitInfoProv.JobObjLimitInfoProv\ = "Win32_JobObjectLimitInfo Component"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DCF33DF4-B510-439F-832A-16B6B514F2A7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7D35CFA-348B-485E-B524-252725D697CA}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5A55D36-8750-432C-AB52-AD49A016EABC}\NotInsertable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemDateTime\CurVer\ = "WbemScripting.SWbemDateTime.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{755F9DA6-7508-11D1-AD94-00C04FD8FDFF}\NumMethods	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A571F412-E3D2-4A32-BF42-1D3B2203FF17}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WbemScripting.SWbemLocator	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C49E32C7-BC8B-11D2-85D4-00105A1F8304}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F0BC6AD-46D4-488B-BE1F-047FC7505E60}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{755F9DA7-7508-11D1-AD94-00C04FD8FDFF}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6B100E1A-1385-4D1F-A02E-6E705A76BB6C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemDateTime.1\ = "WBEM Scripting DateTime 1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\classes\AppID\winmgmt	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\winmgmt	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266C72E5-62E8-11D1-AD89-00C04FD8FDFF}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{6E78DAD9-E187-4D6E-BA63-760256D6F405}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemNamedValueSet.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C19BE34-7500-11D1-AD94-00C04FD8FDFF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A0DC377-A9D3-41CB-BD69-AE1FDAF2DC68}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41AA40E6-2FBA-4E80-ADE9-34306567206D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1BE41571-91DD-11D1-AEB2-00C04FB68820}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4CFC7932-0F9D-4BEF-9C32-8EA2A6B56FCB}\NotInsertable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{EB87E1BD-3233-11D2-AEC9-00C04FB68820}	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{890CB943-D715-401B-98B1-CF82DCF36D7C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMICntl.WMISnapin\CurVer\ = "WMICntl.WMISnapin.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{1F0BC6AD-46D4-488B-BE1F-047FC7505E60}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemSink.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{47DFBE54-CF76-11D3-B38F-00105A1F473A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2B322B6E-A9DF-44E3-97BF-259E3583FDA4}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F6C78EF-FCE5-42FA-ABEA-3E7DF91921DC}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EC231970-6AFD-4215-A72E-97242BB08680}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{75718C9A-F029-11D1-A1AC-00C04FB6C223}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C2FEEEAC-CFCD-11D1-8B05-00600806D9B6}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5D08B586-343A-11D0-AD46-00C04FD8FDFF}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6919DD07-1637-4611-A8A7-C16FAC5B2D53}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4AF3F4A4-06C8-4B79-A523-633CC65CE297}\InprocServer32	regsvr32.exe

Runs net.exe

Suspicious behavior: LoadsDriver 8 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	taskkill.exe
Token: SeDebugPrivilege	2672	taskkill.exe
Token: SeDebugPrivilege	4860	taskkill.exe
Token: SeDebugPrivilege	3948	taskkill.exe
Token: SeDebugPrivilege	3492	taskkill.exe
Token: SeDebugPrivilege	2384	taskkill.exe
Token: SeDebugPrivilege	4204	taskkill.exe
Token: SeDebugPrivilege	716	taskkill.exe
Token: SeDebugPrivilege	1756	taskkill.exe
Token: SeDebugPrivilege	4908	taskkill.exe
Token: SeDebugPrivilege	1992	taskkill.exe
Token: SeDebugPrivilege	5084	taskkill.exe
Token: SeDebugPrivilege	4608	taskkill.exe
Token: SeSecurityPrivilege	5084	mofcomp.exe
Token: SeAssignPrimaryTokenPrivilege	4432	svchost.exe
Token: SeIncreaseQuotaPrivilege	4432	svchost.exe
Token: SeSecurityPrivilege	4432	svchost.exe
Token: SeTakeOwnershipPrivilege	4432	svchost.exe
Token: SeLoadDriverPrivilege	4432	svchost.exe
Token: SeSystemtimePrivilege	4432	svchost.exe
Token: SeBackupPrivilege	4432	svchost.exe
Token: SeRestorePrivilege	4432	svchost.exe
Token: SeShutdownPrivilege	4432	svchost.exe
Token: SeSystemEnvironmentPrivilege	4432	svchost.exe
Token: SeUndockPrivilege	4432	svchost.exe
Token: SeManageVolumePrivilege	4432	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	4432	svchost.exe
Token: SeIncreaseQuotaPrivilege	4432	svchost.exe
Token: SeSecurityPrivilege	4432	svchost.exe
Token: SeTakeOwnershipPrivilege	4432	svchost.exe
Token: SeLoadDriverPrivilege	4432	svchost.exe
Token: SeSystemtimePrivilege	4432	svchost.exe
Token: SeBackupPrivilege	4432	svchost.exe
Token: SeRestorePrivilege	4432	svchost.exe
Token: SeShutdownPrivilege	4432	svchost.exe
Token: SeSystemEnvironmentPrivilege	4432	svchost.exe
Token: SeUndockPrivilege	4432	svchost.exe
Token: SeManageVolumePrivilege	4432	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	4432	svchost.exe
Token: SeIncreaseQuotaPrivilege	4432	svchost.exe
Token: SeSecurityPrivilege	4432	svchost.exe
Token: SeTakeOwnershipPrivilege	4432	svchost.exe
Token: SeLoadDriverPrivilege	4432	svchost.exe
Token: SeSystemtimePrivilege	4432	svchost.exe
Token: SeBackupPrivilege	4432	svchost.exe
Token: SeRestorePrivilege	4432	svchost.exe
Token: SeShutdownPrivilege	4432	svchost.exe
Token: SeSystemEnvironmentPrivilege	4432	svchost.exe
Token: SeUndockPrivilege	4432	svchost.exe
Token: SeManageVolumePrivilege	4432	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	4432	svchost.exe
Token: SeIncreaseQuotaPrivilege	4432	svchost.exe
Token: SeSecurityPrivilege	4432	svchost.exe
Token: SeTakeOwnershipPrivilege	4432	svchost.exe
Token: SeLoadDriverPrivilege	4432	svchost.exe
Token: SeSystemtimePrivilege	4432	svchost.exe
Token: SeBackupPrivilege	4432	svchost.exe
Token: SeRestorePrivilege	4432	svchost.exe
Token: SeShutdownPrivilege	4432	svchost.exe
Token: SeSystemEnvironmentPrivilege	4432	svchost.exe
Token: SeUndockPrivilege	4432	svchost.exe
Token: SeManageVolumePrivilege	4432	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	4432	svchost.exe
Token: SeIncreaseQuotaPrivilege	4432	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 696	4740	Spoofer.exe	104
PID 4740 wrote to memory of 696	4740	Spoofer.exe	104
PID 4740 wrote to memory of 1532	4740	Spoofer.exe	105
PID 4740 wrote to memory of 1532	4740	Spoofer.exe	105
PID 4740 wrote to memory of 2028	4740	Spoofer.exe	106
PID 4740 wrote to memory of 2028	4740	Spoofer.exe	106
PID 4740 wrote to memory of 3812	4740	Spoofer.exe	107
PID 4740 wrote to memory of 3812	4740	Spoofer.exe	107
PID 4740 wrote to memory of 2312	4740	Spoofer.exe	108
PID 4740 wrote to memory of 2312	4740	Spoofer.exe	108
PID 4740 wrote to memory of 1592	4740	Spoofer.exe	109
PID 4740 wrote to memory of 1592	4740	Spoofer.exe	109
PID 4740 wrote to memory of 3476	4740	Spoofer.exe	110
PID 4740 wrote to memory of 3476	4740	Spoofer.exe	110
PID 4740 wrote to memory of 3432	4740	Spoofer.exe	111
PID 4740 wrote to memory of 3432	4740	Spoofer.exe	111
PID 4740 wrote to memory of 3284	4740	Spoofer.exe	112
PID 4740 wrote to memory of 3284	4740	Spoofer.exe	112
PID 4740 wrote to memory of 4384	4740	Spoofer.exe	113
PID 4740 wrote to memory of 4384	4740	Spoofer.exe	113
PID 4740 wrote to memory of 1972	4740	Spoofer.exe	114
PID 4740 wrote to memory of 1972	4740	Spoofer.exe	114
PID 1972 wrote to memory of 5052	1972	cmd.exe	115
PID 1972 wrote to memory of 5052	1972	cmd.exe	115
PID 1972 wrote to memory of 2208	1972	cmd.exe	116
PID 1972 wrote to memory of 2208	1972	cmd.exe	116
PID 1972 wrote to memory of 2672	1972	cmd.exe	117
PID 1972 wrote to memory of 2672	1972	cmd.exe	117
PID 1972 wrote to memory of 4860	1972	cmd.exe	118
PID 1972 wrote to memory of 4860	1972	cmd.exe	118
PID 1972 wrote to memory of 3948	1972	cmd.exe	119
PID 1972 wrote to memory of 3948	1972	cmd.exe	119
PID 1972 wrote to memory of 3492	1972	cmd.exe	120
PID 1972 wrote to memory of 3492	1972	cmd.exe	120
PID 1972 wrote to memory of 2384	1972	cmd.exe	121
PID 1972 wrote to memory of 2384	1972	cmd.exe	121
PID 1972 wrote to memory of 4204	1972	cmd.exe	122
PID 1972 wrote to memory of 4204	1972	cmd.exe	122
PID 1972 wrote to memory of 716	1972	cmd.exe	123
PID 1972 wrote to memory of 716	1972	cmd.exe	123
PID 1972 wrote to memory of 1756	1972	cmd.exe	124
PID 1972 wrote to memory of 1756	1972	cmd.exe	124
PID 1972 wrote to memory of 4908	1972	cmd.exe	125
PID 1972 wrote to memory of 4908	1972	cmd.exe	125
PID 1972 wrote to memory of 1992	1972	cmd.exe	126
PID 1972 wrote to memory of 1992	1972	cmd.exe	126
PID 1972 wrote to memory of 5084	1972	cmd.exe	127
PID 1972 wrote to memory of 5084	1972	cmd.exe	127
PID 1972 wrote to memory of 4608	1972	cmd.exe	128
PID 1972 wrote to memory of 4608	1972	cmd.exe	128
PID 1972 wrote to memory of 2300	1972	cmd.exe	129
PID 1972 wrote to memory of 2300	1972	cmd.exe	129
PID 1972 wrote to memory of 2856	1972	cmd.exe	130
PID 1972 wrote to memory of 2856	1972	cmd.exe	130
PID 1972 wrote to memory of 3560	1972	cmd.exe	131
PID 1972 wrote to memory of 3560	1972	cmd.exe	131
PID 1972 wrote to memory of 3240	1972	cmd.exe	132
PID 1972 wrote to memory of 3240	1972	cmd.exe	132
PID 1972 wrote to memory of 2016	1972	cmd.exe	133
PID 1972 wrote to memory of 2016	1972	cmd.exe	133
PID 1972 wrote to memory of 1472	1972	cmd.exe	134
PID 1972 wrote to memory of 1472	1972	cmd.exe	134
PID 1472 wrote to memory of 1200	1472	net.exe	135
PID 1472 wrote to memory of 1200	1472	net.exe	135

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\Spoofer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe
  C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.sys
  2⤵
  PID:696
- C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.EXE
  C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.EXE C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.sys
  2⤵
  PID:1532
- C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe
  C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe C:\Users\Admin\AppData\Local\Temp\spoofers\gsoftgmx64.sys
  2⤵
  PID:2028
- C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.EXE
  C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.EXE C:\Users\Admin\AppData\Local\Temp\spoofers\gsoftgmx64.sys
  2⤵
  PID:3812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2312
- C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe
  C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.sys
  2⤵
  PID:1592
- C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.EXE
  C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.EXE C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.sys
  2⤵
  PID:3476
- C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe
  C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe C:\Users\Admin\AppData\Local\Temp\spoofers\gsoftgmx64.sys
  2⤵
  PID:3432
- C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.EXE
  C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.EXE C:\Users\Admin\AppData\Local\Temp\spoofers\gsoftgmx64.sys
  2⤵
  PID:3284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cleaners\cleaner.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\system32\cacls.exe
    "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
    3⤵
    PID:5052
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im epicgameslauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2208
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2672
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4860
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3948
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OneDrive.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3492
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2384
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4204
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im UnrealCEFSubProcess.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:716
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im CEFProcess.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1756
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EasyAntiCheat.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4908
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im BEService.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1992
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im BEServices.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5084
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im BattleEye.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4608
- - C:\Windows\system32\sc.exe
    Sc stop EasyAntiCheat
    3⤵
    - Launches sc.exe
    PID:2300
- - C:\Windows\system32\sc.exe
    Sc stop FortniteClient-Win64-Shipping_EAC
    3⤵
    - Launches sc.exe
    PID:2856
- - C:\Windows\system32\sc.exe
    Sc stop BattleEye
    3⤵
    - Launches sc.exe
    PID:3560
- - C:\Windows\system32\sc.exe
    Sc stop FortniteClient-Win64-Shipping_BE
    3⤵
    - Launches sc.exe
    PID:3240
- - C:\Windows\system32\sc.exe
    sc config winmgmt start= disabled
    3⤵
    - Launches sc.exe
    PID:2016
- - C:\Windows\system32\net.exe
    net stop winmgmt /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1472
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop winmgmt /y
      4⤵
      PID:1200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b *.dll
    3⤵
    PID:1976
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s appbackgroundtask.dll
    3⤵
    PID:3880
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s cimwin32.dll
    3⤵
    PID:732
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s DMWmiBridgeProv.dll
    3⤵
    PID:2260
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s DMWmiBridgeProv1.dll
    3⤵
    PID:1216
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s dnsclientcim.dll
    3⤵
    PID:3696
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s dnsclientpsprovider.dll
    3⤵
    PID:4012
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s Dscpspluginwkr.dll
    3⤵
    PID:3000
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s dsprov.dll
    3⤵
    PID:4036
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s EmbeddedLockdownWmi.dll
    3⤵
    PID:552
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s esscli.dll
    3⤵
    PID:3856
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s EventTracingManagement.dll
    3⤵
    PID:1600
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s fastprox.dll
    3⤵
    - Modifies registry class
    PID:3644
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s ipmiprr.dll
    3⤵
    PID:3724
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s ipmiprv.dll
    3⤵
    PID:2416
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s KrnlProv.dll
    3⤵
    - Modifies registry class
    PID:4008
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s MDMAppProv.dll
    3⤵
    PID:4844
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s MDMSettingsProv.dll
    3⤵
    PID:428
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s Microsoft.AppV.AppVClientWmi.dll
    3⤵
    PID:3596
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s Microsoft.Uev.AgentWmi.dll
    3⤵
    - Modifies registry class
    PID:3648
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s MMFUtil.dll
    3⤵
    PID:624
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s mofd.dll
    3⤵
    - Modifies registry class
    PID:2364
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s mofinstall.dll
    3⤵
    PID:4348
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s msdtcwmi.dll
    3⤵
    PID:1816
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s msiprov.dll
    3⤵
    PID:2428
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s NCProv.dll
    3⤵
    PID:3272
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s ndisimplatcim.dll
    3⤵
    PID:3016
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s NetAdapterCim.dll
    3⤵
    PID:4368
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s netdacim.dll
    3⤵
    PID:1596
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s NetEventPacketCapture.dll
    3⤵
    PID:2388
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s netnccim.dll
    3⤵
    PID:1892
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s NetPeerDistCim.dll
    3⤵
    PID:412
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s netswitchteamcim.dll
    3⤵
    PID:2792
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s NetTCPIP.dll
    3⤵
    PID:1332
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s netttcim.dll
    3⤵
    PID:1480
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s nlmcim.dll
    3⤵
    PID:2180
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s ntevt.dll
    3⤵
    PID:4596
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s PolicMan.dll
    3⤵
    PID:4524
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s PrintManagementProvider.dll
    3⤵
    PID:3492
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s qoswmi.dll
    3⤵
    PID:4508
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s RacWmiProv.dll
    3⤵
    - Modifies registry class
    PID:1512
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s repdrvfs.dll
    3⤵
    PID:864
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s schedprov.dll
    3⤵
    PID:4840
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s ServDeps.dll
    3⤵
    PID:1964
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s SMTPCons.dll
    3⤵
    PID:3940
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s stdprov.dll
    3⤵
    PID:3956
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s vdswmi.dll
    3⤵
    - Modifies registry class
    PID:4792
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s viewprov.dll
    3⤵
    PID:4908
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s vpnclientpsprovider.dll
    3⤵
    PID:1632
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s vsswmi.dll
    3⤵
    PID:1992
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s wbemcntl.dll
    3⤵
    - Modifies registry class
    PID:1648
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s wbemcons.dll
    3⤵
    - Modifies registry class
    PID:5084
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s wbemcore.dll
    3⤵
    - Modifies registry class
    PID:2400
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s wbemdisp.dll
    3⤵
    - Modifies registry class
    PID:4608
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s wbemess.dll
    3⤵
    - Modifies registry class
    PID:2300
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s wbemprox.dll
    3⤵
    PID:2856
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s wbemsvc.dll
    3⤵
    - Modifies registry class
    PID:3560
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s WdacWmiProv.dll
    3⤵
    PID:3240
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s wfascim.dll
    3⤵
    PID:5000
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s Win32_EncryptableVolume.dll
    3⤵
    PID:2188
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s Win32_Tpm.dll
    3⤵
    PID:3092
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s WinMgmtR.dll
    3⤵
    PID:548
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s WmiApRes.dll
    3⤵
    PID:3104
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s WmiApRpl.dll
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:640
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s WMICOOKR.dll
    3⤵
    PID:4308
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s WmiDcPrv.dll
    3⤵
    - Modifies registry class
    PID:4900
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s wmipcima.dll
    3⤵
    PID:2692
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s wmipdfs.dll
    3⤵
    PID:1116
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s wmipdskq.dll
    3⤵
    - Modifies registry class
    PID:2672
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s WmiPerfClass.dll
    3⤵
    PID:4044
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s WmiPerfInst.dll
    3⤵
    PID:1420
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s WMIPICMP.dll
    3⤵
    PID:4672
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s WMIPIPRT.dll
    3⤵
    PID:4212
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s WMIPJOBJ.dll
    3⤵
    - Modifies registry class
    PID:3800
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s wmiprov.dll
    3⤵
    - Modifies registry class
    PID:3640
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s WmiPrvSD.dll
    3⤵
    - Modifies registry class
    PID:4724
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s WMIPSESS.dll
    3⤵
    - Modifies registry class
    PID:316
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s WMIsvc.dll
    3⤵
    - Server Software Component: Terminal Services DLL
    - Modifies registry class
    PID:4556
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s wmitimep.dll
    3⤵
    PID:1304
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s wmiutils.dll
    3⤵
    - Modifies registry class
    PID:116
- - C:\Windows\System32\wbem\WmiPrvSE.exe
    wmiprvse /regserver
    3⤵
    PID:3816
- - C:\Windows\System32\wbem\WinMgmt.exe
    winmgmt /regserver
    3⤵
    PID:836
- - C:\Windows\system32\sc.exe
    sc config winmgmt start= auto
    3⤵
    - Launches sc.exe
    PID:4020
- - C:\Windows\system32\net.exe
    net start winmgmt
    3⤵
    PID:4836
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start winmgmt
      4⤵
      PID:8
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /s /b *.mof *.mfl
    3⤵
    PID:3888
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\aeinv.mof
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5084
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AgentWmi.mof
    3⤵
    - Drops file in System32 directory
    PID:3444
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AgentWmiUninstall.mof
    3⤵
    - Drops file in System32 directory
    PID:1384
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\appbackgroundtask.mof
    3⤵
    - Drops file in System32 directory
    PID:3488
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\appbackgroundtask_uninstall.mof
    3⤵
    PID:2740
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AuditRsop.mof
    3⤵
    - Drops file in System32 directory
    PID:1976
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\authfwcfg.mof
    3⤵
    PID:2260
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\bcd.mof
    3⤵
    PID:4036
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\BthMtpEnum.mof
    3⤵
    PID:4340
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\cimdmtf.mof
    3⤵
    - Drops file in System32 directory
    PID:3612
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\cimwin32.mof
    3⤵
    PID:5072
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\CIWmi.mof
    3⤵
    PID:4968
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\classlog.mof
    3⤵
    PID:1088
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\cli.mof
    3⤵
    PID:3344
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\cliegaliases.mof
    3⤵
    PID:4368
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\ddp.mof
    3⤵
    - Drops file in System32 directory
    PID:5052
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\dimsjob.mof
    3⤵
    PID:812
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\dimsroam.mof
    3⤵
    PID:4524
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv.mof
    3⤵
    - Drops file in System32 directory
    PID:3640
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv1.mof
    3⤵
    PID:3964
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv1_Uninstall.mof
    3⤵
    PID:3956
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv_Uninstall.mof
    3⤵
    PID:1468
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\dnsclientcim.mof
    3⤵
    - Drops file in System32 directory
    PID:1288
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\dnsclientpsprovider.mof
    3⤵
    - Drops file in System32 directory
    PID:2620
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\dnsclientpsprovider_Uninstall.mof
    3⤵
    PID:3004
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\drvinst.mof
    3⤵
    PID:2280
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\DscCore.mof
    3⤵
    PID:4228
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\DscCoreConfProv.mof
    3⤵
    PID:2020
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\dscproxy.mof
    3⤵
    - Drops file in System32 directory
    PID:4300
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\DscTimer.mof
    3⤵
    PID:4816
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\dsprov.mof
    3⤵
    - Drops file in System32 directory
    PID:4632
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\eaimeapi.mof
    3⤵
    PID:4992
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\embeddedlockdownwmi.mof
    3⤵
    - Drops file in System32 directory
    PID:3724
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\embeddedlockdownwmi_Uninstall.mof
    3⤵
    PID:4160
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\EventTracingManagement.mof
    3⤵
    - Drops file in System32 directory
    PID:5104
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\fdPHost.mof
    3⤵
    PID:4196
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\fdrespub.mof
    3⤵
    PID:624
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\fdSSDP.mof
    3⤵
    PID:3268
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\fdWNet.mof
    3⤵
    PID:2480
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\fdWSD.mof
    3⤵
    PID:1180
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\filetrace.mof
    3⤵
    PID:2056
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\firewallapi.mof
    3⤵
    PID:1580
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\FolderRedirectionWMIProvider.mof
    3⤵
    - Drops file in System32 directory
    PID:1116
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\FunDisc.mof
    3⤵
    PID:3948
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\fwcfg.mof
    3⤵
    PID:2384
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\hbaapi.mof
    3⤵
    - Drops file in System32 directory
    PID:2664
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\hnetcfg.mof
    3⤵
    PID:3640
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\IMAPIv2-Base.mof
    3⤵
    PID:716
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\IMAPIv2-FileSystemSupport.mof
    3⤵
    PID:4548
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\IMAPIv2-LegacyShim.mof
    3⤵
    PID:588
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\interop.mof
    3⤵
    PID:4796
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\IpmiDTrc.mof
    3⤵
    PID:4848
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\ipmiprv.mof
    3⤵
    PID:4952
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\IpmiPTrc.mof
    3⤵
    PID:3104
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\ipsecsvc.mof
    3⤵
    PID:1652
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\iscsidsc.mof
    3⤵
    - Drops file in System32 directory
    PID:2740
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\iscsihba.mof
    3⤵
    - Drops file in System32 directory
    PID:2092
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\iscsiprf.mof
    3⤵
    PID:1380
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\iscsirem.mof
    3⤵
    PID:4312
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\iscsiwmiv2.mof
    3⤵
    - Drops file in System32 directory
    PID:1776
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\iscsiwmiv2_uninstall.mof
    3⤵
    PID:4884
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\kerberos.mof
    3⤵
    - Drops file in System32 directory
    PID:2220
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\krnlprov.mof
    3⤵
    - Drops file in System32 directory
    PID:396
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\L2SecHC.mof
    3⤵
    - Drops file in System32 directory
    PID:696
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\lltdio.mof
    3⤵
    PID:4196
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\lltdsvc.mof
    3⤵
    PID:624
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\lsasrv.mof
    3⤵
    PID:3268
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\mblctr.mof
    3⤵
    PID:2480
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\MDMAppProv.mof
    3⤵
    PID:1180
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\MDMAppProv_Uninstall.mof
    3⤵
    PID:3400
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\MDMSettingsProv.mof
    3⤵
    - Drops file in System32 directory
    PID:4564
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\MDMSettingsProv_Uninstall.mof
    3⤵
    - Drops file in System32 directory
    PID:3828
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\Microsoft-Windows-OfflineFiles.mof
    3⤵
    PID:3308
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\Microsoft-Windows-Remote-FileSystem.mof
    3⤵
    PID:4204
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi.mof
    3⤵
    - Drops file in System32 directory
    PID:1964
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\Microsoft.Uev.ManagedAgentWmi.mof
    3⤵
    PID:1852
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\Microsoft.Uev.ManagedAgentWmiUninstall.mof
    3⤵
    PID:8
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\mispace.mof
    3⤵
    PID:3068
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\mispace_uninstall.mof
    3⤵
    PID:3100
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\mmc.mof
    3⤵
    PID:2696
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\mountmgr.mof
    3⤵
    PID:3444
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\mpeval.mof
    3⤵
    - Drops file in System32 directory
    PID:4920
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\mpsdrv.mof
    3⤵
    PID:3336
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\mpssvc.mof
    3⤵
    PID:4240
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\MsDtcWmi.mof
    3⤵
    PID:4300
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\msfeeds.mof
    3⤵
    PID:2088
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\msfeedsbs.mof
    3⤵
    PID:4592
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\msi.mof
    3⤵
    - Drops file in System32 directory
    PID:1924
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\msiscsi.mof
    3⤵
    PID:4720
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\MsNetImPlatform.mof
    3⤵
    - Drops file in System32 directory
    PID:1996
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\mstsc.mof
    3⤵
    PID:4844
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\mstscax.mof
    3⤵
    - Drops file in System32 directory
    PID:3648
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\msv1_0.mof
    3⤵
    PID:3736
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\mswmdm.mof
    3⤵
    PID:4348
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\ncprov.mof
    3⤵
    PID:2356
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\ncsi.mof
    3⤵
    PID:2480
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\ndistrace.mof
    3⤵
    - Drops file in System32 directory
    PID:4900
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\NetAdapterCim.mof
    3⤵
    PID:1480
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\NetAdapterCimTrace.mof
    3⤵
    PID:1420
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\NetAdapterCimTraceUninstall.mof
    3⤵
    PID:3948
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\NetAdapterCim_uninstall.mof
    3⤵
    PID:1512
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\netdacim.mof
    3⤵
    - Drops file in System32 directory
    PID:2664
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\netdacim_uninstall.mof
    3⤵
    PID:2116
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\NetEventPacketCapture.mof
    3⤵
    - Drops file in System32 directory
    PID:4792
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\NetEventPacketCapture_uninstall.mof
    3⤵
    PID:2400
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\netnccim.mof
    3⤵
    PID:4796
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\netnccim_uninstall.mof
    3⤵
    PID:548
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\NetPeerDistCim.mof
    3⤵
    - Drops file in System32 directory
    PID:2212
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\NetPeerDistCim_uninstall.mof
    3⤵
    PID:2720
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\netprofm.mof
    3⤵
    PID:3236
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\NetSwitchTeam.mof
    3⤵
    PID:1880
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\NetTCPIP.mof
    3⤵
    - Drops file in System32 directory
    PID:5056
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\NetTCPIP_Uninstall.mof
    3⤵
    PID:3852
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\netttcim.mof
    3⤵
    - Drops file in System32 directory
    PID:1920
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\netttcim_uninstall.mof
    3⤵
    PID:3856
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\networkitemfactory.mof
    3⤵
    PID:1600
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\newdev.mof
    3⤵
    PID:3724
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\nlasvc.mof
    3⤵
    PID:2156
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\nlmcim.mof
    3⤵
    - Drops file in System32 directory
    PID:4460
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\nlmcim_uninstall.mof
    3⤵
    PID:4968
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\nlsvc.mof
    3⤵
    - Drops file in System32 directory
    PID:3648
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\npivwmi.mof
    3⤵
    PID:3736
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\nshipsec.mof
    3⤵
    PID:2676
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\ntevt.mof
    3⤵
    PID:2356
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\ntfs.mof
    3⤵
    PID:228
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\OfflineFilesConfigurationWmiProvider.mof
    3⤵
    - Drops file in System32 directory
    PID:4900
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\OfflineFilesConfigurationWmiProvider_Uninstall.mof
    3⤵
    PID:1480
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\OfflineFilesWmiProvider.mof
    3⤵
    PID:1608
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\OfflineFilesWmiProvider_Uninstall.mof
    3⤵
    PID:3948
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\p2p-mesh.mof
    3⤵
    PID:1512
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\p2p-pnrp.mof
    3⤵
    PID:836
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\pcsvDevice.mof
    3⤵
    PID:2116
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\pcsvDevice_Uninstall.mof
    3⤵
    PID:3512
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\PNPXAssoc.mof
    3⤵
    PID:3740
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\PolicMan.mof
    3⤵
    PID:1424
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\polproc.mof
    3⤵
    PID:5060
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\polprocl.mof
    3⤵
    PID:2268
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\polprou.mof
    3⤵
    PID:3104
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\polstore.mof
    3⤵
    PID:2644
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\portabledeviceapi.mof
    3⤵
    PID:1472
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\portabledeviceclassextension.mof
    3⤵
    PID:4528
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\portabledeviceconnectapi.mof
    3⤵
    PID:4088
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\portabledevicetypes.mof
    3⤵
    PID:1380
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\portabledevicewiacompat.mof
    3⤵
    PID:4340
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\powermeterprovider.mof
    3⤵
    PID:2416
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\PowerPolicyProvider.mof
    3⤵
    - Drops file in System32 directory
    PID:4804
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\ppcRsopCompSchema.mof
    3⤵
    PID:2156
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\ppcRsopUserSchema.mof
    3⤵
    - Drops file in System32 directory
    PID:4460
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\PrintFilterPipelineSvc.mof
    3⤵
    PID:3476
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\PrintManagementProvider.mof
    3⤵
    - Drops file in System32 directory
    PID:3648
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\profileassociationprovider.mof
    3⤵
    - Drops file in System32 directory
    PID:3736
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\PS_MMAgent.mof
    3⤵
    PID:4308
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\qmgr.mof
    3⤵
    PID:2356
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\qoswmi.mof
    3⤵
    - Drops file in System32 directory
    PID:228
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\qoswmitrc.mof
    3⤵
    - Drops file in System32 directory
    PID:4900
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\qoswmitrc_uninstall.mof
    3⤵
    PID:4444
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\qoswmi_uninstall.mof
    3⤵
    PID:1420
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\RacWmiProv.mof
    3⤵
    PID:4840
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\rdpendp.mof
    3⤵
    - Drops file in System32 directory
    PID:1632
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\rdpinit.mof
    3⤵
    - Drops file in System32 directory
    PID:4836
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\rdpshell.mof
    3⤵
    - Drops file in System32 directory
    PID:2116
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\refs.mof
    3⤵
    PID:5000
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\refsv1.mof
    3⤵
    - Drops file in System32 directory
    PID:2608
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\regevent.mof
    3⤵
    PID:3672
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\Remove.Microsoft.AppV.AppvClientWmi.mof
    3⤵
    PID:3488
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\rsop.mof
    3⤵
    - Drops file in System32 directory
    PID:336
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\rspndr.mof
    3⤵
    PID:552
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\samsrv.mof
    3⤵
    PID:2092
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\scersop.mof
    3⤵
    - Drops file in System32 directory
    PID:1548
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\schannel.mof
    3⤵
    PID:4816
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\SchedProv.mof
    3⤵
    - Drops file in System32 directory
    PID:2924
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\scm.mof
    3⤵
    PID:3792
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\scrcons.mof
    3⤵
    - Drops file in System32 directory
    PID:2220
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\sdbus.mof
    3⤵
    PID:4160
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\secrcw32.mof
    3⤵
    PID:2312
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\SensorsClassExtension.mof
    3⤵
    PID:3432
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\ServiceModel.mof
    3⤵
    - Drops file in System32 directory
    PID:4348
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\ServiceModel35.mof
    3⤵
    PID:3904
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\services.mof
    3⤵
    PID:2324
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\setupapi.mof
    3⤵
    PID:4860
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\SmbWitnessWmiv2Provider.mof
    3⤵
    PID:4212
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\smbwmiv2.mof
    3⤵
    PID:1480
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\smtpcons.mof
    3⤵
    - Drops file in System32 directory
    PID:4524
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\sppwmi.mof
    3⤵
    PID:1608
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\sr.mof
    3⤵
    PID:3948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4240,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=1300 /prefetch:8
1⤵
PID:1880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4432
- C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T /R
  2⤵
  PID:4348

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
1⤵
PID:2608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4892,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=3992 /prefetch:8
1⤵
PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\perfc007.dat

Filesize
142KB

MD5
1bd26a75846ce780d72b93caffac89f6

SHA1
ff89b7c5e8c46c6c2e52383849bbf008bd91d66e

SHA256
55b47d0f965800c179a78314b6489d02788a44fa2ce00f68b2d860440216927a

SHA512
4f5e14637e9e89700f1ee2d0e575d26d4f3d164d859487f1471bf4410dec6d0d7dbf552c6f791c12388be035c6b974610cda8882c6394438e2220b79e4d74e9e

Download Submit
C:\Windows\System32\perfc00A.dat

Filesize
147KB

MD5
6d4b430c2abf0ec4ca1909e6e2f097db

SHA1
97c330923a6380fe8ea8e440ce2c568594d3fff7

SHA256
44f8db37f14c399ea27550fa89787add9bfd916ffb0056c37f5908b2bac7723e

SHA512
cf28046fb6ab040d0527d7c89870983c02a110e9fe0ecf276395f080a3bd5745b920a79b3ce3bb820d7a5a878c0d13c37f67f4b5097245c5b93ca1111c1e830b

Download Submit
C:\Windows\System32\perfc00C.dat

Filesize
141KB

MD5
6adbb878124fcd6561655718f12bff5f

SHA1
1711619dda04178fb47eea6658da6ad52f6cf660

SHA256
0b16ac631d596f85f0062dbe5da238c0745bd4c033207cba2508465c7c7983cf

SHA512
88ec8b3c4670970900ef8fdaf0865e24a5bbc9c0ca375eb6ce12e8d8a3ec08c8a45dfc8ae3c7f4ff1974d5e4b53e0905c5dffadb852e730eb8097a22cd750006

Download Submit
C:\Windows\System32\perfc010.dat

Filesize
138KB

MD5
c0a264734479700068f6e00ef4fd4aa7

SHA1
4e1a8c6a53ea9b54eb76f12d99b1327137a47ebd

SHA256
71c5a18d082651484ae96e93f127bac9ac217513976b7e98eeb2b879d643b735

SHA512
85ff44333fc4d47b02cdbc8c665c0bace22a19961e40419227976333ec1384ef8779232d241a9e3b54d988117b84c436f695f0be80dd109ede60fed919ee5fca

Download Submit
C:\Windows\System32\perfc011.dat

Filesize
125KB

MD5
eef14d868d4e0c2354c345abc4902445

SHA1
173c39e29dbe6dfd5044f5f788fa4e7618d68d4d

SHA256
9f32176066529c5699d45728fcad1bccce41d19dded4649b49cb24f7eef9ce7f

SHA512
c926f13a0fc900dd7d740e2d7d33cdd1902ece0bfb44b6e1f5fed6ffd348c3e7d71089fb9792e38799e8df6573bc09e67bbe132cf9c2ae0a7199534dc5d959ee

Download Submit
C:\Windows\System32\perfh007.dat

Filesize
710KB

MD5
82d7f8765db25b313ecf436572dbe840

SHA1
da9ed48d5386a1133f878b3e00988cbf4cdebab8

SHA256
3053aa67e9cb37cd6f9645ef3bec8d43b1863afd852d3860ea73fcd83c7010c3

SHA512
59766b408b548dc020b54c79a426b361112c33c7263c16ca2e69485dadca05fb4c63b6433063e77c6a9e28a43ec6d3c8206ea702a33b79151fa6309d83b316a8

Download Submit
C:\Windows\System32\perfh009.dat

Filesize
680KB

MD5
407f4fed9a4510646f33a2869a184de8

SHA1
e2e622f36b28057bbfbaee754ab6abac2de04778

SHA256
64a9d789cc9e0155153067c4354e1fc8baf3aa319fa870a2047482450811f615

SHA512
1d420ea7ac787df81bbc1534e8fac89227f54fffff70c08c6d2da385762e6c5766448ab4a47aae1c5cbc671776522b6fb6d9c27870b505ae101462bce912867e

Download Submit
C:\Windows\System32\perfh00A.dat

Filesize
754KB

MD5
4e62108a0d4a00aa39624f4f941d2595

SHA1
7fbff1d3ac293c715a303ac37da0ceb12591028b

SHA256
3df3adaa8bd1ec4dd99bf304c7a1b0d513097fbeb8648efad4b127c5522c3263

SHA512
c79a483e4012d8c97f4a2188fdc27ea04bae24993b12487551872f1413a1a0884197dc71d13ba1dfd32c9b2c93089761f6f3ec37f0bb19e209dbf19283462126

Download Submit
C:\Windows\System32\perfh00C.dat

Filesize
758KB

MD5
b87c7ea0e738fc61eb32a94fbd6c6775

SHA1
0e730aa70900f623205b93cb1d6e11be4c0d51b5

SHA256
6cd8b09f644b22c39e02af26b57580baa0fbed01b682d158b29c676d17dac5c0

SHA512
4bad64af992b17a5700cf25ccfa299b2db5be846b8bc28233fa6987964994a34694eb53329ede8d04092298e4b16f06563e459692c210111e0420ee34468f23d

Download Submit
C:\Windows\System32\perfh010.dat

Filesize
747KB

MD5
77a299c7d27f4e4372cd6c1de0781586

SHA1
bb6bf16619da6d0acc30797cd10978bde64892fd

SHA256
6699946552b9d5ebe64d6854228984a773e413a345816a5597b7d7035d4c09bf

SHA512
21fa8fd59e56018a3d888aed054e4117b246a5ea4568c2df93334d7565d50a512b5fc2c66c09572f7d1363e5b65ddb34d0c072267be78b15681076d2380cf98b

Download Submit
C:\Windows\System32\perfh011.dat

Filesize
462KB

MD5
a8bc9760fe491ad0305212839f5caaaf

SHA1
e5aa69598284bc55ef94adcf3745053650179f42

SHA256
6de2fdef2860e6e37cab23fa1785182c47955bc525c6e43f5b6887962ec7da8b

SHA512
4e19385e847d0f2de2d66979272a32bdb159c34319f45e7a497672904f20e52fa288778a7a5d1500b43abaeaea5f9f3cfda805895cf94442e5bd4d92d8751f13

Download Submit
C:\Windows\System32\wbem\Performance\WmiApRpl.h

Filesize
435B

MD5
1cc4c3b9bb1657be77939f0b565e315d

SHA1
6a7ff123e96da6f7fb0fd9b7d7600bfc3540ee25

SHA256
9eb3cbb0f65809845890159efdab0ff5a910da34252e7d5cff2929cc2fa6ab6a

SHA512
fd461013902cf1f89485efc1cbdd07bc294253a1b60d9950e27cdb12937cbb39e3491ddb5dfdc4386df87fa44ee4ca9b3be01d7048850337ff9d68156eea78ef

Download Submit
C:\Windows\System32\wbem\Performance\WmiApRpl.ini

Filesize
1KB

MD5
a656a56b1fda4aa28383160ba6ebea3b

SHA1
bda09bb6f5f28f5470147113e93d46a02853dfe1

SHA256
639cf8acd1fe25a19b9841c9262b4227fcc33bb6658919d31b10ab849253b318

SHA512
fbc74c738bbebb6265688ebec7a6bce18f5a59e98a5417701e5565d5c6e1f8c350da000005fc7441f8a4622043d4a8fd62efe54308cfa59f4ce9ed027dadebae

Download Submit