Analysis Overview
SHA256
4ee85019c1ae4d1abf8ea1908f635339d0a4af88ba185dc30e1104e68c7c902e
Threat Level: Known bad
The file cleaners.zip was found to be: Known bad.
Malicious Activity Summary
Disables service(s)
Cerber
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Server Software Component: Terminal Services DLL
Stops running service(s)
Themida packer
Checks BIOS information in registry
Event Triggered Execution: Component Object Model Hijacking
Checks whether UAC is enabled
Drops file in System32 directory
Checks system information in the registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Launches sc.exe
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Runs net.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Kills process with taskkill
Suspicious use of WriteProcessMemory
Suspicious behavior: LoadsDriver
Uses Volume Shadow Copy WMI provider
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-20 12:33
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 12:33
Reported
2024-06-20 13:03
Platform
win10v2004-20240611-en
Max time kernel
1790s
Max time network
1177s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion = 65004f00630048005300200020002d002000380000000000 | C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe | N/A |
Checks system information in the registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "1573b5ad-3cdfe7d8-9" | C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "5de981ee-af27e724-0" | C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer | C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion | C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier | C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion | C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
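The signature tables above mix three different things under similar-looking registry paths: anti-VM probes (the ACPI `VBOX__` key), hardware fingerprinting (reads under `HARDWARE\DESCRIPTION`), and, more importantly, writes to `SystemBiosVersion` and `DiskPeripheral\0\Identifier`. `HKLM\HARDWARE` is a volatile hive the kernel rebuilds at boot from firmware and PnP enumeration, so a user-mode process writing those values is overwriting the machine's hardware identity, which is what a hardware-ID spoofer does. The `Set value (data)` row shows the raw REG_BINARY hex; decoded as UTF-16LE it is a short fake BIOS version string. The following is an added example, not part of the report or the sandbox vendor's tooling: it decodes that hex and classifies the rows copied from the tables above. The VM marker strings and the category rules are my assumptions.

```python
"""Classify the registry operations recorded in the sandbox signature tables.

Added example: rows below are copied from the report's tables; the
classification rules and VM marker list are assumptions, not report data.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# (description, indicator) pairs copied from the signature tables above.
REPORT_ROWS = [
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    ("Set value (data)", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion = 65004f00630048005300200020002d002000380000000000"),
    ("Set value (str)", r'\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "1573b5ad-3cdfe7d8-9"'),
    ("Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"),
]

# Assumed: substrings that identify a hypervisor in ACPI/BIOS key names.
VM_MARKERS = ("VBOX__", "VMWARE", "QEMU", "XEN", "VIRTUAL")
HARDWARE_HIVE = "\\REGISTRY\\MACHINE\\HARDWARE\\"
HW_DESCRIPTION = HARDWARE_HIVE + "DESCRIPTION\\"


@dataclass
class Finding:
    category: str
    key: str
    value: Optional[str]


def decode_multi_sz(hex_data: str) -> list[str]:
    """Decode REG_BINARY hex as a UTF-16LE REG_MULTI_SZ (NUL-separated strings,
    double-NUL terminated), dropping the empty terminators."""
    text = bytes.fromhex(hex_data).decode("utf-16-le")
    return [s for s in text.split("\x00") if s]


def classify(description: str, indicator: str) -> Finding:
    """Map one signature row to a triage category and a decoded value."""
    key, _, data = indicator.partition(" = ")
    upper = key.upper()

    if description.startswith("Set value"):
        # (data) rows carry hex; (str) rows carry a quoted string.
        if description == "Set value (data)":
            value = "|".join(decode_multi_sz(data))
        else:
            value = data.strip('"')
        # Writes into the volatile HARDWARE hive are identity tampering, not config.
        if upper.startswith(HARDWARE_HIVE):
            return Finding("hwid-tamper", key, value)
        return Finding("registry-write", key, value)

    if any(marker in upper for marker in VM_MARKERS):
        return Finding("anti-vm", key, None)
    if upper.endswith("\\ENABLELUA"):
        return Finding("uac-check", key, None)
    if upper.startswith(HW_DESCRIPTION.upper()):
        return Finding("hw-fingerprint", key, None)
    return Finding("other", key, None)


def summarize(rows=REPORT_ROWS) -> dict[str, list[Finding]]:
    """Group findings by category so the spoofing writes stand out from the reads."""
    grouped: dict[str, list[Finding]] = {}
    for description, indicator in rows:
        finding = classify(description, indicator)
        grouped.setdefault(finding.category, []).append(finding)
    return grouped


if __name__ == "__main__":
    for category, findings in summarize().items():
        print(category)
        for f in findings:
            print(f"  {f.key}" + (f"  ->  {f.value!r}" if f.value else ""))
```

Run as a script it prints the two `hwid-tamper` writes with their decoded values, which is the line a responder should quote: the sample is not reading the BIOS version to fingerprint the host, it is replacing it.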
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe
"C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Battle.net.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start https://applecheats.cc
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://applecheats.cc/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8db4546f8,0x7ff8db454708,0x7ff8db454718
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pause
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,3765862282093897721,10411569270882220389,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2016 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,3765862282093897721,10411569270882220389,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,3765862282093897721,10411569270882220389,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,3765862282093897721,10411569270882220389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,3765862282093897721,10411569270882220389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,3765862282093897721,10411569270882220389,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,3765862282093897721,10411569270882220389,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,3765862282093897721,10411569270882220389,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4252 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,3765862282093897721,10411569270882220389,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4316 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,3765862282093897721,10411569270882220389,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,3765862282093897721,10411569270882220389,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,3765862282093897721,10411569270882220389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,3765862282093897721,10411569270882220389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,3765862282093897721,10411569270882220389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,3765862282093897721,10411569270882220389,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6664 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,3765862282093897721,10411569270882220389,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6664 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,3765862282093897721,10411569270882220389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6756 /prefetch:1
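The process listing above follows the report's two-line convention (image path, then the command line that started it) and most of it is Edge's own child processes. The facts worth extracting are the `taskkill /f /im` targets, the URL handed to `start`, any image executing from a user-writable directory, and the `.sys` file that `cmd` is pointed at in the behavioral7 run below. The following is an added example, not part of the report: it parses a listing copied from this report's Processes sections (behavioral2 and behavioral7, trimmed) and returns those facts. The regular expressions and the "user-writable" path rule are my assumptions.

```python
"""Parse a sandbox "Processes" listing and pull out first-pass triage facts.

Added example. The listing below is copied from this report's Processes
sections (behavioral2 and behavioral7) and trimmed; the patterns are assumptions.
"""
from __future__ import annotations

import re

PROCESS_LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe
"C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Battle.net.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start https://applecheats.cc
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://applecheats.cc/
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\spoofers\gsoftgmx64.sys
C:\Users\Admin\AppData\Local\Temp\spoofers\gsoftgmx64.sys
C:\Users\Admin\AppData\Local\Temp\spoofers\gsoftgmx64.sys
"""

# Assumed patterns; adjust for other report formats.
TASKKILL = re.compile(r"taskkill\s+(?:/\w+\s+)*?/im\s+(\S+)", re.I)
START_URL = re.compile(r"\bstart\s+(https?://\S+)", re.I)
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.I)
SYS_ARG = re.compile(r"(\S+\.sys)\b", re.I)


def parse_listing(text: str) -> list[tuple[str, str]]:
    """Pair each image path with the command line printed on the next line."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    return [(lines[i], lines[i + 1]) for i in range(0, len(lines) - 1, 2)]


def _unique(items: list[str]) -> list[str]:
    """Deduplicate while keeping first-seen order (cmd and taskkill repeat the target)."""
    return list(dict.fromkeys(items))


def triage(listing: str) -> dict[str, list[str]]:
    killed, urls, user_images, sys_files = [], [], [], []
    for image, cmdline in parse_listing(listing):
        if m := TASKKILL.search(cmdline):
            killed.append(m.group(1))
        if m := START_URL.search(cmdline):
            urls.append(m.group(1))
        if USER_WRITABLE.search(image):
            user_images.append(image)
        # A .sys path handed to cmd.exe: the report records the driver file as
        # the launched image, so record the path for follow-up (signature check,
        # service creation events) rather than guessing what cmd did with it.
        if image.lower().endswith("cmd.exe") and (m := SYS_ARG.search(cmdline)):
            sys_files.append(m.group(1))
    return {
        "killed": _unique(killed),
        "urls": _unique(urls),
        "user_writable_images": _unique(user_images),
        "driver_files_launched": _unique(sys_files),
    }


if __name__ == "__main__":
    for label, values in triage(PROCESS_LISTING).items():
        print(label)
        for v in values:
            print("  " + v)
```

The kill list (game launchers and an anti-cheat-protected game client) together with the `start https://applecheats.cc` launch and the `spoofers\` directory is what ties this sample to a cheat/HWID-spoofer kit rather than to the "Cerber" family tag in the summary; the tag should be treated as a low-confidence match until the static signature that produced it is reviewed.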
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | applecheats.cc | udp |
| US | 172.67.198.40:443 | applecheats.cc | tcp |
| US | 172.67.198.40:443 | applecheats.cc | tcp |
| US | 8.8.8.8:53 | a.nel.cloudflare.com | udp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | tcp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | udp |
| US | 8.8.8.8:53 | challenges.cloudflare.com | udp |
| US | 8.8.8.8:53 | 40.198.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.80.190.35.in-addr.arpa | udp |
| US | 104.17.2.184:443 | challenges.cloudflare.com | tcp |
| US | 104.17.2.184:443 | challenges.cloudflare.com | tcp |
| US | 8.8.8.8:53 | 184.2.17.104.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 202.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | resources.guild-hosting.net | udp |
| US | 172.67.198.40:443 | applecheats.cc | tcp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 52.111.227.11:443 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.117.168.52.in-addr.arpa | udp |
Files
memory/1336-0-0x00007FF614AB0000-0x00007FF615452000-memory.dmp
memory/1336-1-0x00007FF8FA9F0000-0x00007FF8FA9F2000-memory.dmp
memory/1336-3-0x00007FF614AB0000-0x00007FF615452000-memory.dmp
memory/1336-4-0x00007FF614AB0000-0x00007FF615452000-memory.dmp
memory/1336-2-0x00007FF614AB0000-0x00007FF615452000-memory.dmp
memory/1336-5-0x00007FF614AB0000-0x00007FF615452000-memory.dmp
memory/1336-6-0x00007FF614AB0000-0x00007FF615452000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | c39b3aa574c0c938c80eb263bb450311 |
| SHA1 | f4d11275b63f4f906be7a55ec6ca050c62c18c88 |
| SHA256 | 66f8d413a30451055d4b6fa40e007197a4bb93a66a28ca4112967ec417ffab6c |
| SHA512 | eeca2e21cd4d66835beb9812e26344c8695584253af397b06f378536ca797c3906a670ed239631729c96ebb93acfb16327cf58d517e83fb8923881c5fdb6d232 |
\??\pipe\LOCAL\crashpad_3156_WBGBQWUMDFYZQMXQ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | dabfafd78687947a9de64dd5b776d25f |
| SHA1 | 16084c74980dbad713f9d332091985808b436dea |
| SHA256 | c7658f407cbe799282ef202e78319e489ed4e48e23f6d056b505bc0d73e34201 |
| SHA512 | dae1de5245cd9b72117c430250aa2029eb8df1b85dc414ac50152d8eba4d100bcf0320ac18446f865dc96949f8b06a5b9e7a0c84f9c1b0eada318e80f99f9d2b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 810f3e9ca7f00d05cf3af8dfc8ea7b21 |
| SHA1 | 8727fa4029396f0affccf11d263c8b140dc94b2d |
| SHA256 | 35ecbdcb545cfce6eb758908432bec5c0dc27cc54c9fc8aed50e456d110831e7 |
| SHA512 | f7be55d3d8d7bbc5a7fb97ad0a2f2c5d1ce058a55452cf851ce70283e93d237bcb722180cf196bcd0b2d7341f9944a7a8503e3b0c5ac9fee1fdca3dcc55d5ce3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 871914c2c04433259e43eec8abe5a43e |
| SHA1 | 676bd5f9073a06f4bf02e3e30b1bbd85689c906a |
| SHA256 | e3bfa2df4317941ccc004033a885f311233a939c070d38fc2a9eb476928aadeb |
| SHA512 | 1384336ba135df0ed93d40ffce56352ddbe80ca5e6374f4eaa2ef44a02c9a4917899a7763254425049e79337256058470a539e094b787e9e53cab5ffd90ba1c6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
memory/1336-77-0x00007FF614AB0000-0x00007FF615452000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\c5dbdb8d-3eca-4520-bc8d-c265bb097312.tmp
| MD5 | 67fac31b95835ed4c88762cb54b44172 |
| SHA1 | 39657c91da16505d3312b35b4672aafbb4eb100a |
| SHA256 | 6917e2d6e858f2a9292efacd4293b65a6d6bd8c988aba16e845570da21620a7b |
| SHA512 | 34d083e32da23a0737d534ca67f7a2bae2b965c2691ec00a5083cd06052abcf2bb98ed72113a9c4c4f5e95913801ec3c6b12987f9f4e245ddefc5076cea3d921 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | c3c6c55b90a74d2d1ce87304816ac7e2 |
| SHA1 | 49877172b46e5b796f2fb1a51acf6ebe5c347257 |
| SHA256 | 7d35ab3d82ef4a9eb2e5f3da4c56d4dc303900c5c7a42413c42be17bb9214dee |
| SHA512 | a832e9f21fc775e1bba68b5b15a4ff64bc6b1ef7617ea6722195e4688bb36e88717d73aff8587f0aa9a773d225b6dac0aa766daff2503578e87ce9e6433b2118 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | d39ec6f2f159e5d8ebf5008c310913ea |
| SHA1 | 22a26d6e9254d5140746916e509fbe815c6310c1 |
| SHA256 | 14d1f6a54464abca29748baceb27de202e3cf7e5b5763d2e21181f86d8a00d61 |
| SHA512 | 08b4cc00a2c201e49a1e62b630b71f43012e281f71ee7a68cdf00609c90c91b728cf79d11e290706a5d3ca348952360598f6495c7209184522ee6ddd3a0f0410 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f47de81b-e9c7-4168-afc0-49e5327307eb.tmp
| MD5 | b36f9c2a4a113b68b3e389b34292ed30 |
| SHA1 | 40c8b8fa7a25ecf468243b23beb2e8efbcf4fa61 |
| SHA256 | 87c2c4121a9b2fed50d809b63b222c4311adde0d731b2957b40c66065743b966 |
| SHA512 | b1dbfc12b5b5d1e5d7a79494cbd465ee0e8d26335d2aff0b110fd631e69ef260799d134bbc163696d86c670be492d69dae086493e5bd2b7e3b78902086e17cfe |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-20 12:33
Reported
2024-06-20 13:03
Platform
win10v2004-20240508-en
Max time kernel
454s
Max time network
1176s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe
"C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-20 12:33
Reported
2024-06-20 13:03
Platform
win10v2004-20240611-en
Max time kernel
1680s
Max time network
1174s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\spoofers\gsoftgmx64.sys
C:\Users\Admin\AppData\Local\Temp\spoofers\gsoftgmx64.sys
C:\Users\Admin\AppData\Local\Temp\spoofers\gsoftgmx64.sys
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
Files
memory/5104-0-0x0000000000010000-0x0000000000017000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-20 12:33
Reported
2024-06-20 13:03
Platform
win10v2004-20240611-en
Max time kernel
1794s
Max time network
1804s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\spoofers\serial_checker.bat"
C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get model, serialnumber
C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get serialnumber
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get serialnumber
C:\Windows\System32\Wbem\WMIC.exe
wmic baseboard get serialnumber
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_computersystemproduct get uuid
C:\Windows\system32\getmac.exe
getmac
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4064,i,3595107284059830391,18018199024659337217,262144 --variations-seed-version --mojo-platform-channel-handle=4308 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1312,i,3595107284059830391,18018199024659337217,262144 --variations-seed-version --mojo-platform-channel-handle=1292 /prefetch:8
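Two things in this run are worth reading correctly. In the AdjustPrivilegeToken table, Token: 33 to 36 are privilege LUIDs the sandbox did not resolve to names; in winnt.h they are SeIncreaseWorkingSetPrivilege (33), SeTimeZonePrivilege (34), SeCreateSymbolicLinkPrivilege (35) and SeDelegateSessionUserImpersonatePrivilege (36). The same block of privileges repeats for every WMIC.exe instance regardless of the query it ran, so those rows describe WMIC's own startup behaviour, not the batch file. The signal is the process tree: cmd.exe running spoofers\serial_checker.bat and, from it, five WMIC queries and getmac that together read the disk, CPU, BIOS and baseboard serial numbers, the SMBIOS UUID and the MAC addresses, the full set of identifiers an HWID spoofer needs to read before and after altering them. The Python below is an added example, not code from the sandbox or from the sample; it runs that chain as a detection over constructed process-creation events (Sysmon event 1 style fields, names assumed) and alerts when one parent reads three or more distinct identifiers inside a minute, so a lone `wmic bios get serialnumber` from an inventory agent stays quiet.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Identifier reads seen in this report: five WMIC queries plus getmac.
# The category names on the left are labels chosen for this example.
HWID_QUERIES = {
    "disk_serial":      re.compile(r"\bwmic\b.*\bdiskdrive\b.*\bserialnumber\b", re.I),
    "cpu_serial":       re.compile(r"\bwmic\b.*\bcpu\b.*\bserialnumber\b", re.I),
    "bios_serial":      re.compile(r"\bwmic\b.*\bbios\b.*\bserialnumber\b", re.I),
    "baseboard_serial": re.compile(r"\bwmic\b.*\bbaseboard\b.*\bserialnumber\b", re.I),
    "smbios_uuid":      re.compile(r"\bwmic\b.*\bwin32_computersystemproduct\b.*\buuid\b", re.I),
    "mac_address":      re.compile(r"(?:^|\\)getmac(?:\.exe)?\b", re.I),
}


def classify(cmdline):
    """Return the set of identifier categories one command line reads."""
    return {name for name, rx in HWID_QUERIES.items() if rx.search(cmdline)}


def detect_hwid_enumeration(events, min_categories=3, window=timedelta(seconds=60)):
    """One alert per parent PID whose children read >= min_categories distinct
    hardware identifiers inside `window`. A single query (inventory agents,
    installers) stays below the threshold and is not reported."""
    by_parent = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        cats = classify(ev["cmdline"])
        if cats:
            by_parent[ev["ppid"]].append((ev["ts"], cats, ev["cmdline"]))

    alerts = []
    for ppid, hits in by_parent.items():
        for i, (t0, _, _) in enumerate(hits):       # slide the window start
            seen, cmds = set(), []
            for t, cats, cl in hits[i:]:
                if t - t0 > window:
                    break
                seen |= cats
                cmds.append(cl)
            if len(seen) >= min_categories:
                alerts.append({"ppid": ppid, "categories": sorted(seen), "commands": cmds})
                break                               # one alert per parent
    return alerts


# Constructed process-creation events (Sysmon event 1 style fields, names assumed)
# modelled on the behavioral2 process list; PIDs and timestamps are invented.
T0 = datetime(2024, 6, 20, 12, 40, 0)
WMIC = r"C:\Windows\System32\Wbem\WMIC.exe"


def _ev(sec, pid, ppid, image, cmdline):
    return {"ts": T0 + timedelta(seconds=sec), "pid": pid, "ppid": ppid,
            "image": image, "cmdline": cmdline}


SAMPLE_EVENTS = [
    _ev(0, 5000, 4000, r"C:\Windows\system32\cmd.exe",
        r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\spoofers\serial_checker.bat"'),
    _ev(1, 5001, 5000, WMIC, "wmic diskdrive get model, serialnumber"),
    _ev(2, 5002, 5000, WMIC, "wmic cpu get serialnumber"),
    _ev(3, 5003, 5000, WMIC, "wmic bios get serialnumber"),
    _ev(4, 5004, 5000, WMIC, "wmic baseboard get serialnumber"),
    _ev(5, 5005, 5000, WMIC, "wmic path win32_computersystemproduct get uuid"),
    _ev(6, 5006, 5000, r"C:\Windows\system32\getmac.exe", "getmac"),
    # control case (constructed): a lone query from an unrelated parent
    _ev(30, 6001, 6000, WMIC, "wmic bios get serialnumber"),
]

if __name__ == "__main__":
    for alert in detect_hwid_enumeration(SAMPLE_EVENTS):
        print(alert["ppid"], alert["categories"])
```

The threshold and window are the tuning knobs: three categories in sixty seconds catches a script like serial_checker.bat while leaving room for a single inventory query, and keying on the parent PID rather than on WMIC itself means a PowerShell or Python re-implementation of the same reads (Get-CimInstance, pywin32) only needs new patterns in the table, not new logic.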
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.73.50.20.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 12:33
Reported
2024-06-20 13:03
Platform
win10v2004-20240508-en
Max time kernel
1794s
Max time network
1803s
Command Line
Signatures
Cerber
Disables service(s)
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Winmgmt\Parameters\ServiceDll = "%SystemRoot%\\system32\\wbem\\WMIsvc.dll" | C:\Windows\system32\regsvr32.exe | N/A |
Stops running service(s)
Event Triggered Execution: Component Object Model Hijacking
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\wbem\AutoRecover\A9325A7FC13EE1821F6BC28637472FC3.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\76FC6ECE6E69615238BD782572B6AE9A.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\EDF3F610F6DA16B8F758D81ADD6764AC.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\AD0B790C2468A8DCF73E8E2925527653.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\03FA45E8AD14F8FCC81DC92CF18A9538.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\repository\MAPPING2.MAP | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\4D63DBC2E2F583689FBD5757DE239E05.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\38EE6C630467A006990C5977C3058C94.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\2572593894B364FF5F52C71028D4F15D.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\2E8F3CA90E51B47160C820C8A9D25C70.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\C9FFD7DEF039EF1D8845837409469B2F.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\CBD66ABF99AFFFA4375E215A3072C696.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\8A5665C9B434838A05B96BF322560FE8.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\perfc010.dat | C:\Windows\system32\regsvr32.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\D38FFA40EC29A055EB37EBD604093C62.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\8EE8FC83289049798EE5B66322A8DA45.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\90E799DE6A9A6DAC2AB6C559BB0ED353.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\0296C47314AB746EC35476488248FCD9.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\95045902E6CF7783C629F03A7958F5DC.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\C3A0BE17B37ACE48BE78B31580231AE9.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\perfh007.dat | C:\Windows\system32\regsvr32.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\21BD8E9B6A3575C7E6CFD05471F4DE86.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\97823DC673AD0F92AB9B83F4C177678B.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\DC999686F8B85B326CEDFA199DD07F72.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\repository | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\8C226ACD9934CF6AC0A2FED330FF195D.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\DF80FD3849FFF74B4BF43E2EA8ADEC8A.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\F01326692CC5736EBAC31B9FC2381CF2.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\4273CA093A54B161AE6A9FA019048CE8.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\0772EA28C9AD9F026AA9F29EE684B717.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\repository\WRITABLE.TST | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\AFFA4734C9FA7C4A3BDE5528A94427A4.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\C81ACF420917AA0F87487BC4D958BEB4.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\1C078F108857519908F320C9860EA9D8.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\A4E4450F82FCBDED5A110855857A16B9.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\D97D08E4902AC1BCF40C06435990ED69.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\repository\MAPPING3.MAP | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\75054C3771DF289038069A9BB1C1FB6E.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\80792982BF972E1BFD199DE5636C38C5.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\EC334120AAC576B5B016EFBD4CB50498.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\3E2C8A6A5EEECAC8DDDF4B502F3D3118.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\8636DC7F9479DACE6778109CB4FB4B01.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\FD38E89965714BC8838FE9C66DB5567D.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\844A429FB6680A32838047A6271F8CD9.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\45D6D48D4A97E9A81DFF8FF65D16E53D.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\FFA7CB08C2CC2CB2D3973F6214D0CCAF.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\FEDCF0C5E194376CBD64963452F9A8E1.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\perfh011.dat | C:\Windows\system32\regsvr32.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\2E4D1429BE1911C37755271D939627EF.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\77AF494807BB41A0B4B67AEEC51F85C6.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\40CD8A341670967C555998737DB91D5B.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\perfc009.dat | C:\Windows\system32\regsvr32.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\D0C5C729E970878A5B11C5AE54A0B179.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\DB3D8DB0C02C23250753E40A2A69CBE6.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\B16B0DDE7AC8EE97D6CF843A06985EFA.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\PerfStringBackup.TMP | C:\Windows\system32\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\repository\INDEX.BTR | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\CCBF2F68BDFF431067DD1663E0BB092D.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\57B0D59999DF0A672E8CDB1626320AC0.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\6FFF7467A5B40765D5740A413CA8BB8A.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\3DC0BABDCA20E5E319117C21BD4BD795.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File opened for modification | C:\Windows\system32\PerfStringBackup.INI | C:\Windows\system32\regsvr32.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\AD1621C948A4E41C8ABE8FC09AC11633.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\494C62FAA08CD5217399BAA555FF491B.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\inf\WmiApRpl\WmiApRpl.h | C:\Windows\system32\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\inf\WmiApRpl\WmiApRpl.h | C:\Windows\system32\regsvr32.exe | N/A |
| File created | C:\Windows\inf\WmiApRpl\WmiApRpl.ini | C:\Windows\system32\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\inf\WmiApRpl\WmiApRpl.ini | C:\Windows\system32\regsvr32.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WINMGMTS | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WINMGMTS.1 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\classes\CLSID\{4590F812-1D3A-11D0-891F-00AA004B2E24}\Implemented Categories\{00000003-0000-0000-C000-000000000046} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{55F7B88D-A254-4B22-B7BB-FCDBBA1AFA32}\TypeLib\ = "{0438D53A-9A57-423C-9E54-9612C4576257}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D215781D-019E-4FA0-903D-0CDCDE13A4F5}\DllSurrogate | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7C3453E-1F1C-48CD-AFE6-CFF2A937D337} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\VersionIndependentProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{04963311-C399-408E-AD51-05D01506EED0} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6963B029-B969-40AA-9180-2B2F84075973}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JobObjSecLimitInfoProv.JobObjSecLimitInfoProv\CurVer | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC} | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4950C79-806D-4ECE-9DB1-11B34D33F514}\Version | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7E9D3B9-E62B-4A90-8CC5-A3C5F662DA7B}\ = "ConfigurationProvider Class" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1CFABA8C-1523-11D1-AD79-00C04FD8FDFF} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{88F3781C-6902-4647-9A6B-A74F450AF861}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1BE41571-91DD-11D1-AEB2-00C04FB68820}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JobObjectProv.JobObjectProv.1\ = "Win32_JobObject Provider Component" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JobObjLimitInfoProv.JobObjLimitInfoProv\ = "Win32_JobObjectLimitInfo Component" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DCF33DF4-B510-439F-832A-16B6B514F2A7} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7D35CFA-348B-485E-B524-252725D697CA} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5A55D36-8750-432C-AB52-AD49A016EABC}\NotInsertable | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemDateTime\CurVer\ = "WbemScripting.SWbemDateTime.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{755F9DA6-7508-11D1-AD94-00C04FD8FDFF}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A571F412-E3D2-4A32-BF42-1D3B2203FF17} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WbemScripting.SWbemLocator | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C49E32C7-BC8B-11D2-85D4-00105A1F8304}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F0BC6AD-46D4-488B-BE1F-047FC7505E60}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{755F9DA7-7508-11D1-AD94-00C04FD8FDFF}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6B100E1A-1385-4D1F-A02E-6E705A76BB6C} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemDateTime.1\ = "WBEM Scripting DateTime 1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\classes\AppID\winmgmt | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\winmgmt | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266C72E5-62E8-11D1-AD89-00C04FD8FDFF}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{6E78DAD9-E187-4D6E-BA63-760256D6F405} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemNamedValueSet.1\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C19BE34-7500-11D1-AD94-00C04FD8FDFF} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A0DC377-A9D3-41CB-BD69-AE1FDAF2DC68}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41AA40E6-2FBA-4E80-ADE9-34306567206D} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1BE41571-91DD-11D1-AEB2-00C04FB68820}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4CFC7932-0F9D-4BEF-9C32-8EA2A6B56FCB}\NotInsertable | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{EB87E1BD-3233-11D2-AEC9-00C04FB68820} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{890CB943-D715-401B-98B1-CF82DCF36D7C} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WMICntl.WMISnapin\CurVer\ = "WMICntl.WMISnapin.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{1F0BC6AD-46D4-488B-BE1F-047FC7505E60} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemSink.1\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{47DFBE54-CF76-11D3-B38F-00105A1F473A} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2B322B6E-A9DF-44E3-97BF-259E3583FDA4}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F6C78EF-FCE5-42FA-ABEA-3E7DF91921DC}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EC231970-6AFD-4215-A72E-97242BB08680} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{75718C9A-F029-11D1-A1AC-00C04FB6C223}\InProcServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C2FEEEAC-CFCD-11D1-8B05-00600806D9B6}\Version | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5D08B586-343A-11D0-AD46-00C04FD8FDFF}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6919DD07-1637-4611-A8A7-C16FAC5B2D53}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4AF3F4A4-06C8-4B79-A523-633CC65CE297}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
Runs net.exe
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy WMI provider
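Three parts of this run give an EDR something firmer than the signature names to key on, and the process list that follows shows the command lines: taskkill /f against the Epic launcher and the EAC- and BE-protected Fortnite client (taskkill.exe enables SeDebugPrivilege on every run, so the thirteen SeDebugPrivilege rows above are not a signal by themselves; the target image names are), CupFixerx64.exe and CupFixerx32.EXE started from %TEMP% with a .sys path as their only argument, which together with the eight LoadsDriver entries is consistent with a user-mode loader handing a driver to the kernel, and cacls.exe run against the SYSTEM hive file. The regsvr32 and mofcomp activity (WINMGMTS and WbemScripting classes recreated, dozens of .mof files written to wbem\AutoRecover, winmgmt's ServiceDll rewritten to its stock path %SystemRoot%\system32\wbem\WMIsvc.dll) is consistent with the WMI repository being rebuilt rather than hijacked; the signature fires on the write, not on the value. The Python below is an added example, not code from the sandbox or from the sample; it evaluates constructed process-creation events modelled on the process list (field names assumed) against four rules, including a service-stop rule for the sc.exe and net.exe launches whose arguments the report does not record.

```python
import re
from collections import Counter

# Image names that protect or belong to a game client: the three killed in this
# report plus the Easy Anti-Cheat and BattlEye service executables. Extend per estate.
ANTICHEAT_IMAGE = re.compile(r"_EAC\.exe$|_BE\.exe$|EasyAntiCheat|BEService|epicgameslauncher", re.I)
TASKKILL_FORCE = re.compile(r"\btaskkill(?:\.exe)?\b(?=.*\s/f\b).*\s/im\s+(\S+)", re.I)
# Any argument that is a .sys path from a binary outside the OS directories.
SYS_ARG = re.compile(r'\s"?[^\s"]+\.sys"?(?:\s|$)', re.I)
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")
# cacls/icacls aimed at the registry hive files under config\.
HIVE_ACL = re.compile(r"\b(?:cacls|icacls)(?:\.exe)?\b.*\\config\\(?:system|sam|security|software)\b", re.I)
# sc.exe / net.exe stopping, reconfiguring or deleting a service. The verbs are an
# assumption: the report records these launches without their command lines.
SERVICE_STOP = re.compile(r'^\s*"?(?:[a-z]:\\[^"]*\\)?(?:sc|net)(?:\.exe)?"?\s+(?:stop|config|delete|pause)\b', re.I)


def evaluate(events):
    """Apply the four rules to process-creation events; one finding per rule hit."""
    findings = []
    for ev in events:
        cl, image, pid, ppid = ev["cmdline"], ev["image"], ev["pid"], ev["ppid"]
        m = TASKKILL_FORCE.search(cl)
        if m and ANTICHEAT_IMAGE.search(m.group(1)):
            findings.append({"rule": "kill_anticheat", "pid": pid, "ppid": ppid, "cmdline": cl})
        if SYS_ARG.search(cl) and not image.lower().startswith(TRUSTED_DIRS):
            findings.append({"rule": "sys_loader", "pid": pid, "ppid": ppid, "cmdline": cl})
        if HIVE_ACL.search(cl):
            findings.append({"rule": "hive_acl", "pid": pid, "ppid": ppid, "cmdline": cl})
        if SERVICE_STOP.search(cl):
            findings.append({"rule": "service_stop", "pid": pid, "ppid": ppid, "cmdline": cl})
    return findings


def by_rule(findings):
    """Count findings per rule, the summary a triage queue would show first."""
    return dict(Counter(f["rule"] for f in findings))


# Constructed events modelled on the behavioral1 process list (field names and
# PIDs assumed). Two entries are marked as invented controls.
SAMPLE_EVENTS = [
    {"pid": 2100, "ppid": 2000, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cleaners\cleaner.bat"},
    {"pid": 2101, "ppid": 2100, "image": r"C:\Windows\system32\cacls.exe",
     "cmdline": r'"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"'},
    {"pid": 2102, "ppid": 2100, "image": r"C:\Windows\system32\taskkill.exe",
     "cmdline": "taskkill /f /im epicgameslauncher.exe"},
    {"pid": 2103, "ppid": 2100, "image": r"C:\Windows\system32\taskkill.exe",
     "cmdline": "taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe"},
    {"pid": 2104, "ppid": 2100, "image": r"C:\Windows\system32\taskkill.exe",
     "cmdline": "taskkill /f /im FortniteClient-Win64-Shipping_BE.exe"},
    {"pid": 2105, "ppid": 2000, "image": r"C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe C:\Users\Admin\AppData\Local\Temp\spoofers\gsoftgmx64.sys"},
    # invented: the report shows net.exe running but not its arguments
    {"pid": 2106, "ppid": 2100, "image": r"C:\Windows\system32\net.exe",
     "cmdline": "net stop ExampleSvc"},
    # invented control: a non-forced kill of an unrelated process must not fire
    {"pid": 3001, "ppid": 3000, "image": r"C:\Windows\system32\taskkill.exe",
     "cmdline": "taskkill /im notepad.exe"},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f["rule"], f["pid"], f["cmdline"])
    print(by_rule(evaluate(SAMPLE_EVENTS)))
```

The sys_loader rule is the one to keep strict: a driver path handed to a binary in a user-writable directory is rare in legitimate software, whereas the same argument to an installer under Program Files is routine, which is why the rule checks the image path and not just the argument. Correlating the findings by parent PID (here 2100 for the cleaner.bat children, 2000 for the loader) turns four rule hits into one incident.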
Processes
C:\Users\Admin\AppData\Local\Temp\Spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\Spoofer.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4240,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=1300 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe
C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.sys
C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.EXE
C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.EXE C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.sys
C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe
C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe C:\Users\Admin\AppData\Local\Temp\spoofers\gsoftgmx64.sys
C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.EXE
C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.EXE C:\Users\Admin\AppData\Local\Temp\spoofers\gsoftgmx64.sys
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe
C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.sys
C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.EXE
C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.EXE C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.sys
C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe
C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe C:\Users\Admin\AppData\Local\Temp\spoofers\gsoftgmx64.sys
C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.EXE
C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.EXE C:\Users\Admin\AppData\Local\Temp\spoofers\gsoftgmx64.sys
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cleaners\cleaner.bat
C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
C:\Windows\system32\taskkill.exe
taskkill /f /im epicgameslauncher.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteLauncher.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im OneDrive.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im UnrealCEFSubProcess.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im CEFProcess.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im EasyAntiCheat.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im BEService.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im BEServices.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im BattleEye.exe
C:\Windows\system32\sc.exe
Sc stop EasyAntiCheat
C:\Windows\system32\sc.exe
Sc stop FortniteClient-Win64-Shipping_EAC
C:\Windows\system32\sc.exe
Sc stop BattleEye
C:\Windows\system32\sc.exe
Sc stop FortniteClient-Win64-Shipping_BE
C:\Windows\system32\sc.exe
sc config winmgmt start= disabled
C:\Windows\system32\net.exe
net stop winmgmt /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop winmgmt /y
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b *.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s appbackgroundtask.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s cimwin32.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s DMWmiBridgeProv.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s DMWmiBridgeProv1.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s dnsclientcim.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s dnsclientpsprovider.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s Dscpspluginwkr.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s dsprov.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s EmbeddedLockdownWmi.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s esscli.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s EventTracingManagement.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s fastprox.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s ipmiprr.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s ipmiprv.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s KrnlProv.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s MDMAppProv.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s MDMSettingsProv.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s Microsoft.AppV.AppVClientWmi.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s Microsoft.Uev.AgentWmi.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s MMFUtil.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s mofd.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s mofinstall.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s msdtcwmi.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s msiprov.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s NCProv.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s ndisimplatcim.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s NetAdapterCim.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s netdacim.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s NetEventPacketCapture.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s netnccim.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s NetPeerDistCim.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s netswitchteamcim.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s NetTCPIP.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s netttcim.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s nlmcim.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s ntevt.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s PolicMan.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s PrintManagementProvider.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s qoswmi.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s RacWmiProv.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s repdrvfs.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s schedprov.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s ServDeps.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s SMTPCons.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s stdprov.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s vdswmi.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s viewprov.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s vpnclientpsprovider.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s vsswmi.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wbemcntl.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wbemcons.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wbemcore.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wbemdisp.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wbemess.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wbemprox.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wbemsvc.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WdacWmiProv.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wfascim.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s Win32_EncryptableVolume.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s Win32_Tpm.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WinMgmtR.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WmiApRes.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WmiApRpl.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WMICOOKR.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WmiDcPrv.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wmipcima.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wmipdfs.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wmipdskq.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WmiPerfClass.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WmiPerfInst.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WMIPICMP.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WMIPIPRT.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WMIPJOBJ.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wmiprov.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WmiPrvSD.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WMIPSESS.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WMIsvc.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wmitimep.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wmiutils.dll
C:\Windows\System32\wbem\WmiPrvSE.exe
wmiprvse /regserver
C:\Windows\System32\wbem\WinMgmt.exe
winmgmt /regserver
C:\Windows\system32\sc.exe
sc config winmgmt start= auto
C:\Windows\system32\net.exe
net start winmgmt
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /s /b *.mof *.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\aeinv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AgentWmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AgentWmiUninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\appbackgroundtask.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\appbackgroundtask_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AuditRsop.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\authfwcfg.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\bcd.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\BthMtpEnum.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\cimdmtf.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\cimwin32.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\CIWmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\classlog.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\cli.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\cliegaliases.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ddp.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\dimsjob.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\dimsroam.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv1.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv1_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\dnsclientcim.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\dnsclientpsprovider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\dnsclientpsprovider_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\drvinst.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\DscCore.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\DscCoreConfProv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\dscproxy.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\DscTimer.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\dsprov.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\eaimeapi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\embeddedlockdownwmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\embeddedlockdownwmi_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\EventTracingManagement.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\fdPHost.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\fdrespub.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\fdSSDP.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\fdWNet.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\fdWSD.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\filetrace.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\firewallapi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\FolderRedirectionWMIProvider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\FunDisc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\fwcfg.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\hbaapi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\hnetcfg.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\IMAPIv2-Base.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\IMAPIv2-FileSystemSupport.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\IMAPIv2-LegacyShim.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\interop.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\IpmiDTrc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ipmiprv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\IpmiPTrc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ipsecsvc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\iscsidsc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\iscsihba.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\iscsiprf.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\iscsirem.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\iscsiwmiv2.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\iscsiwmiv2_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\kerberos.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\krnlprov.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\L2SecHC.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\lltdio.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\lltdsvc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\lsasrv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mblctr.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\MDMAppProv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\MDMAppProv_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\MDMSettingsProv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\MDMSettingsProv_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Microsoft-Windows-OfflineFiles.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Microsoft-Windows-Remote-FileSystem.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Microsoft.Uev.ManagedAgentWmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Microsoft.Uev.ManagedAgentWmiUninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mispace.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mispace_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mmc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mountmgr.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mpeval.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mpsdrv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mpssvc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\MsDtcWmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\msfeeds.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\msfeedsbs.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\msi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\msiscsi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\MsNetImPlatform.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mstsc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mstscax.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\msv1_0.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mswmdm.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ncprov.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ncsi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ndistrace.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetAdapterCim.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetAdapterCimTrace.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetAdapterCimTraceUninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetAdapterCim_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\netdacim.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\netdacim_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetEventPacketCapture.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetEventPacketCapture_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\netnccim.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\netnccim_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetPeerDistCim.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetPeerDistCim_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\netprofm.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetSwitchTeam.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetTCPIP.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetTCPIP_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\netttcim.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\netttcim_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\networkitemfactory.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\newdev.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\nlasvc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\nlmcim.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\nlmcim_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\nlsvc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\npivwmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\nshipsec.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ntevt.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ntfs.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\OfflineFilesConfigurationWmiProvider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\OfflineFilesConfigurationWmiProvider_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\OfflineFilesWmiProvider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\OfflineFilesWmiProvider_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\p2p-mesh.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\p2p-pnrp.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\pcsvDevice.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\pcsvDevice_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\PNPXAssoc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\PolicMan.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\polproc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\polprocl.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\polprou.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\polstore.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\portabledeviceapi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\portabledeviceclassextension.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\portabledeviceconnectapi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\portabledevicetypes.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\portabledevicewiacompat.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\powermeterprovider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\PowerPolicyProvider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ppcRsopCompSchema.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ppcRsopUserSchema.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\PrintFilterPipelineSvc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\PrintManagementProvider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\profileassociationprovider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\PS_MMAgent.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\qmgr.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\qoswmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\qoswmitrc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\qoswmitrc_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\qoswmi_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\RacWmiProv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\rdpendp.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\rdpinit.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\rdpshell.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\refs.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\refsv1.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\regevent.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Remove.Microsoft.AppV.AppvClientWmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\rsop.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\rspndr.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\samsrv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\scersop.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\schannel.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\SchedProv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\scm.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\scrcons.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\sdbus.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\secrcw32.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\SensorsClassExtension.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ServiceModel.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ServiceModel35.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\services.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\setupapi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\SmbWitnessWmiv2Provider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\smbwmiv2.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\smtpcons.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\sppwmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\sr.mof
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4892,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=3992 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.246.116.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.242.123.52.in-addr.arpa | udp |
Files
C:\Windows\System32\perfc011.dat
| MD5 | eef14d868d4e0c2354c345abc4902445 |
| SHA1 | 173c39e29dbe6dfd5044f5f788fa4e7618d68d4d |
| SHA256 | 9f32176066529c5699d45728fcad1bccce41d19dded4649b49cb24f7eef9ce7f |
| SHA512 | c926f13a0fc900dd7d740e2d7d33cdd1902ece0bfb44b6e1f5fed6ffd348c3e7d71089fb9792e38799e8df6573bc09e67bbe132cf9c2ae0a7199534dc5d959ee |
C:\Windows\System32\wbem\Performance\WmiApRpl.h
| MD5 | 1cc4c3b9bb1657be77939f0b565e315d |
| SHA1 | 6a7ff123e96da6f7fb0fd9b7d7600bfc3540ee25 |
| SHA256 | 9eb3cbb0f65809845890159efdab0ff5a910da34252e7d5cff2929cc2fa6ab6a |
| SHA512 | fd461013902cf1f89485efc1cbdd07bc294253a1b60d9950e27cdb12937cbb39e3491ddb5dfdc4386df87fa44ee4ca9b3be01d7048850337ff9d68156eea78ef |
C:\Windows\System32\wbem\Performance\WmiApRpl.ini
| MD5 | a656a56b1fda4aa28383160ba6ebea3b |
| SHA1 | bda09bb6f5f28f5470147113e93d46a02853dfe1 |
| SHA256 | 639cf8acd1fe25a19b9841c9262b4227fcc33bb6658919d31b10ab849253b318 |
| SHA512 | fbc74c738bbebb6265688ebec7a6bce18f5a59e98a5417701e5565d5c6e1f8c350da000005fc7441f8a4622043d4a8fd62efe54308cfa59f4ce9ed027dadebae |
C:\Windows\System32\perfh007.dat
| MD5 | 82d7f8765db25b313ecf436572dbe840 |
| SHA1 | da9ed48d5386a1133f878b3e00988cbf4cdebab8 |
| SHA256 | 3053aa67e9cb37cd6f9645ef3bec8d43b1863afd852d3860ea73fcd83c7010c3 |
| SHA512 | 59766b408b548dc020b54c79a426b361112c33c7263c16ca2e69485dadca05fb4c63b6433063e77c6a9e28a43ec6d3c8206ea702a33b79151fa6309d83b316a8 |
C:\Windows\System32\perfc007.dat
| MD5 | 1bd26a75846ce780d72b93caffac89f6 |
| SHA1 | ff89b7c5e8c46c6c2e52383849bbf008bd91d66e |
| SHA256 | 55b47d0f965800c179a78314b6489d02788a44fa2ce00f68b2d860440216927a |
| SHA512 | 4f5e14637e9e89700f1ee2d0e575d26d4f3d164d859487f1471bf4410dec6d0d7dbf552c6f791c12388be035c6b974610cda8882c6394438e2220b79e4d74e9e |
C:\Windows\System32\perfh009.dat
| MD5 | 407f4fed9a4510646f33a2869a184de8 |
| SHA1 | e2e622f36b28057bbfbaee754ab6abac2de04778 |
| SHA256 | 64a9d789cc9e0155153067c4354e1fc8baf3aa319fa870a2047482450811f615 |
| SHA512 | 1d420ea7ac787df81bbc1534e8fac89227f54fffff70c08c6d2da385762e6c5766448ab4a47aae1c5cbc671776522b6fb6d9c27870b505ae101462bce912867e |
C:\Windows\System32\perfh00A.dat
| MD5 | 4e62108a0d4a00aa39624f4f941d2595 |
| SHA1 | 7fbff1d3ac293c715a303ac37da0ceb12591028b |
| SHA256 | 3df3adaa8bd1ec4dd99bf304c7a1b0d513097fbeb8648efad4b127c5522c3263 |
| SHA512 | c79a483e4012d8c97f4a2188fdc27ea04bae24993b12487551872f1413a1a0884197dc71d13ba1dfd32c9b2c93089761f6f3ec37f0bb19e209dbf19283462126 |
C:\Windows\System32\perfc00A.dat
| MD5 | 6d4b430c2abf0ec4ca1909e6e2f097db |
| SHA1 | 97c330923a6380fe8ea8e440ce2c568594d3fff7 |
| SHA256 | 44f8db37f14c399ea27550fa89787add9bfd916ffb0056c37f5908b2bac7723e |
| SHA512 | cf28046fb6ab040d0527d7c89870983c02a110e9fe0ecf276395f080a3bd5745b920a79b3ce3bb820d7a5a878c0d13c37f67f4b5097245c5b93ca1111c1e830b |
C:\Windows\System32\perfh00C.dat
| MD5 | b87c7ea0e738fc61eb32a94fbd6c6775 |
| SHA1 | 0e730aa70900f623205b93cb1d6e11be4c0d51b5 |
| SHA256 | 6cd8b09f644b22c39e02af26b57580baa0fbed01b682d158b29c676d17dac5c0 |
| SHA512 | 4bad64af992b17a5700cf25ccfa299b2db5be846b8bc28233fa6987964994a34694eb53329ede8d04092298e4b16f06563e459692c210111e0420ee34468f23d |
C:\Windows\System32\perfc00C.dat
| MD5 | 6adbb878124fcd6561655718f12bff5f |
| SHA1 | 1711619dda04178fb47eea6658da6ad52f6cf660 |
| SHA256 | 0b16ac631d596f85f0062dbe5da238c0745bd4c033207cba2508465c7c7983cf |
| SHA512 | 88ec8b3c4670970900ef8fdaf0865e24a5bbc9c0ca375eb6ce12e8d8a3ec08c8a45dfc8ae3c7f4ff1974d5e4b53e0905c5dffadb852e730eb8097a22cd750006 |
C:\Windows\System32\perfh010.dat
| MD5 | 77a299c7d27f4e4372cd6c1de0781586 |
| SHA1 | bb6bf16619da6d0acc30797cd10978bde64892fd |
| SHA256 | 6699946552b9d5ebe64d6854228984a773e413a345816a5597b7d7035d4c09bf |
| SHA512 | 21fa8fd59e56018a3d888aed054e4117b246a5ea4568c2df93334d7565d50a512b5fc2c66c09572f7d1363e5b65ddb34d0c072267be78b15681076d2380cf98b |
C:\Windows\System32\perfc010.dat
| MD5 | c0a264734479700068f6e00ef4fd4aa7 |
| SHA1 | 4e1a8c6a53ea9b54eb76f12d99b1327137a47ebd |
| SHA256 | 71c5a18d082651484ae96e93f127bac9ac217513976b7e98eeb2b879d643b735 |
| SHA512 | 85ff44333fc4d47b02cdbc8c665c0bace22a19961e40419227976333ec1384ef8779232d241a9e3b54d988117b84c436f695f0be80dd109ede60fed919ee5fca |
C:\Windows\System32\perfh011.dat
| MD5 | a8bc9760fe491ad0305212839f5caaaf |
| SHA1 | e5aa69598284bc55ef94adcf3745053650179f42 |
| SHA256 | 6de2fdef2860e6e37cab23fa1785182c47955bc525c6e43f5b6887962ec7da8b |
| SHA512 | 4e19385e847d0f2de2d66979272a32bdb159c34319f45e7a497672904f20e52fa288778a7a5d1500b43abaeaea5f9f3cfda805895cf94442e5bd4d92d8751f13 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-20 12:33
Reported
2024-06-20 13:03
Platform
win10v2004-20240508-en
Max time kernel
1794s
Max time network
1803s
Command Line
Signatures
Disables service(s)
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Winmgmt\Parameters\ServiceDll = "%SystemRoot%\\system32\\wbem\\WMIsvc.dll" | C:\Windows\system32\regsvr32.exe | N/A |
Stops running service(s)
Event Triggered Execution: Component Object Model Hijacking
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\wbem\AutoRecover\EDBF963FB003D0670AA9C2219BD091FB.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\repository | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\4D63DBC2E2F583689FBD5757DE239E05.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\22BD4E705855FAECE7FFAB23C49D3662.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\BBF206490BAA431B592F9A13534F43F6.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\Performance\WmiApRpl_new.h | C:\Windows\system32\regsvr32.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\45D6D48D4A97E9A81DFF8FF65D16E53D.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\581973D722356C6D6F812AA82C9672A5.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\3A01647A9113490045B9D4AE10390941.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\DB3D8DB0C02C23250753E40A2A69CBE6.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\E04DE4CDFEC284A342159BB920976701.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\C8CB28C0C2CA72C0C9CFE6A7C2369F6F.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\perfh011.dat | C:\Windows\system32\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\system32\PerfStringBackup.INI | C:\Windows\system32\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\repository\MAPPING1.MAP | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\F0E76792C542307D2F6A5D4DD4C90DB8.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\1102992BCFD268BB67CEF17EF90BD944.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\26C097A9392F8C541AD42E89B7909073.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\5966D45C7B25EACA46E87DD8E5703964.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\03FA45E8AD14F8FCC81DC92CF18A9538.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\F81E6BEBC3067C406E6C491608474198.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\B00FB74CA11300E102C8BD294F6829E0.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\885A56BB8B1696DBC099A29D28BB3D1D.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\DD2E62153552EA285FA273046EAB94B7.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\95CF8C2673B156E93407C44DA1171F14.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\E737DE61441445E1FDFCA45EF5E7D987.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\3BB77EBFD75B7086053A09DC3A25E355.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\A9325A7FC13EE1821F6BC28637472FC3.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\AFDA9D2CA693B44A2C46D80A3E311ACD.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\6F096B7D28A95FE5E8A47222B749D137.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\6171B05B386ED99F0FA8FB138118111A.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\40D9B516941493C1CBB823CD248F4B35.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\D0035C04586CA68105E617C9FF87EA79.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\0296C47314AB746EC35476488248FCD9.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\15CB6E2BC4C7288B6A26F06F2EA3EBAA.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\C6300BFE37ADE6B52EC023F66124985F.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\070646108BD2E03A20D78B04D8233FF3.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\03DE10D374EFFB94AB99BF6CE6A8238D.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\repository\MAPPING2.MAP | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\ADE307452D6C84EC8BE606699DFFD89E.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\80284AB7783435319F5D7799340F6DD6.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\1294DF9252D50CEAB212BF12AB8BCED8.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\88744D2A29102FC88ECF505DD2E984FC.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\9AF10F83B065FC41909808E762FD7897.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\1711B779926254C7677446C72A3357DD.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\A8769F4B35986AF406AF014FBF2F5E0E.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\46085E5E756C882D3F6F01D32A3F8D24.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\repository\MAPPING3.MAP | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\8A5665C9B434838A05B96BF322560FE8.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\2CFB5B149FA396D1AEA5F89B1C5A8D81.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\CCBF2F68BDFF431067DD1663E0BB092D.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\97823DC673AD0F92AB9B83F4C177678B.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\DC999686F8B85B326CEDFA199DD07F72.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\494C62FAA08CD5217399BAA555FF491B.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\F3198D3969274A0C1B60E81C0811D9FC.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\perfc007.dat | C:\Windows\system32\regsvr32.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\3DC0BABDCA20E5E319117C21BD4BD795.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\341285245F81AA74FE6654017E06C685.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\178965049DAE0FAAF44B19FC13A8C147.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\C59549B4F20BC001A0A645775AB7BE45.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\E472716186F8104B95B7D3BC14528AED.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\1301D23A046E36454E9C1C4A9599D2BF.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\B3D1279CF76B72D4874D43A6EF458EF8.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\B84577778865FB1CDE19342E82E29918.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\inf\WmiApRpl\WmiApRpl.h | C:\Windows\system32\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\inf\WmiApRpl\WmiApRpl.h | C:\Windows\system32\regsvr32.exe | N/A |
| File created | C:\Windows\inf\WmiApRpl\WmiApRpl.ini | C:\Windows\system32\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\inf\WmiApRpl\WmiApRpl.ini | C:\Windows\system32\regsvr32.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7D35CFA-348B-485E-B524-252725D697CA}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4FA18276-912A-11D1-AD9B-00C04FD8FDFF}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemSink\CurVer | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemRefresher\CurVer\ = "WbemScripting.SWbemRefresher.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C49E32C7-BC8B-11D2-85D4-00105A1F8304}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25411283-46FC-4326-8DF2-FF5D34B2DFEF}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{755F9DA7-7508-11D1-AD94-00C04FD8FDFF} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DCF33DF4-B510-439F-832A-16B6B514F2A7} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemSink.1\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1E9C5B2-F59B-11D2-B362-00105A1F8177}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1E9C5B2-F59B-11D2-B362-00105A1F8177}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{755F9DA6-7508-11D1-AD94-00C04FD8FDFF} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Clsid\{D215781D-019E-4FA0-903D-0CDCDE13A4F5}\InProcServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C2FEEEAC-CFCD-11D1-8B05-00600806D9B6}\InProcServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{47DFBE54-CF76-11D3-B38F-00105A1F473A}\Version | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemRefresher.1\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JobObjSecLimitInfoProv.JobObjSecLimitInfoProv\CurVer | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EC231970-6AFD-4215-A72E-97242BB08680}\InprocServer32\ = "C:\\Windows\\System32\\wbem\\Microsoft.Uev.AgentWmi.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemObjectPath.1\ = "WBEM Scripting Object Path 1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CD184336-9128-11D1-AD9B-00C04FD8FDFF} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60E512D4-C47B-11D2-B338-00105A1F4AAF}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C9273E0-1DC3-11D3-B364-00105A1F8177} | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A571F412-E3D2-4A32-BF42-1D3B2203FF17} | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0C0B0642-1DEB-43DF-8032-7A9BF5811A74}\InProcServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WbemScripting.SWbemDateTime | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3AE0080A-7E3A-4366-BF89-0FEEDC931659}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1BE41572-91DD-11D1-AEB2-00C04FB68820}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JobObjLimitInfoProv.JobObjLimitInfoProv.1 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266C72E5-62E8-11D1-AD89-00C04FD8FDFF} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C2FEEEAC-CFCD-11D1-8B05-00600806D9B6}\VersionIndependentProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F6C78EF-FCE5-42FA-ABEA-3E7DF91921DC} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C10B4771-4DA0-11D2-A2F5-00C04F86FB7D}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FD450835-CF1B-4C87-9FD2-5E0D42FDE081} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JobObjSecLimitInfoProv.JobObjSecLimitInfoProv.1\ = "Win32_JobObjectSecLimitInfo Component" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7E9D3B9-E62B-4A90-8CC5-A3C5F662DA7B}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5C659258-E236-11D2-8899-00104B2AFB46} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D269BF5C-D9C1-11D3-B38F-00105A1F473A}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A504CA2-CA90-4731-87BC-6E99CA2019AF}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4950C79-806D-4ECE-9DB1-11B34D33F514}\InprocServer32\ThreadingModel = "Both" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D215781D-019E-4FA0-903D-0CDCDE13A4F5}\AccessPermission = 010004804800000054000000000000001400000002003400020000000100180001000000010200000000000520000000210200000000140001000000010100000000000512000000010100000000000512000000010100000000000512000000 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A0DC377-A9D3-41CB-BD69-AE1FDAF2DC68} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4} | C:\Windows\System32\wbem\WmiPrvSE.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F00B4404-F8F1-11CE-A5B6-00AA00680C3F}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{72967903-68EC-11D0-B729-00AA0062CBB7} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemObjectPath\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAC6B661-167E-4957-AD77-286AB256585E} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F72CC7A-74A0-45B4-909C-14FB8186DD7E}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A571F412-E3D2-4A32-BF42-1D3B2203FF17}\Version\ = "1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemNamedValueSet\CurVer\ = "WbemScripting.SWbemNamedValueSet.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A210BFE9-C9F7-4919-B114-0D98B3D5341E}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JobObjSecLimitInfoProv.JobObjSecLimitInfoProv\ = "Win32_JobObjectSecLimitInfo Component" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EC231970-6AFD-4215-A72E-97242BB08680}\ = "UevConfigurationProvider Class" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{F00B4404-F8F1-11CE-A5B6-00AA00680C3F} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WbemScripting.SWbemNamedValueSet.1 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48FF3109-A366-4B56-B340-01FAE758BA64}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C9273E0-1DC3-11D3-B364-00105A1F8177}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E246107A-B06E-11D0-AD61-00C04FD8FDFF} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2B322B6E-A9DF-44E3-97BF-259E3583FDA4}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3DD82D10-E6F1-11D2-B139-00105A1F77A1}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NCProv.NCProvider\ = "NCProvider Class" | C:\Windows\system32\regsvr32.exe | N/A |
Runs net.exe
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy WMI provider
Processes
| Process | Command Line |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cleaners\cleaner.bat" |
| C:\Windows\system32\cacls.exe | "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system" |
| C:\Windows\system32\taskkill.exe | taskkill /f /im epicgameslauncher.exe |
| C:\Windows\system32\taskkill.exe | taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe |
| C:\Windows\system32\taskkill.exe | taskkill /f /im FortniteClient-Win64-Shipping_BE.exe |
| C:\Windows\system32\taskkill.exe | taskkill /f /im FortniteLauncher.exe |
| C:\Windows\system32\taskkill.exe | taskkill /f /im OneDrive.exe |
| C:\Windows\system32\taskkill.exe | taskkill /f /im FortniteClient-Win64-Shipping.exe |
| C:\Windows\system32\taskkill.exe | taskkill /f /im EpicGamesLauncher.exe |
| C:\Windows\system32\taskkill.exe | taskkill /f /im UnrealCEFSubProcess.exe |
| C:\Windows\system32\taskkill.exe | taskkill /f /im CEFProcess.exe |
| C:\Windows\system32\taskkill.exe | taskkill /f /im EasyAntiCheat.exe |
| C:\Windows\system32\taskkill.exe | taskkill /f /im BEService.exe |
| C:\Windows\system32\taskkill.exe | taskkill /f /im BEServices.exe |
| C:\Windows\system32\taskkill.exe | taskkill /f /im BattleEye.exe |
| C:\Windows\system32\sc.exe | Sc stop EasyAntiCheat |
| C:\Windows\system32\sc.exe | Sc stop FortniteClient-Win64-Shipping_EAC |
| C:\Windows\system32\sc.exe | Sc stop BattleEye |
| C:\Windows\system32\sc.exe | Sc stop FortniteClient-Win64-Shipping_BE |
| C:\Windows\system32\sc.exe | sc config winmgmt start= disabled |
| C:\Windows\system32\net.exe | net stop winmgmt /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop winmgmt /y |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dir /b *.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s appbackgroundtask.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s cimwin32.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s DMWmiBridgeProv.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s DMWmiBridgeProv1.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s dnsclientcim.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s dnsclientpsprovider.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s Dscpspluginwkr.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s dsprov.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s EmbeddedLockdownWmi.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s esscli.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s EventTracingManagement.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s fastprox.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s ipmiprr.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s ipmiprv.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s KrnlProv.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s MDMAppProv.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s MDMSettingsProv.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s Microsoft.AppV.AppVClientWmi.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s Microsoft.Uev.AgentWmi.dll |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3976,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4052 /prefetch:8 |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s MMFUtil.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s mofd.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s mofinstall.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s msdtcwmi.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s msiprov.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s NCProv.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s ndisimplatcim.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s NetAdapterCim.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s netdacim.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s NetEventPacketCapture.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s netnccim.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s NetPeerDistCim.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s netswitchteamcim.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s NetTCPIP.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s netttcim.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s nlmcim.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s ntevt.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s PolicMan.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s PrintManagementProvider.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s qoswmi.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s RacWmiProv.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s repdrvfs.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s schedprov.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s ServDeps.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s SMTPCons.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s stdprov.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s vdswmi.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s viewprov.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s vpnclientpsprovider.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s vsswmi.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s wbemcntl.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s wbemcons.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s wbemcore.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s wbemdisp.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s wbemess.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s wbemprox.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s wbemsvc.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s WdacWmiProv.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s wfascim.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s Win32_EncryptableVolume.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s Win32_Tpm.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s WinMgmtR.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s WmiApRes.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s WmiApRpl.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s WMICOOKR.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s WmiDcPrv.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s wmipcima.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s wmipdfs.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s wmipdskq.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s WmiPerfClass.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s WmiPerfInst.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s WMIPICMP.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s WMIPIPRT.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s WMIPJOBJ.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s wmiprov.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s WmiPrvSD.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s WMIPSESS.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s WMIsvc.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s wmitimep.dll |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s wmiutils.dll |
| C:\Windows\System32\wbem\WmiPrvSE.exe | wmiprvse /regserver |
| C:\Windows\System32\wbem\WinMgmt.exe | winmgmt /regserver |
| C:\Windows\system32\sc.exe | sc config winmgmt start= auto |
| C:\Windows\system32\net.exe | net start winmgmt |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 start winmgmt |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dir /s /b *.mof *.mfl |
| C:\Windows\System32\wbem\mofcomp.exe | mofcomp C:\Windows\System32\wbem\aeinv.mof |
| C:\Windows\System32\wbem\mofcomp.exe | mofcomp C:\Windows\System32\wbem\AgentWmi.mof |
| C:\Windows\System32\wbem\mofcomp.exe | mofcomp C:\Windows\System32\wbem\AgentWmiUninstall.mof |
| C:\Windows\System32\wbem\mofcomp.exe | mofcomp C:\Windows\System32\wbem\appbackgroundtask.mof |
| C:\Windows\System32\wbem\mofcomp.exe | mofcomp C:\Windows\System32\wbem\appbackgroundtask_uninstall.mof |
| C:\Windows\System32\wbem\mofcomp.exe | mofcomp C:\Windows\System32\wbem\AuditRsop.mof |
| C:\Windows\System32\wbem\mofcomp.exe | mofcomp C:\Windows\System32\wbem\authfwcfg.mof |
| C:\Windows\System32\wbem\mofcomp.exe | mofcomp C:\Windows\System32\wbem\bcd.mof |
| C:\Windows\System32\wbem\mofcomp.exe | mofcomp C:\Windows\System32\wbem\BthMtpEnum.mof |
| C:\Windows\System32\wbem\mofcomp.exe | mofcomp C:\Windows\System32\wbem\cimdmtf.mof |
| C:\Windows\System32\wbem\mofcomp.exe | mofcomp C:\Windows\System32\wbem\cimwin32.mof |
| C:\Windows\System32\wbem\mofcomp.exe | mofcomp C:\Windows\System32\wbem\CIWmi.mof |
| C:\Windows\System32\wbem\mofcomp.exe | mofcomp C:\Windows\System32\wbem\classlog.mof |
| C:\Windows\System32\wbem\mofcomp.exe | mofcomp C:\Windows\System32\wbem\cli.mof |
| C:\Windows\System32\wbem\mofcomp.exe | mofcomp C:\Windows\System32\wbem\cliegaliases.mof |
| C:\Windows\System32\wbem\mofcomp.exe | mofcomp C:\Windows\System32\wbem\ddp.mof |
| C:\Windows\System32\wbem\mofcomp.exe | mofcomp C:\Windows\System32\wbem\dimsjob.mof |
| C:\Windows\System32\wbem\mofcomp.exe | mofcomp C:\Windows\System32\wbem\dimsroam.mof |
| C:\Windows\System32\wbem\mofcomp.exe | mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv.mof |
| C:\Windows\System32\wbem\mofcomp.exe | mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv1.mof |
| C:\Windows\System32\wbem\mofcomp.exe | mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv1_Uninstall.mof |
| C:\Windows\System32\wbem\mofcomp.exe | mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv_Uninstall.mof |
| C:\Windows\System32\wbem\mofcomp.exe | mofcomp C:\Windows\System32\wbem\dnsclientcim.mof |
| C:\Windows\System32\wbem\mofcomp.exe | mofcomp C:\Windows\System32\wbem\dnsclientpsprovider.mof |
| C:\Windows\System32\wbem\mofcomp.exe | mofcomp C:\Windows\System32\wbem\dnsclientpsprovider_Uninstall.mof |
| C:\Windows\System32\wbem\mofcomp.exe | mofcomp C:\Windows\System32\wbem\drvinst.mof |
| C:\Windows\System32\wbem\mofcomp.exe | mofcomp C:\Windows\System32\wbem\DscCore.mof |
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\DscCoreConfProv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\dscproxy.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\DscTimer.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\dsprov.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\eaimeapi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\embeddedlockdownwmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\embeddedlockdownwmi_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\EventTracingManagement.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\fdPHost.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\fdrespub.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\fdSSDP.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\fdWNet.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\fdWSD.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\filetrace.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\firewallapi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\FolderRedirectionWMIProvider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\FunDisc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\fwcfg.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\hbaapi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\hnetcfg.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\IMAPIv2-Base.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\IMAPIv2-FileSystemSupport.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\IMAPIv2-LegacyShim.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\interop.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\IpmiDTrc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ipmiprv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\IpmiPTrc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ipsecsvc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\iscsidsc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\iscsihba.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\iscsiprf.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\iscsirem.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\iscsiwmiv2.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\iscsiwmiv2_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\kerberos.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\krnlprov.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\L2SecHC.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\lltdio.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\lltdsvc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\lsasrv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mblctr.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\MDMAppProv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\MDMAppProv_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\MDMSettingsProv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\MDMSettingsProv_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Microsoft-Windows-OfflineFiles.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Microsoft-Windows-Remote-FileSystem.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Microsoft.Uev.ManagedAgentWmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Microsoft.Uev.ManagedAgentWmiUninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mispace.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mispace_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mmc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mountmgr.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mpeval.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mpsdrv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mpssvc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\MsDtcWmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\msfeeds.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\msfeedsbs.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\msi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\msiscsi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\MsNetImPlatform.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mstsc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mstscax.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\msv1_0.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mswmdm.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ncprov.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ncsi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ndistrace.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetAdapterCim.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetAdapterCimTrace.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetAdapterCimTraceUninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetAdapterCim_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\netdacim.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\netdacim_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetEventPacketCapture.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetEventPacketCapture_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\netnccim.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\netnccim_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetPeerDistCim.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetPeerDistCim_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\netprofm.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetSwitchTeam.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetTCPIP.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetTCPIP_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\netttcim.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\netttcim_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\networkitemfactory.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\newdev.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\nlasvc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\nlmcim.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\nlmcim_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\nlsvc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\npivwmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\nshipsec.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ntevt.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ntfs.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\OfflineFilesConfigurationWmiProvider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\OfflineFilesConfigurationWmiProvider_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\OfflineFilesWmiProvider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\OfflineFilesWmiProvider_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\p2p-mesh.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\p2p-pnrp.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\pcsvDevice.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\pcsvDevice_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\PNPXAssoc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\PolicMan.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\polproc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\polprocl.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\polprou.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\polstore.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\portabledeviceapi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\portabledeviceclassextension.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\portabledeviceconnectapi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\portabledevicetypes.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\portabledevicewiacompat.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\powermeterprovider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\PowerPolicyProvider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ppcRsopCompSchema.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ppcRsopUserSchema.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\PrintFilterPipelineSvc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\PrintManagementProvider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\profileassociationprovider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\PS_MMAgent.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\qmgr.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\qoswmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\qoswmitrc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\qoswmitrc_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\qoswmi_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\RacWmiProv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\rdpendp.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\rdpinit.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\rdpshell.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\refs.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\refsv1.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\regevent.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Remove.Microsoft.AppV.AppvClientWmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\rsop.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\rspndr.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\samsrv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\scersop.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\schannel.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\SchedProv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\scm.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\scrcons.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\sdbus.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\secrcw32.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\SensorsClassExtension.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ServiceModel.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ServiceModel35.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\services.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\setupapi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\SmbWitnessWmiv2Provider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\smbwmiv2.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\smtpcons.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\sppwmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\sr.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\sstpsvc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\storagewmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\storagewmi_passthru.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\storagewmi_passthru_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\storagewmi_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\stortrace.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\subscrpt.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\system.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\tcpip.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\tsallow.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\tscfgwmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\tsmf.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\tspkg.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\umb.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\umbus.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\umpass.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\umpnpmgr.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\UserProfileConfigurationWmiProvider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\UserProfileWmiProvider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\UserStateWMIProvider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\vds.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\vpnclientpsprovider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\vpnclientpsprovider_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\vss.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WBEMCons.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wcncsvc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WdacEtwProv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WdacWmiProv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WdacWmiProv_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Wdf01000.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Wdf01000Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wdigest.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WFAPIGP.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wfascim.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wfascim_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WFP.MOF
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wfs.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\whqlprov.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Win32_DeviceGuard.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\win32_encryptablevolume.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Win32_EncryptableVolumeUninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\win32_printer.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Win32_Tpm.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wininit.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\winipsec.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\winlogon.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Winsat.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WinsatUninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wlan.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WLanHC.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wmipcima.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wmipdfs.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wmipdskq.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WmiPerfClass.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WmiPerfInst.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wmipicmp.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wmipiprt.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wmipjobj.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wmipsess.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wmitimep.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WMI_Tracing.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wmp.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wmpnetwk.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wpdbusenum.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wpdcomp.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wpdfs.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wpdmtp.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wpdshext.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WPDShServiceObj.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wpdsp.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wpd_ci.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wscenter.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WsmAgent.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WsmAgentUninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WsmAuto.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wsp_fs.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wsp_fs_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wsp_health.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wsp_health_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wsp_sr.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wsp_sr_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WUDFx.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Wudfx02000.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Wudfx02000Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WUDFxUninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\xwizards.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\000CA9FCCEA7C766DFE3B6493B9A908F.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\016A4FDC29C2CD1C06090D04CC752B4D.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\01B65BA66800FEA5CE7F4892966D7559.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\01D083B8F092E9FEF6D9C55A64A75334.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\01EA423F27498C64D3F6C297AE2BD8F2.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\020FD1D34279A20EBB3742D63B9E359A.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0232BC928C9666E5DB91EC0848F13E18.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0309255AB46E3D6CAE2056340225DDA9.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0357610A8F431F78C35A3F00FF8E7E13.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\038145628EF306DCD8FD7686C52BD131.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\03E20F6C54427A7C0DDEE97EC0898FAB.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\042E30CED0EE9B02641D0960BD5D6854.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0471EE6D56711CCAFEBCF01C57F9159A.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\04920A1D7F20A747256FB48CA8A0147B.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\04B1FC5EA475F43F0CF8815E33B5913C.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\04D5961EC17DF68D8407B772F9C7DF98.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\050F60C5DEC201482BC14E317519A6F6.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\057069C8BCE64220B28DD683690F6879.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0583E7E08D1877A324A2553D19A795EA.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\069B498336DCA76D929AAAF5631ED0A5.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\06A22D2701E90D7DDCF8AAC0522F2449.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\06DAE99BF3D429EE4946D4BF8BFF8C96.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\06DEE93B2013BBE13958B3FA0D45AEB5.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0736061F644ECE849A494F2EDE2008CE.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\086D10A6F37ED2F988C9A8EDEF53B707.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\08BF1AF6E61B8456B1D5B42769C3412C.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\08D51E934D3BA7EB8F60B6E90B6F1511.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\08F894CB142235B53617974B1893CC74.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\09329A919E0B1FEB9E13BE1D4E8C71B0.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0955A3255BE8F939592AA33CBFED6637.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\095DDA6145E278EC67897251831FDD47.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\097C63F5D2B8C4182BEB625A8287192D.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\09A251213F70FF824ABB31AACEEAC17F.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0A2DA7EA3492D7ECD2C313A8B7490FC1.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0A49A422B8A92BD87756E892C1BAEC38.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0A76D835FEE42A0F9B07455539850A30.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0A7CF62821E141ADACC0C287DDD01839.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0B21EB6E1A9BA82714E2C9FCB1DD6E8A.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0B7747DAC81B5CDD2893AAE2E4BBE034.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0BE369FFE21F5817AE0847874550D36B.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0C0B602529B4AB335EE2B6BDD125ADB2.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0C840E79E220554456F582031714D456.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0CB6D8EA6179D949B588A4D328F2A1D5.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0CBD6BDA858114EC196F6B41C2CFD3BF.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0CCAA8293392639FBA830DD578DB2C02.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0D169F54EB7176F6BF264A5F8562C98B.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0DA95863FE4B25CC2D43F0020902CB31.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0DAE6401EA75135DC71C2BF2727AE47F.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0DC0A697FFCC592B72AABF89E4FD9156.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0E68BDAB79C00E0C496F8772703BB3AB.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0EA772F1A1EDFC2AEE10CC4E22899FA7.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0EACEE5F78D8DC364E3C886DBB50601B.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0EB7B5521B8E9A713CA5D4DE1135B365.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0EBA1F7B891BD5FE808E91F1D5467AFE.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0EBDDF573C99959D239BF0ADB48A18B5.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0F6999175ECAE7FD86A81D5F3AC1FA46.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\100C683F4F92BE5F31DCF9E5E8F8A127.mof
C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4012,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=3776 /prefetch:8
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-20 12:33
Reported
2024-06-20 13:03
Platform
win10v2004-20240508-en
Max time kernel
1674s
Max time network
1684s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.exe
"C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.exe"
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-20 12:33
Reported
2024-06-20 13:03
Platform
win10v2004-20240508-en
Max time kernel
1571s
Max time network
1588s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.sys
C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.sys
C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.sys