Malware Analysis Report

2024-09-22 13:35

Sample ID 240620-prd25axdpg
Target cleaners.zip
SHA256 4ee85019c1ae4d1abf8ea1908f635339d0a4af88ba185dc30e1104e68c7c902e
Tags
themida evasion trojan cerber execution persistence privilege_escalation ransomware
score
10/10

Analysis Overview

Threat Level: Known bad

The file cleaners.zip was found to be: Known bad.

Malicious Activity Summary

Disables service(s)

Cerber

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Server Software Component: Terminal Services DLL

Stops running service(s)

Themida packer

Checks BIOS information in registry

Event Triggered Execution: Component Object Model Hijacking

Checks whether UAC is enabled

Drops file in System32 directory

Checks system information in the registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Launches sc.exe

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Runs net.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Kills process with taskkill

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

Uses Volume Shadow Copy WMI provider

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-20 12:33

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 12:33

Reported

2024-06-20 13:03

Platform

win10v2004-20240611-en

Max time kernel

1790s

Max time network

1177s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe N/A
Set value (data) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion = 65004f00630048005300200020002d002000380000000000 C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe N/A

Checks system information in the registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "1573b5ad-3cdfe7d8-9" C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "5de981ee-af27e724-0" C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1336 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe C:\Windows\system32\cmd.exe
PID 1984 wrote to memory of 2008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1336 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe C:\Windows\system32\cmd.exe
PID 3768 wrote to memory of 2712 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1336 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe C:\Windows\system32\cmd.exe
PID 2920 wrote to memory of 1480 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1336 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe C:\Windows\system32\cmd.exe
PID 4688 wrote to memory of 3156 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3156 wrote to memory of 4888 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1336 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe C:\Windows\system32\cmd.exe
PID 3156 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3156 wrote to memory of 3200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3156 wrote to memory of 1480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe

"C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im EpicGamesLauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Battle.net.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start https://applecheats.cc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://applecheats.cc/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8db4546f8,0x7ff8db454708,0x7ff8db454718

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pause

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,3765862282093897721,10411569270882220389,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2016 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,3765862282093897721,10411569270882220389,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,3765862282093897721,10411569270882220389,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,3765862282093897721,10411569270882220389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,3765862282093897721,10411569270882220389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,3765862282093897721,10411569270882220389,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,3765862282093897721,10411569270882220389,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,3765862282093897721,10411569270882220389,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4252 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,3765862282093897721,10411569270882220389,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4316 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,3765862282093897721,10411569270882220389,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,3765862282093897721,10411569270882220389,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,3765862282093897721,10411569270882220389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,3765862282093897721,10411569270882220389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,3765862282093897721,10411569270882220389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,3765862282093897721,10411569270882220389,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6664 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,3765862282093897721,10411569270882220389,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6664 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,3765862282093897721,10411569270882220389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6756 /prefetch:1

Network

Files

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-20 12:33

Reported

2024-06-20 13:03

Platform

win10v2004-20240508-en

Max time kernel

454s

Max time network

1176s

Command Line

"C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe"

Signatures

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe

"C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe"

Network

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-20 12:33

Reported

2024-06-20 13:03

Platform

win10v2004-20240611-en

Max time kernel

1680s

Max time network

1174s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\spoofers\gsoftgmx64.sys

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\spoofers\gsoftgmx64.sys

C:\Users\Admin\AppData\Local\Temp\spoofers\gsoftgmx64.sys

C:\Users\Admin\AppData\Local\Temp\spoofers\gsoftgmx64.sys

Network

Files

memory/5104-0-0x0000000000010000-0x0000000000017000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-20 12:33

Reported

2024-06-20 13:03

Platform

win10v2004-20240611-en

Max time kernel

1794s

Max time network

1804s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\spoofers\serial_checker.bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\spoofers\serial_checker.bat"

C:\Windows\System32\Wbem\WMIC.exe

wmic diskdrive get model, serialnumber

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get serialnumber

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get serialnumber

C:\Windows\System32\Wbem\WMIC.exe

wmic baseboard get serialnumber

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_computersystemproduct get uuid

C:\Windows\system32\getmac.exe

getmac

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4064,i,3595107284059830391,18018199024659337217,262144 --variations-seed-version --mojo-platform-channel-handle=4308 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1312,i,3595107284059830391,18018199024659337217,262144 --variations-seed-version --mojo-platform-channel-handle=1292 /prefetch:8

Network

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 12:33

Reported

2024-06-20 13:03

Platform

win10v2004-20240508-en

Max time kernel

1794s

Max time network

1803s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Spoofer.exe"

Signatures

Cerber

ransomware cerber

Disables service(s)

evasion execution

Server Software Component: Terminal Services DLL

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Winmgmt\Parameters\ServiceDll = "%SystemRoot%\\system32\\wbem\\WMIsvc.dll" C:\Windows\system32\regsvr32.exe N/A

Stops running service(s)

evasion execution

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Drops file in System32 directory

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\inf\WmiApRpl\WmiApRpl.h C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Windows\inf\WmiApRpl\WmiApRpl.h C:\Windows\system32\regsvr32.exe N/A
File created C:\Windows\inf\WmiApRpl\WmiApRpl.ini C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Windows\inf\WmiApRpl\WmiApRpl.ini C:\Windows\system32\regsvr32.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Modifies registry class

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5D08B586-343A-11D0-AD46-00C04FD8FDFF}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6919DD07-1637-4611-A8A7-C16FAC5B2D53}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4AF3F4A4-06C8-4B79-A523-633CC65CE297}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A

Runs net.exe

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\mofcomp.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4740 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe
PID 4740 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe
PID 4740 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.EXE
PID 4740 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.EXE
PID 4740 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe
PID 4740 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe
PID 4740 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.EXE
PID 4740 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.EXE
PID 4740 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Windows\system32\cmd.exe
PID 4740 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Windows\system32\cmd.exe
PID 4740 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe
PID 4740 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe
PID 4740 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.EXE
PID 4740 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.EXE
PID 4740 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe
PID 4740 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe
PID 4740 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.EXE
PID 4740 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.EXE
PID 4740 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Windows\system32\cmd.exe
PID 4740 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Windows\system32\cmd.exe
PID 4740 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Windows\system32\cmd.exe
PID 4740 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\Spoofer.exe C:\Windows\system32\cmd.exe
PID 1972 wrote to memory of 5052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cacls.exe
PID 1972 wrote to memory of 5052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cacls.exe
PID 1972 wrote to memory of 2208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1972 wrote to memory of 2208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1972 wrote to memory of 2672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1972 wrote to memory of 2672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1972 wrote to memory of 4860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1972 wrote to memory of 4860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1972 wrote to memory of 3948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1972 wrote to memory of 3948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1972 wrote to memory of 3492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1972 wrote to memory of 3492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1972 wrote to memory of 2384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1972 wrote to memory of 2384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1972 wrote to memory of 4204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1972 wrote to memory of 4204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1972 wrote to memory of 716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1972 wrote to memory of 716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1972 wrote to memory of 1756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1972 wrote to memory of 1756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1972 wrote to memory of 4908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1972 wrote to memory of 4908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1972 wrote to memory of 1992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1972 wrote to memory of 1992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1972 wrote to memory of 5084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1972 wrote to memory of 5084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1972 wrote to memory of 4608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1972 wrote to memory of 4608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1972 wrote to memory of 2300 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1972 wrote to memory of 2300 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1972 wrote to memory of 2856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1972 wrote to memory of 2856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1972 wrote to memory of 3560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1972 wrote to memory of 3560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1972 wrote to memory of 3240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1972 wrote to memory of 3240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1972 wrote to memory of 2016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1972 wrote to memory of 2016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1972 wrote to memory of 1472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1972 wrote to memory of 1472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1472 wrote to memory of 1200 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1472 wrote to memory of 1200 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe

Uses Volume Shadow Copy WMI provider

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Spoofer.exe

"C:\Users\Admin\AppData\Local\Temp\Spoofer.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4240,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=1300 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe

C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.sys

C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.EXE

C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.EXE C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.sys

C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe

C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe C:\Users\Admin\AppData\Local\Temp\spoofers\gsoftgmx64.sys

C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.EXE

C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.EXE C:\Users\Admin\AppData\Local\Temp\spoofers\gsoftgmx64.sys

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe

C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.sys

C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.EXE

C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.EXE C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.sys

C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe

C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe C:\Users\Admin\AppData\Local\Temp\spoofers\gsoftgmx64.sys

C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.EXE

C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.EXE C:\Users\Admin\AppData\Local\Temp\spoofers\gsoftgmx64.sys

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cleaners\cleaner.bat

C:\Windows\system32\cacls.exe

"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"

C:\Windows\system32\taskkill.exe

taskkill /f /im epicgameslauncher.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping_BE.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteLauncher.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im OneDrive.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im EpicGamesLauncher.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im UnrealCEFSubProcess.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im CEFProcess.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im EasyAntiCheat.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im BEService.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im BEServices.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im BattleEye.exe

C:\Windows\system32\sc.exe

Sc stop EasyAntiCheat

C:\Windows\system32\sc.exe

Sc stop FortniteClient-Win64-Shipping_EAC

C:\Windows\system32\sc.exe

Sc stop BattleEye

C:\Windows\system32\sc.exe

Sc stop FortniteClient-Win64-Shipping_BE

C:\Windows\system32\sc.exe

sc config winmgmt start= disabled

C:\Windows\system32\net.exe

net stop winmgmt /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop winmgmt /y

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir /b *.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s appbackgroundtask.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s cimwin32.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s DMWmiBridgeProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s DMWmiBridgeProv1.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s dnsclientcim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s dnsclientpsprovider.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s Dscpspluginwkr.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s dsprov.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s EmbeddedLockdownWmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s esscli.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s EventTracingManagement.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s fastprox.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s ipmiprr.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s ipmiprv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s KrnlProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s MDMAppProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s MDMSettingsProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s Microsoft.AppV.AppVClientWmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s Microsoft.Uev.AgentWmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s MMFUtil.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s mofd.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s mofinstall.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s msdtcwmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s msiprov.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s NCProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s ndisimplatcim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s NetAdapterCim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s netdacim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s NetEventPacketCapture.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s netnccim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s NetPeerDistCim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s netswitchteamcim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s NetTCPIP.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s netttcim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s nlmcim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s ntevt.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s PolicMan.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s PrintManagementProvider.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s qoswmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s RacWmiProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s repdrvfs.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s schedprov.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s ServDeps.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s SMTPCons.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s stdprov.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s vdswmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s viewprov.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s vpnclientpsprovider.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s vsswmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemcntl.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemcons.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemcore.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemdisp.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemess.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemprox.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemsvc.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WdacWmiProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wfascim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s Win32_EncryptableVolume.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s Win32_Tpm.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WinMgmtR.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WmiApRes.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WmiApRpl.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WMICOOKR.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WmiDcPrv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wmipcima.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wmipdfs.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wmipdskq.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WmiPerfClass.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WmiPerfInst.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WMIPICMP.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WMIPIPRT.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WMIPJOBJ.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wmiprov.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WmiPrvSD.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WMIPSESS.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WMIsvc.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wmitimep.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wmiutils.dll

C:\Windows\System32\wbem\WmiPrvSE.exe

wmiprvse /regserver

C:\Windows\System32\wbem\WinMgmt.exe

winmgmt /regserver

C:\Windows\system32\sc.exe

sc config winmgmt start= auto

C:\Windows\system32\net.exe

net start winmgmt

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir /s /b *.mof *.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\aeinv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AgentWmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AgentWmiUninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\appbackgroundtask.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\appbackgroundtask_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AuditRsop.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\authfwcfg.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\bcd.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\BthMtpEnum.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\cimdmtf.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\cimwin32.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\CIWmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\classlog.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\cli.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\cliegaliases.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ddp.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\dimsjob.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\dimsroam.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv1.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv1_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\dnsclientcim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\dnsclientpsprovider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\dnsclientpsprovider_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\drvinst.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\DscCore.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\DscCoreConfProv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\dscproxy.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\DscTimer.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\dsprov.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\eaimeapi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\embeddedlockdownwmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\embeddedlockdownwmi_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\EventTracingManagement.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\fdPHost.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\fdrespub.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\fdSSDP.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\fdWNet.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\fdWSD.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\filetrace.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\firewallapi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\FolderRedirectionWMIProvider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\FunDisc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\fwcfg.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\hbaapi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\hnetcfg.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\IMAPIv2-Base.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\IMAPIv2-FileSystemSupport.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\IMAPIv2-LegacyShim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\interop.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\IpmiDTrc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ipmiprv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\IpmiPTrc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ipsecsvc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\iscsidsc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\iscsihba.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\iscsiprf.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\iscsirem.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\iscsiwmiv2.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\iscsiwmiv2_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\kerberos.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\krnlprov.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\L2SecHC.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\lltdio.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\lltdsvc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\lsasrv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mblctr.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\MDMAppProv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\MDMAppProv_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\MDMSettingsProv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\MDMSettingsProv_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Microsoft-Windows-OfflineFiles.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Microsoft-Windows-Remote-FileSystem.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Microsoft.Uev.ManagedAgentWmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Microsoft.Uev.ManagedAgentWmiUninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mispace.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mispace_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mmc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mountmgr.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mpeval.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mpsdrv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mpssvc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\MsDtcWmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\msfeeds.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\msfeedsbs.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\msi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\msiscsi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\MsNetImPlatform.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mstsc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mstscax.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\msv1_0.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mswmdm.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ncprov.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ncsi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ndistrace.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetAdapterCim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetAdapterCimTrace.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetAdapterCimTraceUninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetAdapterCim_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\netdacim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\netdacim_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetEventPacketCapture.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetEventPacketCapture_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\netnccim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\netnccim_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetPeerDistCim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetPeerDistCim_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\netprofm.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetSwitchTeam.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetTCPIP.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetTCPIP_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\netttcim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\netttcim_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\networkitemfactory.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\newdev.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\nlasvc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\nlmcim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\nlmcim_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\nlsvc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\npivwmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\nshipsec.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ntevt.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ntfs.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\OfflineFilesConfigurationWmiProvider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\OfflineFilesConfigurationWmiProvider_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\OfflineFilesWmiProvider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\OfflineFilesWmiProvider_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\p2p-mesh.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\p2p-pnrp.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\pcsvDevice.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\pcsvDevice_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\PNPXAssoc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\PolicMan.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\polproc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\polprocl.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\polprou.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\polstore.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\portabledeviceapi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\portabledeviceclassextension.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\portabledeviceconnectapi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\portabledevicetypes.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\portabledevicewiacompat.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\powermeterprovider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\PowerPolicyProvider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ppcRsopCompSchema.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ppcRsopUserSchema.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\PrintFilterPipelineSvc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\PrintManagementProvider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\profileassociationprovider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\PS_MMAgent.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\qmgr.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\qoswmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\qoswmitrc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\qoswmitrc_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\qoswmi_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\RacWmiProv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\rdpendp.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\rdpinit.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\rdpshell.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\refs.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\refsv1.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\regevent.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Remove.Microsoft.AppV.AppvClientWmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\rsop.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\rspndr.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\samsrv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\scersop.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\schannel.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\SchedProv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\scm.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\scrcons.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\sdbus.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\secrcw32.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\SensorsClassExtension.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ServiceModel.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ServiceModel35.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\services.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\setupapi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\SmbWitnessWmiv2Provider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\smbwmiv2.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\smtpcons.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\sppwmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\sr.mof

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4892,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=3992 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 106.246.116.51.in-addr.arpa udp
US 8.8.8.8:53 82.242.123.52.in-addr.arpa udp

Files

C:\Windows\System32\perfc011.dat

MD5 eef14d868d4e0c2354c345abc4902445
SHA1 173c39e29dbe6dfd5044f5f788fa4e7618d68d4d
SHA256 9f32176066529c5699d45728fcad1bccce41d19dded4649b49cb24f7eef9ce7f
SHA512 c926f13a0fc900dd7d740e2d7d33cdd1902ece0bfb44b6e1f5fed6ffd348c3e7d71089fb9792e38799e8df6573bc09e67bbe132cf9c2ae0a7199534dc5d959ee

C:\Windows\System32\wbem\Performance\WmiApRpl.h

MD5 1cc4c3b9bb1657be77939f0b565e315d
SHA1 6a7ff123e96da6f7fb0fd9b7d7600bfc3540ee25
SHA256 9eb3cbb0f65809845890159efdab0ff5a910da34252e7d5cff2929cc2fa6ab6a
SHA512 fd461013902cf1f89485efc1cbdd07bc294253a1b60d9950e27cdb12937cbb39e3491ddb5dfdc4386df87fa44ee4ca9b3be01d7048850337ff9d68156eea78ef

C:\Windows\System32\wbem\Performance\WmiApRpl.ini

MD5 a656a56b1fda4aa28383160ba6ebea3b
SHA1 bda09bb6f5f28f5470147113e93d46a02853dfe1
SHA256 639cf8acd1fe25a19b9841c9262b4227fcc33bb6658919d31b10ab849253b318
SHA512 fbc74c738bbebb6265688ebec7a6bce18f5a59e98a5417701e5565d5c6e1f8c350da000005fc7441f8a4622043d4a8fd62efe54308cfa59f4ce9ed027dadebae

C:\Windows\System32\perfh007.dat

MD5 82d7f8765db25b313ecf436572dbe840
SHA1 da9ed48d5386a1133f878b3e00988cbf4cdebab8
SHA256 3053aa67e9cb37cd6f9645ef3bec8d43b1863afd852d3860ea73fcd83c7010c3
SHA512 59766b408b548dc020b54c79a426b361112c33c7263c16ca2e69485dadca05fb4c63b6433063e77c6a9e28a43ec6d3c8206ea702a33b79151fa6309d83b316a8

C:\Windows\System32\perfc007.dat

MD5 1bd26a75846ce780d72b93caffac89f6
SHA1 ff89b7c5e8c46c6c2e52383849bbf008bd91d66e
SHA256 55b47d0f965800c179a78314b6489d02788a44fa2ce00f68b2d860440216927a
SHA512 4f5e14637e9e89700f1ee2d0e575d26d4f3d164d859487f1471bf4410dec6d0d7dbf552c6f791c12388be035c6b974610cda8882c6394438e2220b79e4d74e9e

C:\Windows\System32\perfh009.dat

MD5 407f4fed9a4510646f33a2869a184de8
SHA1 e2e622f36b28057bbfbaee754ab6abac2de04778
SHA256 64a9d789cc9e0155153067c4354e1fc8baf3aa319fa870a2047482450811f615
SHA512 1d420ea7ac787df81bbc1534e8fac89227f54fffff70c08c6d2da385762e6c5766448ab4a47aae1c5cbc671776522b6fb6d9c27870b505ae101462bce912867e

C:\Windows\System32\perfh00A.dat

MD5 4e62108a0d4a00aa39624f4f941d2595
SHA1 7fbff1d3ac293c715a303ac37da0ceb12591028b
SHA256 3df3adaa8bd1ec4dd99bf304c7a1b0d513097fbeb8648efad4b127c5522c3263
SHA512 c79a483e4012d8c97f4a2188fdc27ea04bae24993b12487551872f1413a1a0884197dc71d13ba1dfd32c9b2c93089761f6f3ec37f0bb19e209dbf19283462126

C:\Windows\System32\perfc00A.dat

MD5 6d4b430c2abf0ec4ca1909e6e2f097db
SHA1 97c330923a6380fe8ea8e440ce2c568594d3fff7
SHA256 44f8db37f14c399ea27550fa89787add9bfd916ffb0056c37f5908b2bac7723e
SHA512 cf28046fb6ab040d0527d7c89870983c02a110e9fe0ecf276395f080a3bd5745b920a79b3ce3bb820d7a5a878c0d13c37f67f4b5097245c5b93ca1111c1e830b

C:\Windows\System32\perfh00C.dat

MD5 b87c7ea0e738fc61eb32a94fbd6c6775
SHA1 0e730aa70900f623205b93cb1d6e11be4c0d51b5
SHA256 6cd8b09f644b22c39e02af26b57580baa0fbed01b682d158b29c676d17dac5c0
SHA512 4bad64af992b17a5700cf25ccfa299b2db5be846b8bc28233fa6987964994a34694eb53329ede8d04092298e4b16f06563e459692c210111e0420ee34468f23d

C:\Windows\System32\perfc00C.dat

MD5 6adbb878124fcd6561655718f12bff5f
SHA1 1711619dda04178fb47eea6658da6ad52f6cf660
SHA256 0b16ac631d596f85f0062dbe5da238c0745bd4c033207cba2508465c7c7983cf
SHA512 88ec8b3c4670970900ef8fdaf0865e24a5bbc9c0ca375eb6ce12e8d8a3ec08c8a45dfc8ae3c7f4ff1974d5e4b53e0905c5dffadb852e730eb8097a22cd750006

C:\Windows\System32\perfh010.dat

MD5 77a299c7d27f4e4372cd6c1de0781586
SHA1 bb6bf16619da6d0acc30797cd10978bde64892fd
SHA256 6699946552b9d5ebe64d6854228984a773e413a345816a5597b7d7035d4c09bf
SHA512 21fa8fd59e56018a3d888aed054e4117b246a5ea4568c2df93334d7565d50a512b5fc2c66c09572f7d1363e5b65ddb34d0c072267be78b15681076d2380cf98b

C:\Windows\System32\perfc010.dat

MD5 c0a264734479700068f6e00ef4fd4aa7
SHA1 4e1a8c6a53ea9b54eb76f12d99b1327137a47ebd
SHA256 71c5a18d082651484ae96e93f127bac9ac217513976b7e98eeb2b879d643b735
SHA512 85ff44333fc4d47b02cdbc8c665c0bace22a19961e40419227976333ec1384ef8779232d241a9e3b54d988117b84c436f695f0be80dd109ede60fed919ee5fca

C:\Windows\System32\perfh011.dat

MD5 a8bc9760fe491ad0305212839f5caaaf
SHA1 e5aa69598284bc55ef94adcf3745053650179f42
SHA256 6de2fdef2860e6e37cab23fa1785182c47955bc525c6e43f5b6887962ec7da8b
SHA512 4e19385e847d0f2de2d66979272a32bdb159c34319f45e7a497672904f20e52fa288778a7a5d1500b43abaeaea5f9f3cfda805895cf94442e5bd4d92d8751f13

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-20 12:33

Reported

2024-06-20 13:03

Platform

win10v2004-20240508-en

Max time kernel

1794s

Max time network

1803s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cleaners\cleaner.bat"

Signatures

Disables service(s)

evasion execution

Server Software Component: Terminal Services DLL

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Winmgmt\Parameters\ServiceDll = "%SystemRoot%\\system32\\wbem\\WMIsvc.dll" C:\Windows\system32\regsvr32.exe N/A

Stops running service(s)

evasion execution

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\wbem\AutoRecover\EDBF963FB003D0670AA9C2219BD091FB.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File opened for modification C:\Windows\system32\wbem\repository C:\Windows\system32\svchost.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\4D63DBC2E2F583689FBD5757DE239E05.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\22BD4E705855FAECE7FFAB23C49D3662.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\BBF206490BAA431B592F9A13534F43F6.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\Performance\WmiApRpl_new.h C:\Windows\system32\regsvr32.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\45D6D48D4A97E9A81DFF8FF65D16E53D.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\581973D722356C6D6F812AA82C9672A5.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\3A01647A9113490045B9D4AE10390941.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\DB3D8DB0C02C23250753E40A2A69CBE6.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\E04DE4CDFEC284A342159BB920976701.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\C8CB28C0C2CA72C0C9CFE6A7C2369F6F.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\perfh011.dat C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Windows\system32\PerfStringBackup.INI C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\MAPPING1.MAP C:\Windows\system32\svchost.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\F0E76792C542307D2F6A5D4DD4C90DB8.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\1102992BCFD268BB67CEF17EF90BD944.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\26C097A9392F8C541AD42E89B7909073.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\5966D45C7B25EACA46E87DD8E5703964.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\03FA45E8AD14F8FCC81DC92CF18A9538.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\F81E6BEBC3067C406E6C491608474198.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\B00FB74CA11300E102C8BD294F6829E0.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\885A56BB8B1696DBC099A29D28BB3D1D.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\DD2E62153552EA285FA273046EAB94B7.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\95CF8C2673B156E93407C44DA1171F14.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\E737DE61441445E1FDFCA45EF5E7D987.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\3BB77EBFD75B7086053A09DC3A25E355.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\A9325A7FC13EE1821F6BC28637472FC3.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\AFDA9D2CA693B44A2C46D80A3E311ACD.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\6F096B7D28A95FE5E8A47222B749D137.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\6171B05B386ED99F0FA8FB138118111A.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\40D9B516941493C1CBB823CD248F4B35.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\D0035C04586CA68105E617C9FF87EA79.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\0296C47314AB746EC35476488248FCD9.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\15CB6E2BC4C7288B6A26F06F2EA3EBAA.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\C6300BFE37ADE6B52EC023F66124985F.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\070646108BD2E03A20D78B04D8233FF3.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\03DE10D374EFFB94AB99BF6CE6A8238D.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\MAPPING2.MAP C:\Windows\system32\svchost.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\ADE307452D6C84EC8BE606699DFFD89E.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\80284AB7783435319F5D7799340F6DD6.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\1294DF9252D50CEAB212BF12AB8BCED8.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\88744D2A29102FC88ECF505DD2E984FC.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\9AF10F83B065FC41909808E762FD7897.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\1711B779926254C7677446C72A3357DD.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\A8769F4B35986AF406AF014FBF2F5E0E.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\46085E5E756C882D3F6F01D32A3F8D24.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\MAPPING3.MAP C:\Windows\system32\svchost.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\8A5665C9B434838A05B96BF322560FE8.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\2CFB5B149FA396D1AEA5F89B1C5A8D81.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\CCBF2F68BDFF431067DD1663E0BB092D.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\97823DC673AD0F92AB9B83F4C177678B.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\DC999686F8B85B326CEDFA199DD07F72.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\494C62FAA08CD5217399BAA555FF491B.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\F3198D3969274A0C1B60E81C0811D9FC.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\perfc007.dat C:\Windows\system32\regsvr32.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\3DC0BABDCA20E5E319117C21BD4BD795.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\341285245F81AA74FE6654017E06C685.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\178965049DAE0FAAF44B19FC13A8C147.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\C59549B4F20BC001A0A645775AB7BE45.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\E472716186F8104B95B7D3BC14528AED.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\1301D23A046E36454E9C1C4A9599D2BF.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\B3D1279CF76B72D4874D43A6EF458EF8.mof C:\Windows\System32\wbem\mofcomp.exe N/A
File created C:\Windows\system32\wbem\AutoRecover\B84577778865FB1CDE19342E82E29918.mof C:\Windows\System32\wbem\mofcomp.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\inf\WmiApRpl\WmiApRpl.h C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Windows\inf\WmiApRpl\WmiApRpl.h C:\Windows\system32\regsvr32.exe N/A
File created C:\Windows\inf\WmiApRpl\WmiApRpl.ini C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Windows\inf\WmiApRpl\WmiApRpl.ini C:\Windows\system32\regsvr32.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7D35CFA-348B-485E-B524-252725D697CA}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4FA18276-912A-11D1-AD9B-00C04FD8FDFF}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemSink\CurVer C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemRefresher\CurVer\ = "WbemScripting.SWbemRefresher.1" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C49E32C7-BC8B-11D2-85D4-00105A1F8304}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25411283-46FC-4326-8DF2-FF5D34B2DFEF}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{755F9DA7-7508-11D1-AD94-00C04FD8FDFF} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DCF33DF4-B510-439F-832A-16B6B514F2A7} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemSink.1\CLSID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1E9C5B2-F59B-11D2-B362-00105A1F8177}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1E9C5B2-F59B-11D2-B362-00105A1F8177}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{755F9DA6-7508-11D1-AD94-00C04FD8FDFF} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Clsid\{D215781D-019E-4FA0-903D-0CDCDE13A4F5}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C2FEEEAC-CFCD-11D1-8B05-00600806D9B6}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{47DFBE54-CF76-11D3-B38F-00105A1F473A}\Version C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemRefresher.1\CLSID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JobObjSecLimitInfoProv.JobObjSecLimitInfoProv\CurVer C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EC231970-6AFD-4215-A72E-97242BB08680}\InprocServer32\ = "C:\\Windows\\System32\\wbem\\Microsoft.Uev.AgentWmi.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemObjectPath.1\ = "WBEM Scripting Object Path 1.0" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CD184336-9128-11D1-AD9B-00C04FD8FDFF} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60E512D4-C47B-11D2-B338-00105A1F4AAF}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C9273E0-1DC3-11D3-B364-00105A1F8177} C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A571F412-E3D2-4A32-BF42-1D3B2203FF17} C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0C0B0642-1DEB-43DF-8032-7A9BF5811A74}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\CLASSES\WbemScripting.SWbemDateTime C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3AE0080A-7E3A-4366-BF89-0FEEDC931659}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1BE41572-91DD-11D1-AEB2-00C04FB68820}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JobObjLimitInfoProv.JobObjLimitInfoProv.1 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266C72E5-62E8-11D1-AD89-00C04FD8FDFF} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C2FEEEAC-CFCD-11D1-8B05-00600806D9B6}\VersionIndependentProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F6C78EF-FCE5-42FA-ABEA-3E7DF91921DC} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C10B4771-4DA0-11D2-A2F5-00C04F86FB7D}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FD450835-CF1B-4C87-9FD2-5E0D42FDE081} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JobObjSecLimitInfoProv.JobObjSecLimitInfoProv.1\ = "Win32_JobObjectSecLimitInfo Component" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7E9D3B9-E62B-4A90-8CC5-A3C5F662DA7B}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5C659258-E236-11D2-8899-00104B2AFB46} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D269BF5C-D9C1-11D3-B38F-00105A1F473A}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A504CA2-CA90-4731-87BC-6E99CA2019AF}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4950C79-806D-4ECE-9DB1-11B34D33F514}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D215781D-019E-4FA0-903D-0CDCDE13A4F5}\AccessPermission = 010004804800000054000000000000001400000002003400020000000100180001000000010200000000000520000000210200000000140001000000010100000000000512000000010100000000000512000000010100000000000512000000 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A0DC377-A9D3-41CB-BD69-AE1FDAF2DC68} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4} C:\Windows\System32\wbem\WmiPrvSE.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F00B4404-F8F1-11CE-A5B6-00AA00680C3F}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{72967903-68EC-11D0-B729-00AA0062CBB7} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemObjectPath\CLSID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAC6B661-167E-4957-AD77-286AB256585E} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F72CC7A-74A0-45B4-909C-14FB8186DD7E}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A571F412-E3D2-4A32-BF42-1D3B2203FF17}\Version\ = "1.0" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemNamedValueSet\CurVer\ = "WbemScripting.SWbemNamedValueSet.1" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A210BFE9-C9F7-4919-B114-0D98B3D5341E}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JobObjSecLimitInfoProv.JobObjSecLimitInfoProv\ = "Win32_JobObjectSecLimitInfo Component" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EC231970-6AFD-4215-A72E-97242BB08680}\ = "UevConfigurationProvider Class" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{F00B4404-F8F1-11CE-A5B6-00AA00680C3F} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\CLASSES\WbemScripting.SWbemNamedValueSet.1 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48FF3109-A366-4B56-B340-01FAE758BA64}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C9273E0-1DC3-11D3-B364-00105A1F8177}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E246107A-B06E-11D0-AD61-00C04FD8FDFF} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2B322B6E-A9DF-44E3-97BF-259E3583FDA4}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3DD82D10-E6F1-11D2-B139-00105A1F77A1}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NCProv.NCProvider\ = "NCProvider Class" C:\Windows\system32\regsvr32.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\mofcomp.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
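What a practitioner wants from the table above is which of these privilege enables are explained by the image that performed them. taskkill /f enables SeDebugPrivilege in order to terminate processes it does not own, mofcomp enables SeSecurityPrivilege, and the service host that starts Winmgmt (C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt, listed under Processes below) enables the same fixed set of service privileges whenever it starts a service; every row above falls into one of those three groups. The Python below is an added example, not part of the report or of the sample: it parses rows in the report's own format, groups the privileges per image and reports only the pairs that a per-image baseline does not cover. The BASELINE table is this example's assumption, and the last input row (a binary under Temp enabling SeDebugPrivilege) is constructed to show what an unexplained enable looks like; it does not occur in this report.

```python
import re
from collections import defaultdict

# Rows copied from the AdjustPrivilegeToken table above, plus one constructed
# row (the Temp\x.exe line) that is NOT in the report and only illustrates a hit.
TOKEN_ROWS = r"""
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\mofcomp.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\x.exe N/A
"""

# "Token: <privilege> <indicator> <process> <target>", as the report prints it.
TOKEN_RE = re.compile(r"^Token:\s+(Se\w+Privilege)\s+\S+\s+(\S+)\s+\S+$")

# Assumed baseline (this example's own, keyed by lower-cased image name):
# privileges each image routinely enables during normal operation.
BASELINE = {
    "taskkill.exe": {"SeDebugPrivilege"},     # taskkill /f on processes it does not own
    "mofcomp.exe": {"SeSecurityPrivilege"},   # MOF compilation into the WMI repository
    "svchost.exe": {                          # service host starting a service
        "SeAssignPrimaryTokenPrivilege", "SeIncreaseQuotaPrivilege",
        "SeSecurityPrivilege", "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege",
        "SeSystemtimePrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
        "SeShutdownPrivilege", "SeSystemEnvironmentPrivilege", "SeUndockPrivilege",
        "SeManageVolumePrivilege",
    },
}


def parse_token_rows(text):
    """Map image path -> set of privileges that image enabled (repeats collapse)."""
    by_image = defaultdict(set)
    for line in text.splitlines():
        m = TOKEN_RE.match(line.strip())
        if m:
            by_image[m.group(2)].add(m.group(1))
    return dict(by_image)


def image_name(path):
    """Lower-cased file name of a Windows path, for baseline lookup."""
    return path.rsplit("\\", 1)[-1].lower()


def unexpected_privileges(by_image, baseline=BASELINE):
    """Sorted (image path, privilege) pairs the baseline does not explain.
    An image with no baseline entry has all of its privileges reported."""
    hits = []
    for path, privs in by_image.items():
        allowed = baseline.get(image_name(path), set())
        hits.extend((path, p) for p in sorted(privs - allowed))
    return sorted(hits)


if __name__ == "__main__":
    for path, priv in unexpected_privileges(parse_token_rows(TOKEN_ROWS)):
        print(f"unexplained: {priv} enabled by {path}")
```

Run against the report's own rows the function returns nothing, which is the point: here the signature records that the batch ran with enough rights to kill other users' processes and restart a service, not that anything raised its privileges. Only the constructed Temp binary is reported.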

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4540 wrote to memory of 2124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cacls.exe
PID 4540 wrote to memory of 2124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cacls.exe
PID 4540 wrote to memory of 4488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4540 wrote to memory of 4488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4540 wrote to memory of 3396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4540 wrote to memory of 3396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4540 wrote to memory of 4476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4540 wrote to memory of 4476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4540 wrote to memory of 888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4540 wrote to memory of 888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4540 wrote to memory of 2736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4540 wrote to memory of 2736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4540 wrote to memory of 2232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4540 wrote to memory of 2232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4540 wrote to memory of 4836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4540 wrote to memory of 4836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4540 wrote to memory of 4068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4540 wrote to memory of 4068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4540 wrote to memory of 4136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4540 wrote to memory of 4136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4540 wrote to memory of 324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4540 wrote to memory of 324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4540 wrote to memory of 4848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4540 wrote to memory of 4848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4540 wrote to memory of 3340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4540 wrote to memory of 3340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4540 wrote to memory of 2424 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4540 wrote to memory of 2424 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4540 wrote to memory of 1160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4540 wrote to memory of 1160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4540 wrote to memory of 2520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4540 wrote to memory of 2520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4540 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4540 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4540 wrote to memory of 3008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4540 wrote to memory of 3008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4540 wrote to memory of 3996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4540 wrote to memory of 3996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4540 wrote to memory of 724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 4540 wrote to memory of 724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 724 wrote to memory of 1136 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 724 wrote to memory of 1136 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4540 wrote to memory of 1144 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4540 wrote to memory of 1144 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4540 wrote to memory of 528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4540 wrote to memory of 528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4540 wrote to memory of 2724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4540 wrote to memory of 2724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4540 wrote to memory of 4956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4540 wrote to memory of 4956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4540 wrote to memory of 2228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4540 wrote to memory of 2228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4540 wrote to memory of 2708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4540 wrote to memory of 2708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4540 wrote to memory of 4944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4540 wrote to memory of 4944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4540 wrote to memory of 2736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4540 wrote to memory of 2736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4540 wrote to memory of 2824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4540 wrote to memory of 2824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4540 wrote to memory of 3488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4540 wrote to memory of 3488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4540 wrote to memory of 1488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4540 wrote to memory of 1488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
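The WriteProcessMemory rows above are the writes cmd.exe performs into each child it spawns, so they double as a process tree: PID 4540, the cmd.exe running cleaner.bat, starts cacls, thirteen taskkill instances, five sc instances, net (which starts net1), a nested cmd and the first of the regsvr32 instances. The Processes list below supplies the command lines: a cacls call on the SYSTEM hive (commonly used in batch files as an elevation test, since the call fails without administrative rights), taskkill /f against Epic Games, Fortnite, EasyAntiCheat and BattlEye processes, sc stop against the anti-cheat services, and then a fixed sequence that disables and stops winmgmt, runs regsvr32 /s over every DLL in the directory, re-registers WmiPrvSE and WinMgmt, re-enables and restarts winmgmt, and recompiles every .mof and .mfl with mofcomp, which is the well-known WMI repository rebuild sequence. One of the re-registered DLLs is vsswmi.dll, the Volume Shadow Copy WMI provider, and that registration is the only VSS-related activity in the listed command lines. The Python below is an added example, not part of the report: it de-duplicates the rows (each appears twice in the table), rebuilds the tree, classifies each command line with rules that are this example's own assumptions, and reports whether the rebuild sequence occurred in order and which killed processes look like anti-cheat components.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the WriteProcessMemory rows above, copied as
# printed (including a duplicated row). Paths contain no spaces in this report.
WPM_ROWS = r"""
PID 4540 wrote to memory of 2124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cacls.exe
PID 4540 wrote to memory of 2124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cacls.exe
PID 4540 wrote to memory of 4488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4540 wrote to memory of 1160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4540 wrote to memory of 724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 724 wrote to memory of 1136 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4540 wrote to memory of 1144 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4540 wrote to memory of 528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
"""
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


def parse_wpm_rows(text):
    """Unique (parent_pid, child_pid, parent_image, child_image) edges, first-seen
    order. Key on the whole tuple, not the child PID: the sandbox reuses PIDs
    (2736 is both a taskkill and a regsvr32 in the table above)."""
    seen, edges = set(), []
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            edge = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
            if edge not in seen:
                seen.add(edge)
                edges.append(edge)
    return edges


def build_tree(edges):
    """Map parent PID -> [(child PID, child image), ...]."""
    tree = defaultdict(list)
    for ppid, cpid, _pimg, cimg in edges:
        tree[ppid].append((cpid, cimg))
    return dict(tree)


def roots(edges):
    """PIDs that write into children but are never written into (the batch host)."""
    return sorted({p for p, _, _, _ in edges} - {c for _, c, _, _ in edges})


# Constructed input: command lines copied from the Processes list, in order.
COMMAND_LINES = [
    r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cleaners\cleaner.bat"',
    r'"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"',
    "taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe",
    "taskkill /f /im OneDrive.exe",
    "taskkill /f /im BEService.exe",
    "Sc stop EasyAntiCheat",
    "sc config winmgmt start= disabled",
    "net stop winmgmt /y",
    r"C:\Windows\system32\cmd.exe /c dir /b *.dll",
    "regsvr32 /s cimwin32.dll",
    "regsvr32 /s vsswmi.dll",
    "wmiprvse /regserver",
    "winmgmt /regserver",
    "sc config winmgmt start= auto",
    "net start winmgmt",
    r"C:\Windows\system32\cmd.exe /c dir /s /b *.mof *.mfl",
    r"mofcomp C:\Windows\System32\wbem\cimwin32.mof",
]

# Classification rules (this example's assumptions); the first match wins.
RULES = [
    ("elevation_check", re.compile(r"cacls\.exe.*config\\system", re.I)),
    ("kill_process", re.compile(r"^taskkill\s+/f\s+/im\s+\S+", re.I)),
    ("disable_winmgmt", re.compile(r"^(sc\s+config\s+winmgmt\s+start=\s*disabled|net\s+stop\s+winmgmt)", re.I)),
    ("enable_winmgmt", re.compile(r"^(sc\s+config\s+winmgmt\s+start=\s*auto|net\s+start\s+winmgmt)", re.I)),
    ("stop_service", re.compile(r"^sc\s+stop\s+\S+", re.I)),
    ("reregister_dll", re.compile(r"^regsvr32\s+/s\s+\S+\.dll$", re.I)),
    ("wmi_regserver", re.compile(r"^(wmiprvse|winmgmt)\s+/regserver$", re.I)),
    ("mofcomp", re.compile(r"^mofcomp\s+\S+\.(mof|mfl)$", re.I)),
]
# Stop WMI, re-register providers, re-register the service binaries, restart, recompile.
WMI_REBUILD = ["disable_winmgmt", "reregister_dll", "wmi_regserver", "enable_winmgmt", "mofcomp"]
# Loose substrings for EasyAntiCheat / BattlEye image names (assumed heuristic).
ANTICHEAT_HINTS = ("eac", "easyanticheat", "beservice", "battleye", "_be.exe")


def classify(cmdline):
    """Rule name for one command line, or "other"."""
    cmdline = cmdline.strip()
    for name, rx in RULES:
        if rx.search(cmdline):
            return name
    return "other"


def assess(cmdlines):
    """Summarise the batch from its children's command lines."""
    tags = [classify(c) for c in cmdlines]
    counts = {}
    for t in tags:
        counts[t] = counts.get(t, 0) + 1
    killed = [c.split()[-1] for c, t in zip(cmdlines, tags) if t == "kill_process"]
    anticheat = [k for k in killed if any(h in k.lower() for h in ANTICHEAT_HINTS)]
    # Keep only rebuild-related tags, collapse runs, then require the exact order.
    order = []
    for t in tags:
        if t in WMI_REBUILD and (not order or order[-1] != t):
            order.append(t)
    return {
        "elevation_check": counts.get("elevation_check", 0) > 0,
        "killed_processes": killed,
        "anticheat_targets": anticheat,
        "wmi_rebuild_sequence": order == WMI_REBUILD,
        "counts": counts,
    }


if __name__ == "__main__":
    edges = parse_wpm_rows(WPM_ROWS)
    print("batch host PID(s):", roots(edges), "children:", build_tree(edges)[4540])
    print(assess(COMMAND_LINES))
```

The order check matters more than the individual rules: regsvr32 /s on a system DLL, mofcomp, or net stop winmgmt each occur on their own in ordinary administration, while the five-step sequence in this exact order is the rebuild script. When this is applied to full telemetry rather than a sandbox table, join the command lines to the tree by PID so that the sequence is required under one parent, as it is under PID 4540 here.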

Uses Volume Shadow Copy WMI provider

ransomware

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cleaners\cleaner.bat"

C:\Windows\system32\cacls.exe

"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"

C:\Windows\system32\taskkill.exe

taskkill /f /im epicgameslauncher.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping_BE.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteLauncher.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im OneDrive.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im EpicGamesLauncher.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im UnrealCEFSubProcess.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im CEFProcess.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im EasyAntiCheat.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im BEService.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im BEServices.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im BattleEye.exe

C:\Windows\system32\sc.exe

Sc stop EasyAntiCheat

C:\Windows\system32\sc.exe

Sc stop FortniteClient-Win64-Shipping_EAC

C:\Windows\system32\sc.exe

Sc stop BattleEye

C:\Windows\system32\sc.exe

Sc stop FortniteClient-Win64-Shipping_BE

C:\Windows\system32\sc.exe

sc config winmgmt start= disabled

C:\Windows\system32\net.exe

net stop winmgmt /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop winmgmt /y

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir /b *.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s appbackgroundtask.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s cimwin32.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s DMWmiBridgeProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s DMWmiBridgeProv1.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s dnsclientcim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s dnsclientpsprovider.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s Dscpspluginwkr.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s dsprov.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s EmbeddedLockdownWmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s esscli.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s EventTracingManagement.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s fastprox.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s ipmiprr.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s ipmiprv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s KrnlProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s MDMAppProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s MDMSettingsProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s Microsoft.AppV.AppVClientWmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s Microsoft.Uev.AgentWmi.dll

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3976,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4052 /prefetch:8

C:\Windows\system32\regsvr32.exe

regsvr32 /s MMFUtil.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s mofd.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s mofinstall.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s msdtcwmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s msiprov.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s NCProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s ndisimplatcim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s NetAdapterCim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s netdacim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s NetEventPacketCapture.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s netnccim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s NetPeerDistCim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s netswitchteamcim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s NetTCPIP.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s netttcim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s nlmcim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s ntevt.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s PolicMan.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s PrintManagementProvider.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s qoswmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s RacWmiProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s repdrvfs.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s schedprov.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s ServDeps.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s SMTPCons.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s stdprov.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s vdswmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s viewprov.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s vpnclientpsprovider.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s vsswmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemcntl.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemcons.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemcore.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemdisp.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemess.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemprox.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemsvc.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WdacWmiProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wfascim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s Win32_EncryptableVolume.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s Win32_Tpm.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WinMgmtR.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WmiApRes.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WmiApRpl.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WMICOOKR.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WmiDcPrv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wmipcima.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wmipdfs.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wmipdskq.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WmiPerfClass.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WmiPerfInst.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WMIPICMP.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WMIPIPRT.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WMIPJOBJ.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wmiprov.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WmiPrvSD.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WMIPSESS.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WMIsvc.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wmitimep.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wmiutils.dll

C:\Windows\System32\wbem\WmiPrvSE.exe

wmiprvse /regserver

C:\Windows\System32\wbem\WinMgmt.exe

winmgmt /regserver

C:\Windows\system32\sc.exe

sc config winmgmt start= auto

C:\Windows\system32\net.exe

net start winmgmt

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir /s /b *.mof *.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\aeinv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AgentWmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AgentWmiUninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\appbackgroundtask.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\appbackgroundtask_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AuditRsop.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\authfwcfg.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\bcd.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\BthMtpEnum.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\cimdmtf.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\cimwin32.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\CIWmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\classlog.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\cli.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\cliegaliases.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ddp.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\dimsjob.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\dimsroam.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv1.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv1_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\dnsclientcim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\dnsclientpsprovider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\dnsclientpsprovider_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\drvinst.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\DscCore.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\DscCoreConfProv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\dscproxy.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\DscTimer.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\dsprov.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\eaimeapi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\embeddedlockdownwmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\embeddedlockdownwmi_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\EventTracingManagement.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\fdPHost.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\fdrespub.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\fdSSDP.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\fdWNet.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\fdWSD.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\filetrace.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\firewallapi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\FolderRedirectionWMIProvider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\FunDisc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\fwcfg.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\hbaapi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\hnetcfg.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\IMAPIv2-Base.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\IMAPIv2-FileSystemSupport.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\IMAPIv2-LegacyShim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\interop.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\IpmiDTrc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ipmiprv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\IpmiPTrc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ipsecsvc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\iscsidsc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\iscsihba.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\iscsiprf.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\iscsirem.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\iscsiwmiv2.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\iscsiwmiv2_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\kerberos.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\krnlprov.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\L2SecHC.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\lltdio.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\lltdsvc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\lsasrv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mblctr.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\MDMAppProv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\MDMAppProv_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\MDMSettingsProv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\MDMSettingsProv_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Microsoft-Windows-OfflineFiles.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Microsoft-Windows-Remote-FileSystem.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Microsoft.Uev.ManagedAgentWmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Microsoft.Uev.ManagedAgentWmiUninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mispace.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mispace_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mmc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mountmgr.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mpeval.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mpsdrv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mpssvc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\MsDtcWmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\msfeeds.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\msfeedsbs.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\msi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\msiscsi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\MsNetImPlatform.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mstsc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mstscax.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\msv1_0.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mswmdm.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ncprov.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ncsi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ndistrace.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetAdapterCim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetAdapterCimTrace.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetAdapterCimTraceUninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetAdapterCim_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\netdacim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\netdacim_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetEventPacketCapture.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetEventPacketCapture_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\netnccim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\netnccim_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetPeerDistCim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetPeerDistCim_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\netprofm.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetSwitchTeam.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetTCPIP.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetTCPIP_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\netttcim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\netttcim_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\networkitemfactory.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\newdev.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\nlasvc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\nlmcim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\nlmcim_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\nlsvc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\npivwmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\nshipsec.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ntevt.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ntfs.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\OfflineFilesConfigurationWmiProvider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\OfflineFilesConfigurationWmiProvider_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\OfflineFilesWmiProvider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\OfflineFilesWmiProvider_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\p2p-mesh.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\p2p-pnrp.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\pcsvDevice.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\pcsvDevice_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\PNPXAssoc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\PolicMan.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\polproc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\polprocl.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\polprou.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\polstore.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\portabledeviceapi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\portabledeviceclassextension.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\portabledeviceconnectapi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\portabledevicetypes.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\portabledevicewiacompat.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\powermeterprovider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\PowerPolicyProvider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ppcRsopCompSchema.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ppcRsopUserSchema.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\PrintFilterPipelineSvc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\PrintManagementProvider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\profileassociationprovider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\PS_MMAgent.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\qmgr.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\qoswmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\qoswmitrc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\qoswmitrc_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\qoswmi_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\RacWmiProv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\rdpendp.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\rdpinit.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\rdpshell.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\refs.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\refsv1.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\regevent.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Remove.Microsoft.AppV.AppvClientWmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\rsop.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\rspndr.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\samsrv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\scersop.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\schannel.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\SchedProv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\scm.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\scrcons.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\sdbus.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\secrcw32.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\SensorsClassExtension.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ServiceModel.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ServiceModel35.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\services.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\setupapi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\SmbWitnessWmiv2Provider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\smbwmiv2.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\smtpcons.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\sppwmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\sr.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\sstpsvc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\storagewmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\storagewmi_passthru.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\storagewmi_passthru_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\storagewmi_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\stortrace.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\subscrpt.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\system.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\tcpip.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\tsallow.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\tscfgwmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\tsmf.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\tspkg.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\umb.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\umbus.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\umpass.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\umpnpmgr.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\UserProfileConfigurationWmiProvider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\UserProfileWmiProvider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\UserStateWMIProvider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\vds.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\vpnclientpsprovider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\vpnclientpsprovider_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\vss.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WBEMCons.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wcncsvc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WdacEtwProv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WdacWmiProv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WdacWmiProv_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Wdf01000.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Wdf01000Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wdigest.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WFAPIGP.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wfascim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wfascim_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WFP.MOF

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wfs.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\whqlprov.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Win32_DeviceGuard.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\win32_encryptablevolume.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Win32_EncryptableVolumeUninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\win32_printer.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Win32_Tpm.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wininit.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\winipsec.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\winlogon.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Winsat.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WinsatUninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wlan.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WLanHC.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmipcima.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmipdfs.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmipdskq.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WmiPerfClass.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WmiPerfInst.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmipicmp.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmipiprt.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmipjobj.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmipsess.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmitimep.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WMI_Tracing.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmp.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmpnetwk.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wpdbusenum.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wpdcomp.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wpdfs.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wpdmtp.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wpdshext.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WPDShServiceObj.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wpdsp.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wpd_ci.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wscenter.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WsmAgent.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WsmAgentUninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WsmAuto.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wsp_fs.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wsp_fs_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wsp_health.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wsp_health_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wsp_sr.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wsp_sr_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WUDFx.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Wudfx02000.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Wudfx02000Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WUDFxUninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\xwizards.mof

C:\Windows\System32\wbem\mofcomp.exe

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4012,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=3776 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 201.64.52.20.in-addr.arpa udp

Files

C:\Windows\System32\wbem\Performance\WmiApRpl.ini

MD5 a656a56b1fda4aa28383160ba6ebea3b
SHA1 bda09bb6f5f28f5470147113e93d46a02853dfe1
SHA256 639cf8acd1fe25a19b9841c9262b4227fcc33bb6658919d31b10ab849253b318
SHA512 fbc74c738bbebb6265688ebec7a6bce18f5a59e98a5417701e5565d5c6e1f8c350da000005fc7441f8a4622043d4a8fd62efe54308cfa59f4ce9ed027dadebae

C:\Windows\System32\wbem\Performance\WmiApRpl.h

MD5 1cc4c3b9bb1657be77939f0b565e315d
SHA1 6a7ff123e96da6f7fb0fd9b7d7600bfc3540ee25
SHA256 9eb3cbb0f65809845890159efdab0ff5a910da34252e7d5cff2929cc2fa6ab6a
SHA512 fd461013902cf1f89485efc1cbdd07bc294253a1b60d9950e27cdb12937cbb39e3491ddb5dfdc4386df87fa44ee4ca9b3be01d7048850337ff9d68156eea78ef

C:\Windows\System32\perfc011.dat

MD5 eef14d868d4e0c2354c345abc4902445
SHA1 173c39e29dbe6dfd5044f5f788fa4e7618d68d4d
SHA256 9f32176066529c5699d45728fcad1bccce41d19dded4649b49cb24f7eef9ce7f
SHA512 c926f13a0fc900dd7d740e2d7d33cdd1902ece0bfb44b6e1f5fed6ffd348c3e7d71089fb9792e38799e8df6573bc09e67bbe132cf9c2ae0a7199534dc5d959ee

C:\Windows\System32\perfh007.dat

MD5 82d7f8765db25b313ecf436572dbe840
SHA1 da9ed48d5386a1133f878b3e00988cbf4cdebab8
SHA256 3053aa67e9cb37cd6f9645ef3bec8d43b1863afd852d3860ea73fcd83c7010c3
SHA512 59766b408b548dc020b54c79a426b361112c33c7263c16ca2e69485dadca05fb4c63b6433063e77c6a9e28a43ec6d3c8206ea702a33b79151fa6309d83b316a8

C:\Windows\System32\perfc007.dat

MD5 1bd26a75846ce780d72b93caffac89f6
SHA1 ff89b7c5e8c46c6c2e52383849bbf008bd91d66e
SHA256 55b47d0f965800c179a78314b6489d02788a44fa2ce00f68b2d860440216927a
SHA512 4f5e14637e9e89700f1ee2d0e575d26d4f3d164d859487f1471bf4410dec6d0d7dbf552c6f791c12388be035c6b974610cda8882c6394438e2220b79e4d74e9e

C:\Windows\System32\perfh00A.dat

MD5 4e62108a0d4a00aa39624f4f941d2595
SHA1 7fbff1d3ac293c715a303ac37da0ceb12591028b
SHA256 3df3adaa8bd1ec4dd99bf304c7a1b0d513097fbeb8648efad4b127c5522c3263
SHA512 c79a483e4012d8c97f4a2188fdc27ea04bae24993b12487551872f1413a1a0884197dc71d13ba1dfd32c9b2c93089761f6f3ec37f0bb19e209dbf19283462126

C:\Windows\System32\perfc00A.dat

MD5 6d4b430c2abf0ec4ca1909e6e2f097db
SHA1 97c330923a6380fe8ea8e440ce2c568594d3fff7
SHA256 44f8db37f14c399ea27550fa89787add9bfd916ffb0056c37f5908b2bac7723e
SHA512 cf28046fb6ab040d0527d7c89870983c02a110e9fe0ecf276395f080a3bd5745b920a79b3ce3bb820d7a5a878c0d13c37f67f4b5097245c5b93ca1111c1e830b

C:\Windows\System32\perfh010.dat

MD5 77a299c7d27f4e4372cd6c1de0781586
SHA1 bb6bf16619da6d0acc30797cd10978bde64892fd
SHA256 6699946552b9d5ebe64d6854228984a773e413a345816a5597b7d7035d4c09bf
SHA512 21fa8fd59e56018a3d888aed054e4117b246a5ea4568c2df93334d7565d50a512b5fc2c66c09572f7d1363e5b65ddb34d0c072267be78b15681076d2380cf98b

C:\Windows\System32\perfh00C.dat

MD5 b87c7ea0e738fc61eb32a94fbd6c6775
SHA1 0e730aa70900f623205b93cb1d6e11be4c0d51b5
SHA256 6cd8b09f644b22c39e02af26b57580baa0fbed01b682d158b29c676d17dac5c0
SHA512 4bad64af992b17a5700cf25ccfa299b2db5be846b8bc28233fa6987964994a34694eb53329ede8d04092298e4b16f06563e459692c210111e0420ee34468f23d

C:\Windows\System32\perfh011.dat

MD5 a8bc9760fe491ad0305212839f5caaaf
SHA1 e5aa69598284bc55ef94adcf3745053650179f42
SHA256 6de2fdef2860e6e37cab23fa1785182c47955bc525c6e43f5b6887962ec7da8b
SHA512 4e19385e847d0f2de2d66979272a32bdb159c34319f45e7a497672904f20e52fa288778a7a5d1500b43abaeaea5f9f3cfda805895cf94442e5bd4d92d8751f13

C:\Windows\System32\perfc00C.dat

MD5 6adbb878124fcd6561655718f12bff5f
SHA1 1711619dda04178fb47eea6658da6ad52f6cf660
SHA256 0b16ac631d596f85f0062dbe5da238c0745bd4c033207cba2508465c7c7983cf
SHA512 88ec8b3c4670970900ef8fdaf0865e24a5bbc9c0ca375eb6ce12e8d8a3ec08c8a45dfc8ae3c7f4ff1974d5e4b53e0905c5dffadb852e730eb8097a22cd750006

C:\Windows\System32\perfc010.dat

MD5 c0a264734479700068f6e00ef4fd4aa7
SHA1 4e1a8c6a53ea9b54eb76f12d99b1327137a47ebd
SHA256 71c5a18d082651484ae96e93f127bac9ac217513976b7e98eeb2b879d643b735
SHA512 85ff44333fc4d47b02cdbc8c665c0bace22a19961e40419227976333ec1384ef8779232d241a9e3b54d988117b84c436f695f0be80dd109ede60fed919ee5fca

C:\Windows\System32\perfh009.dat

MD5 407f4fed9a4510646f33a2869a184de8
SHA1 e2e622f36b28057bbfbaee754ab6abac2de04778
SHA256 64a9d789cc9e0155153067c4354e1fc8baf3aa319fa870a2047482450811f615
SHA512 1d420ea7ac787df81bbc1534e8fac89227f54fffff70c08c6d2da385762e6c5766448ab4a47aae1c5cbc671776522b6fb6d9c27870b505ae101462bce912867e

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-20 12:33

Reported

2024-06-20 13:03

Platform

win10v2004-20240508-en

Max time kernel

1674s

Max time network

1684s

Command Line

"C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.exe"

Signatures

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.exe

"C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.exe"

Network

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-20 12:33

Reported

2024-06-20 13:03

Platform

win10v2004-20240508-en

Max time kernel

1571s

Max time network

1588s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.sys

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.sys

C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.sys

C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.sys

Network

Files

N/A