Analysis Overview
SHA256
4ee85019c1ae4d1abf8ea1908f635339d0a4af88ba185dc30e1104e68c7c902e
Threat Level: Known bad
The file cleaners.zip was found to be: Known bad.
Malicious Activity Summary
Disables service(s)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Stops running service(s)
Server Software Component: Terminal Services DLL
Themida packer
Event Triggered Execution: Component Object Model Hijacking
Checks BIOS information in registry
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Launches sc.exe
Drops file in Windows directory
Unsigned PE
Kills process with taskkill
Runs net.exe
Modifies registry key
Modifies registry class
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver
Suspicious use of WriteProcessMemory
Checks processor information in registry
Uses Volume Shadow Copy WMI provider
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-20 12:35
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 12:35
Reported
2024-06-20 13:05
Platform
win11-20240508-en
Max time kernel
1778s
Max time network
1787s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\Spoofer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 52.111.229.19:443 | | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-20 12:35
Reported
2024-06-20 13:05
Platform
win11-20240611-en
Max time kernel
1778s
Max time network
1508s
Command Line
Signatures
Disables service(s)
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Winmgmt\Parameters\ServiceDll = "%SystemRoot%\\system32\\wbem\\WMIsvc.dll" | C:\Windows\system32\regsvr32.exe | N/A |
Stops running service(s)
Event Triggered Execution: Component Object Model Hijacking
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\wbem\AutoRecover\3B72DD6E3EC71817FF6A001F937A7FBD.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\73798C03E4DE5FDCF5194ADA9EBFB859.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\B12A30844EDF486DC68A883EAEE07EFD.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\341285245F81AA74FE6654017E06C685.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\1A912C581AC70DC296224968C7240F2E.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\B3D1279CF76B72D4874D43A6EF458EF8.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\EDB534A0AD75CF6CD3441C25046B8E9A.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\22BD4E705855FAECE7FFAB23C49D3662.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\476C3FD56A0D8BA1E9A4920B9C079DD6.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\DB4B73F19DDA515AB1E7FD7FAFBFBA15.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\FC4DF9001B20616C9CB1D98663B7AB78.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\15CB6E2BC4C7288B6A26F06F2EA3EBAA.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\A9731CFE1446C44B70574B7A3A9B02A8.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\5DB779D375458B0C6A4B80A5D8B0F07B.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\7F269E749ABFFBDB9D9CDEE2B0A41AAF.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\D9FB2EA84EA550889AB9F744527912A4.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\AA742824DCADA846BA4B665D686DD5D6.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\DF80FD3849FFF74B4BF43E2EA8ADEC8A.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\C9FFD7DEF039EF1D8845837409469B2F.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\0A9DBC92D554324656F61F9862679F27.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\8EE8FC83289049798EE5B66322A8DA45.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\79A1347BEE2DDBA266DAC7663C7EC688.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\BA62993AB44625B7F9C02CD09C60C108.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\D4C4BA54B6A8FA6211E60E2ADFF7426A.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\95CF8C2673B156E93407C44DA1171F14.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\17FFDF80330024B07853138CB5AFAD9C.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\CBD66ABF99AFFFA4375E215A3072C696.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\65C95633233A81A21D5557E0804A562A.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\A9325A7FC13EE1821F6BC28637472FC3.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\46338086849864D67B0CF6203CC83708.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\0C75BF6FEE0CC2FB2C6FB6B4B0E167EF.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\CF8C0786491B25E81EAF9CD909AF06EA.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\8C718B5AFD373885B68D2836088CAF9A.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\B5A184297A8D5F53BE1B1947FF802729.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\A070E510DD6FB900742044F2CD306750.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\97AFF9FD1B08479A0422F3DE41252DCB.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\2C142C4C15E3B8D139B98154CD083071.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\D04CF75CF95177478D7A2AB8BA487705.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\87AA2A001CE3E89926688B93E4DC2992.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\1E97A05DE566CF6EEAE29D0634E27392.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\092389D621F5A8834203DAAC74CCA279.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\26869DC91CC97FBAE032BEA74B1F7AB8.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\E64C812BDB57F02CCE1B5804475861B7.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\B5BDC89EC19D4D61972165BBEEDD9E38.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\C8463ECBE33BC240263A0B094E46D510.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\1C078F108857519908F320C9860EA9D8.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\A7575F8DE31A912FFE91A7A41B1E382A.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\DF8BF6B131E93D11C67D810B1AAE1BC3.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\BBC8E4A673BF0F9776AFB59B78F6037E.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\D0F718F60C57DAA7F0D86AE75EADAEEC.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\AC7364DB8095313CD61CF47141AF3F0B.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\F01326692CC5736EBAC31B9FC2381CF2.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\A09A7FDBA9278B3329DD4662E80BFE42.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\03FA45E8AD14F8FCC81DC92CF18A9538.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\FD38E89965714BC8838FE9C66DB5567D.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\2E4D1429BE1911C37755271D939627EF.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\A0925B7CAE67304DB8A7D8B009B810D1.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\055E3AB08EE69CBCCCA3B8F96350A405.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\9A369ECD2244BCD3426557FDA9A258A0.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\FE978D9B7A5E71D84CFCDA0F2EFBDBF2.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\F8B5EEAA63CB208A0E9ADBD73A3443CC.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\6317F4B515BD547512FF3AE3ACD81242.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\BD786BABAAB72CA7E7213B34441CCEB8.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\41648FA3AF58F3ACA0843F25FC7B4D28.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\inf\WmiApRpl\WmiApRpl.h | C:\Windows\system32\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\inf\WmiApRpl\WmiApRpl.h | C:\Windows\system32\regsvr32.exe | N/A |
| File created | C:\Windows\inf\WmiApRpl\WmiApRpl.ini | C:\Windows\system32\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\inf\WmiApRpl\WmiApRpl.ini | C:\Windows\system32\regsvr32.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\reg.exe | N/A |
| Delete value | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\reg.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Delete value | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Windows\system32\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\reg.exe | N/A |
| Delete value | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\system32\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\reg.exe | N/A |
| Delete value | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor | C:\Windows\system32\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\reg.exe | N/A |
| Delete value | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate | C:\Windows\system32\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\reg.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1E9C5B2-F59B-11D2-B362-00105A1F8177} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Krnlprov.KernelTraceProvider\CurVer\ = "Krnlprov.KernelTraceProvider.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{6DAF9757-2E37-11D2-AEC9-00C04FB68820} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{72970BEB-81F8-46D4-B220-D743F4E49C95} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemObjectPath.1\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2DB9FA90-9973-46CF-B310-9865B644699D} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0725C3CB-FEFB-11D0-99F9-00C04FC2F8EC} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D1C559D-84F0-4BB3-A7D5-56A7435A9BA6} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EC231970-6AFD-4215-A72E-97242BB08680}\Version\ = "1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AA70DDF4-E11C-11D1-ABB0-00C04FD9159E} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{854D745C-6742-42C0-8BB9-01EC466B6E87}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DCF33DF4-B510-439F-832A-16B6B514F2A7} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69D76D1B-B12E-4913-8F48-671B90195A2B}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{755F9DA7-7508-11D1-AD94-00C04FD8FDFF}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{47DFBE54-CF76-11D3-B38F-00105A1F473A}\Programmable | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31739D04-3471-4CF4-9A7C-57A44AE71956}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25411283-46FC-4326-8DF2-FF5D34B2DFEF}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1E9C5B2-F59B-11D2-B362-00105A1F8177}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7E9D3B9-E62B-4A90-8CC5-A3C5F662DA7B} | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{55F7B88D-A254-4B22-B7BB-FCDBBA1AFA32}\Version | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FD4F53E0-65DC-11D1-AB64-00C04FD9159E}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemObjectPath\CurVer | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{04788120-12C2-498D-83C1-A7D92E677AC6} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1BE41572-91DD-11D1-AEB2-00C04FB68820}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F55C5B4C-517D-11D1-AB57-00C04FD9159E}\NotInsertable | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\VersionIndependentProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemRefresher\CurVer\ = "WbemScripting.SWbemRefresher.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{37196B39-CCCF-11D2-B35C-00105A1F8177}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A0DC377-A9D3-41CB-BD69-AE1FDAF2DC68} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F6C78EF-FCE5-42FA-ABEA-3E7DF91921DC}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EAC8A024-21E2-4523-AD73-A71A0AA2F56A}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{D31B6A3F-9350-40DE-A3FC-A7EDEB9B7C63} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0C0B0642-1DEB-43DF-8032-7A9BF5811A74}\InprocServer32\ThreadingModel = "Both" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6963B029-B969-40AA-9180-2B2F84075973}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6515834D-6125-4878-A3A3-6B0A73B809A2}\ProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266C72E6-62E8-11D1-AD89-00C04FD8FDFF} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WINMGMTS\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6B100E1A-1385-4D1F-A02E-6E705A76BB6C}\1.0\HELPDIR | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EC231970-6AFD-4215-A72E-97242BB08680}\InprocServer32\ = "C:\\Windows\\System32\\wbem\\Microsoft.Uev.AgentWmi.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{55F7B88D-A254-4B22-B7BB-FCDBBA1AFA32}\Version\ = "1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72967903-68EC-11D0-B729-00AA0062CBB7}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JobObjLimitInfoProv.JobObjLimitInfoProv.1\ = "Win32_JobObjectLimitInfo Component" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E246107B-B06E-11D0-AD61-00C04FD8FDFF} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemLocator\ = "WBEM Scripting Locator" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemLocator\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA2AF3B4-C15E-412b-B453-557746675FB7}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8BEBCE8B-1AF0-4323-8B4D-36994567CAE1}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{6E78DAD9-E187-4D6E-BA63-760256D6F405} | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{523A581F-EC58-40CE-99D3-36BF7897F3EC} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7E9D3B9-E62B-4A90-8CC5-A3C5F662DA7B}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{D269BF5C-D9C1-11D3-B38F-00105A1F473A} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CB8555CC-9128-11D1-AD9B-00C04FD8FDFF}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C19BE34-7500-11D1-AD94-00C04FD8FDFF}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
Modifies registry key
Runs net.exe
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy WMI provider
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cleaners\cleaner.bat"
C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
C:\Windows\system32\taskkill.exe
taskkill /f /im epicgameslauncher.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteLauncher.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im OneDrive.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im UnrealCEFSubProcess.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im CEFProcess.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im EasyAntiCheat.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im BEService.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im BEServices.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im BattleEye.exe
C:\Windows\system32\sc.exe
Sc stop EasyAntiCheat
C:\Windows\system32\sc.exe
Sc stop FortniteClient-Win64-Shipping_EAC
C:\Windows\system32\sc.exe
Sc stop BattleEye
C:\Windows\system32\sc.exe
Sc stop FortniteClient-Win64-Shipping_BE
C:\Windows\system32\sc.exe
sc config winmgmt start= disabled
C:\Windows\system32\net.exe
net stop winmgmt /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop winmgmt /y
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b *.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s appbackgroundtask.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s cimwin32.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s DMWmiBridgeProv.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s DMWmiBridgeProv1.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s dnsclientcim.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s dnsclientpsprovider.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s Dscpspluginwkr.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s dsprov.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s EmbeddedLockdownWmi.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s esscli.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s EventTracingManagement.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s fastprox.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s ipmiprr.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s ipmiprv.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s KrnlProv.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s MDMAppProv.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s MDMSettingsProv.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s Microsoft.AppV.AppVClientWmi.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s Microsoft.Uev.AgentWmi.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s MMFUtil.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s mofd.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s mofinstall.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s msdtcwmi.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s msiprov.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s NCProv.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s ndisimplatcim.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s NetAdapterCim.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s netdacim.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s NetEventPacketCapture.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s netnccim.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s NetPeerDistCim.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s netswitchteamcim.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s NetTCPIP.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s netttcim.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s nlmcim.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s ntevt.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s PolicMan.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s PrintManagementProvider.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s qoswmi.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s RacWmiProv.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s repdrvfs.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s schedprov.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s ServDeps.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s SMTPCons.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s stdprov.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s vdswmi.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s viewprov.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s vpnclientpsprovider.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s vsswmi.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wbemcntl.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wbemcons.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wbemcore.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wbemdisp.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wbemess.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wbemprox.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wbemsvc.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WdacWmiProv.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wfascim.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s Win32_EncryptableVolume.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s Win32_Tpm.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WinMgmtR.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WmiApRes.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WmiApRpl.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WMICOOKR.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WmiDcPrv.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wmipcima.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wmipdfs.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wmipdskq.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WmiPerfClass.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WmiPerfInst.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WMIPICMP.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WMIPIPRT.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WMIPJOBJ.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wmiprov.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WmiPrvSD.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WMIPSESS.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WMIsvc.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wmitimep.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wmiutils.dll
C:\Windows\System32\wbem\WmiPrvSE.exe
wmiprvse /regserver
C:\Windows\System32\wbem\WinMgmt.exe
winmgmt /regserver
C:\Windows\system32\sc.exe
sc config winmgmt start= auto
C:\Windows\system32\net.exe
net start winmgmt
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /s /b *.mof *.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\aeinv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AgentWmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AgentWmiUninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\appbackgroundtask.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\appbackgroundtask_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AuditRsop.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\authfwcfg.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\bcd.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\BthMtpEnum.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\cimdmtf.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\cimwin32.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\CIWmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\classlog.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\cli.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\cliegaliases.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ddp.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\dimsjob.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\dimsroam.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv1.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv1_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\dnsclientcim.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\dnsclientpsprovider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\dnsclientpsprovider_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\drvinst.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\DscCore.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\DscCoreConfProv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\dscproxy.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\DscTimer.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\dsprov.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\eaimeapi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\embeddedlockdownwmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\embeddedlockdownwmi_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\EventTracingManagement.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\fdPHost.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\fdrespub.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\fdSSDP.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\fdWNet.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\fdWSD.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\filetrace.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\firewallapi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\FolderRedirectionWMIProvider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\FunDisc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\fwcfg.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\hbaapi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\hnetcfg.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\IMAPIv2-Base.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\IMAPIv2-FileSystemSupport.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\IMAPIv2-LegacyShim.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\interop.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\IpmiDTrc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ipmiprv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\IpmiPTrc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ipsecsvc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\iscsidsc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\iscsihba.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\iscsiprf.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\iscsirem.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\iscsiwmiv2.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\iscsiwmiv2_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\kerberos.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\krnlprov.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\L2SecHC.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\lltdio.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\lltdsvc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\lsasrv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mblctr.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\MDMAppProv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\MDMAppProv_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\MDMSettingsProv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\MDMSettingsProv_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Microsoft-Windows-OfflineFiles.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Microsoft-Windows-Remote-FileSystem.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Microsoft.Uev.ManagedAgentWmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Microsoft.Uev.ManagedAgentWmiUninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mispace.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mispace_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mmc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mountmgr.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mpeval.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mpsdrv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mpssvc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\MsDtcWmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\msfeeds.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\msfeedsbs.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\msi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\msiscsi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\MsNetImPlatform.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mstsc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mstscax.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\msv1_0.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mswmdm.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ncprov.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ncsi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ndistrace.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetAdapterCim.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetAdapterCimTrace.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetAdapterCimTraceUninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetAdapterCim_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\netdacim.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\netdacim_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetEventPacketCapture.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetEventPacketCapture_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\netnccim.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\netnccim_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetPeerDistCim.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetPeerDistCim_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\netprofm.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetSwitchTeam.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetTCPIP.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetTCPIP_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\netttcim.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\netttcim_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\networkitemfactory.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\newdev.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\nlasvc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\nlmcim.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\nlmcim_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\nlsvc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\npivwmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\nshipsec.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ntevt.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ntfs.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\OfflineFilesConfigurationWmiProvider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\OfflineFilesConfigurationWmiProvider_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\OfflineFilesWmiProvider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\OfflineFilesWmiProvider_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\p2p-mesh.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\p2p-pnrp.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\pcsvDevice.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\pcsvDevice_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\PNPXAssoc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\PolicMan.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\polproc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\polprocl.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\polprou.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\polstore.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\portabledeviceapi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\portabledeviceclassextension.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\portabledeviceconnectapi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\portabledevicetypes.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\portabledevicewiacompat.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\powermeterprovider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\PowerPolicyProvider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ppcRsopCompSchema.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ppcRsopUserSchema.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\PrintFilterPipelineSvc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\PrintManagementProvider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\profileassociationprovider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\PS_MMAgent.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\qmgr.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\qoswmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\qoswmitrc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\qoswmitrc_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\qoswmi_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\RacWmiProv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\rdpendp.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\rdpinit.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\rdpshell.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\refs.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\refsv1.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\regevent.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Remove.Microsoft.AppV.AppvClientWmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\rsop.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\rspndr.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\samsrv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\scersop.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\schannel.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\SchedProv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\scm.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\scrcons.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\sdbus.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\secrcw32.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\SensorsClassExtension.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ServiceModel.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ServiceModel35.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\services.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\setupapi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\SmbWitnessWmiv2Provider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\smbwmiv2.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\smtpcons.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\sppwmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\sr.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\sstpsvc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\storagewmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\storagewmi_passthru.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\storagewmi_passthru_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\storagewmi_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\stortrace.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\subscrpt.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\system.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\tcpip.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\tsallow.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\tscfgwmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\tsmf.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\tspkg.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\umb.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\umbus.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\umpass.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\umpnpmgr.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\UserProfileConfigurationWmiProvider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\UserProfileWmiProvider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\UserStateWMIProvider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\vds.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\vpnclientpsprovider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\vpnclientpsprovider_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\vss.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WBEMCons.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wcncsvc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WdacEtwProv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WdacWmiProv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WdacWmiProv_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Wdf01000.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Wdf01000Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wdigest.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WFAPIGP.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wfascim.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wfascim_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WFP.MOF
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wfs.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\whqlprov.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Win32_DeviceGuard.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\win32_encryptablevolume.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Win32_EncryptableVolumeUninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\win32_printer.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Win32_Tpm.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wininit.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\winipsec.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\winlogon.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Winsat.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WinsatUninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wlan.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WLanHC.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wmipcima.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wmipdfs.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wmipdskq.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WmiPerfClass.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WmiPerfInst.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wmipicmp.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wmipiprt.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wmipjobj.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wmipsess.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wmitimep.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WMI_Tracing.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wmp.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wmpnetwk.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wpdbusenum.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wpdcomp.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wpdfs.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wpdmtp.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wpdshext.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WPDShServiceObj.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wpdsp.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wpd_ci.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WsmAgent.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WsmAgentUninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WsmAuto.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wsp_fs.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wsp_fs_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wsp_health.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wsp_health_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wsp_sr.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wsp_sr_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WUDFx.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Wudfx02000.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Wudfx02000Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WUDFxUninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\xwizards.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\C599AFA5A6F053BAD70179501868318E.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\aeinv.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\appbackgroundtask.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\appbackgroundtask_uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\cimdmtf.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\cimwin32.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\CIWmi.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\cli.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\cliegaliases.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\ddp.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\dnsclientcim.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\dnsclientpsprovider.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\dnsclientpsprovider_uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\DscCore.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\DscCoreConfProv.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\DscProxy.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\DscTimer.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\dsprov.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\embeddedlockdownwmi.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\embeddedlockdownwmi_Uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\EventTracingManagement.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\filetrace.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\FolderRedirectionWMIProvider.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\hbaapi.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\interop.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\ipmiprv.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\iscsidsc.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\iscsiprf.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\iscsiwmiv2.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\iscsiwmiv2_uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\krnlprov.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\l2gpstore.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\MDMAppProv.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\MDMAppProv_Uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\MDMSettingsProv.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\MDMSettingsProv_Uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\Microsoft-Windows-OfflineFiles.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\mispace.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\mispace_uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\mpeval.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\MsDtcWmi.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\msfeeds.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\msfeedsbs.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\msi.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\MsNetImPlatform.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\mstsc.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\mstscax.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\ncprov.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\NetAdapterCim.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\NetAdapterCimTrace.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\NetAdapterCimTraceUninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\NetAdapterCim_uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\netdacim.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\netdacim_uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\NetEventPacketCapture.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\NetEventPacketCapture_Uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\netnccim.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\netnccim_uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\NetPeerDistCim.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\NetPeerDistCim_uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\NetSwitchTeam.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\NetTCPIP.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\NetTCPIP_uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\netttcim.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\netttcim_uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\nlmcim.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\nlmcim_uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\npivwmi.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\ntevt.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\OfflineFilesConfigurationWmiProvider.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\OfflineFilesConfigurationWmiProvider_Uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\OfflineFilesWmiProvider.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\OfflineFilesWmiProvider_Uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\p2p-mesh.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\p2p-pnrp.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\pcsvDevice.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\pcsvDevice_Uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\PolicMan.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\polproc.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\polprocl.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\polprou.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\powermeterprovider.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\PowerPolicyProvider.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\PrintManagementProvider.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\profileassociationprovider.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\PS_MMAgent.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\qoswmi.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\qoswmitrc.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\qoswmitrc_uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\qoswmi_uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\RacWmiProv.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\rdpinit.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\rdpshell.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\regevent.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\rsop.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\schedprov.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\ScrCons.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\secrcw32.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\SmbWitnessWmiv2Provider.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\smbwmiv2.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\smtpcons.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\sppwmi.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\sr.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\storagewmi.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\storagewmi_passthru.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\storagewmi_passthru_uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\storagewmi_uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\subscrpt.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\system.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\tsallow.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\tscfgwmi.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\UserProfileConfigurationWmiProvider.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\UserProfileWmiProvider.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\UserStateWMIProvider.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\vds.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\vpnclientpsprovider.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\vpnclientpsprovider_uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\vss.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\WbemCons.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wcncsvc.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\WdacWmiProv.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\WdacWmiProv_Uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wfascim.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wfascim_uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wfs.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\whqlprov.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\Win32_DeviceGuard.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\win32_printer.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wininit.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\winlogon.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wmi.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wmipcima.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wmipdfs.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wmipdskq.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wmipicmp.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wmipiprt.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wmipjobj.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wmipsess.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wmitimep.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wmpnetwk.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wsp_fs.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wsp_fs_uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wsp_health.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wsp_health_uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wsp_sr.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wsp_sr_uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\WUDFx.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\WUDFx02000.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\xwizards.mfl
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping_EAC.exe: B1 8A B0 E9 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\EasyAntiCheat\EasyAntiCheat_Setup.exe: 73 D5 4B 11 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping.exe: E7 CB 84 E9 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"
C:\Windows\system32\reg.exe
reg delete "HKU\.Dreg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Description: "Provides integrated security and services for online multiplayer games."" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat\GamesInstalled: "217;"" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Type: 0x00000010" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Start: 0x00000003" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\WOW64: 0x0000014C" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Type: 0x00000010" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Start: 0x00000003" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\WOW64: 0x0000014C" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ObjectName: "LocalSystem"" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Description: "Provides integrated security and services for online multiplayer games. /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d r3176 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d r26983 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {be5254} /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {fefefee196-5993-5327-7755} /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {fefefe27578-14581-5919-14270} /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d r15993 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d r25269 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d r13870 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {randomd32490-4140-15156-31269} /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {BE10211} /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {7916-14649-11141-4787} /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {24036-2389-29292-32151} /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 11954 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 29112 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 31508 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 10092-18961-10312-17308 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 30308 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {7093-20213-30475-30461} /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 5495-2630-31122-18228 /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f
C:\Windows\system32\reg.exe
REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v InstallDate /t REG_SZ /d 15794 /f
C:\Windows\system32\reg.exe
REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v ProductId /t REG_SZ /d 26168 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\System\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 2577 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\System\CurrentControlSet\Control\WMI\Security /v 671a8285-4edb-4cae-99fe-69a15c48c0bc /t REG_SZ /d 16885 /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d TS-eac31981 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d TS-32073 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {eac7389} /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {TS-32471-28346-5584-21441} /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {TS-31238-14813-10639-14146} /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d TS-30848 /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 13233 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 2955 /f
C:\Windows\system32\reg.exe
reg delete"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WMI\Security\" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSVendor /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSReleaseDate /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemProductName /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemManufacturer /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
Network
| Country | Destination | Domain | Proto |
| US | 52.111.227.13:443 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Windows\System32\wbem\Performance\WmiApRpl.h
C:\Windows\System32\wbem\Performance\WmiApRpl.ini
C:\Windows\System32\perfh009.dat
C:\Windows\System32\perfc009.dat
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-20 12:35
Reported
2024-06-20 13:06
Platform
win11-20240508-en
Max time kernel
1759s
Max time network
1771s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\spoofers\gsoftgmx64.sys
C:\Users\Admin\AppData\Local\Temp\spoofers\gsoftgmx64.sys
C:\Users\Admin\AppData\Local\Temp\spoofers\gsoftgmx64.sys
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/2028-0-0x0000000000010000-0x0000000000017000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 12:35
Reported
2024-06-20 13:06
Platform
win11-20240508-en
Max time kernel
1792s
Max time network
1776s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe
"C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Battle.net.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/1056-0-0x00007FF6AB0E0000-0x00007FF6ABA82000-memory.dmp
memory/1056-1-0x00007FFF6B487000-0x00007FFF6B489000-memory.dmp
memory/1056-3-0x00007FF6AB0E0000-0x00007FF6ABA82000-memory.dmp
memory/1056-2-0x00007FF6AB0E0000-0x00007FF6ABA82000-memory.dmp
memory/1056-4-0x00007FF6AB0E0000-0x00007FF6ABA82000-memory.dmp
memory/1056-5-0x00007FF6AB0E0000-0x00007FF6ABA82000-memory.dmp
memory/1056-6-0x00007FF6AB0E0000-0x00007FF6ABA82000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-20 12:35
Reported
2024-06-20 13:06
Platform
win11-20240508-en
Max time kernel
1776s
Max time network
1786s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.exe
"C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-20 12:35
Reported
2024-06-20 13:06
Platform
win11-20240611-en
Max time kernel
1385s
Max time network
1178s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe
"C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe"
Network
| Country | Destination | Domain | Proto |
| AU | 40.79.173.41:443 | | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-20 12:35
Reported
2024-06-20 13:05
Platform
win11-20240611-en
Max time kernel
1486s
Max time network
1510s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.sys
C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.sys
C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.sys
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 63.141.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-20 12:35
Reported
2024-06-20 13:05
Platform
win11-20240611-en
Max time kernel
1487s
Max time network
1492s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\spoofers\serial_checker.bat"
C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get model, serialnumber
C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get serialnumber
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get serialnumber
C:\Windows\System32\Wbem\WMIC.exe
wmic baseboard get serialnumber
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_computersystemproduct get uuid
C:\Windows\system32\getmac.exe
getmac
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |