Malware Analysis Report

2024-09-22 13:28

Sample ID 240620-psqgjs1hrm
Target cleaners.zip
SHA256 4ee85019c1ae4d1abf8ea1908f635339d0a4af88ba185dc30e1104e68c7c902e
Tags
evasion execution persistence privilege_escalation themida trojan
score
10/10

Analysis Overview

score
10/10

SHA256

4ee85019c1ae4d1abf8ea1908f635339d0a4af88ba185dc30e1104e68c7c902e

Threat Level: Known bad

The file cleaners.zip was found to be: Known bad.

Malicious Activity Summary

evasion execution persistence privilege_escalation themida trojan

Disables service(s)

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Stops running service(s)

Server Software Component: Terminal Services DLL

Themida packer

Event Triggered Execution: Component Object Model Hijacking

Checks BIOS information in registry

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Unsigned PE

Kills process with taskkill

Runs net.exe

Modifies registry key

Modifies registry class

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

Checks processor information in registry

Uses Volume Shadow Copy WMI provider

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-20 12:35

Signatures

Themida packer

themida

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 12:35

Reported

2024-06-20 13:05

Platform

win11-20240508-en

Max time kernel

1778s

Max time network

1787s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Spoofer.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Spoofer.exe

"C:\Users\Admin\AppData\Local\Temp\Spoofer.exe"

Network

Country Destination Domain Proto
US 52.111.229.19:443 tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-20 12:35

Reported

2024-06-20 13:05

Platform

win11-20240611-en

Max time kernel

1778s

Max time network

1508s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cleaners\cleaner.bat"

Signatures

Disables service(s)

evasion execution

Server Software Component: Terminal Services DLL

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Winmgmt\Parameters\ServiceDll = "%SystemRoot%\\system32\\wbem\\WMIsvc.dll" C:\Windows\system32\regsvr32.exe N/A

Stops running service(s)

evasion execution

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Drops file in System32 directory

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\inf\WmiApRpl\WmiApRpl.h C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Windows\inf\WmiApRpl\WmiApRpl.h C:\Windows\system32\regsvr32.exe N/A
File created C:\Windows\inf\WmiApRpl\WmiApRpl.ini C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Windows\inf\WmiApRpl\WmiApRpl.ini C:\Windows\system32\regsvr32.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\reg.exe N/A
Delete value \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\reg.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Delete value \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\reg.exe N/A
Delete value \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\reg.exe N/A
Delete value \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\reg.exe N/A
Delete value \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\reg.exe N/A

Modifies registry class

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\mofcomp.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy WMI provider

ransomware

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cleaners\cleaner.bat"

C:\Windows\system32\cacls.exe

"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"

C:\Windows\system32\taskkill.exe

taskkill /f /im epicgameslauncher.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping_BE.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteLauncher.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im OneDrive.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im EpicGamesLauncher.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im UnrealCEFSubProcess.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im CEFProcess.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im EasyAntiCheat.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im BEService.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im BEServices.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im BattleEye.exe

C:\Windows\system32\sc.exe

Sc stop EasyAntiCheat

C:\Windows\system32\sc.exe

Sc stop FortniteClient-Win64-Shipping_EAC

C:\Windows\system32\sc.exe

Sc stop BattleEye

C:\Windows\system32\sc.exe

Sc stop FortniteClient-Win64-Shipping_BE

C:\Windows\system32\sc.exe

sc config winmgmt start= disabled

C:\Windows\system32\net.exe

net stop winmgmt /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop winmgmt /y

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir /b *.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s appbackgroundtask.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s cimwin32.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s DMWmiBridgeProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s DMWmiBridgeProv1.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s dnsclientcim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s dnsclientpsprovider.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s Dscpspluginwkr.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s dsprov.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s EmbeddedLockdownWmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s esscli.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s EventTracingManagement.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s fastprox.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s ipmiprr.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s ipmiprv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s KrnlProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s MDMAppProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s MDMSettingsProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s Microsoft.AppV.AppVClientWmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s Microsoft.Uev.AgentWmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s MMFUtil.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s mofd.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s mofinstall.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s msdtcwmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s msiprov.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s NCProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s ndisimplatcim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s NetAdapterCim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s netdacim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s NetEventPacketCapture.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s netnccim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s NetPeerDistCim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s netswitchteamcim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s NetTCPIP.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s netttcim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s nlmcim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s ntevt.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s PolicMan.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s PrintManagementProvider.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s qoswmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s RacWmiProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s repdrvfs.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s schedprov.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s ServDeps.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s SMTPCons.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s stdprov.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s vdswmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s viewprov.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s vpnclientpsprovider.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s vsswmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemcntl.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemcons.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemcore.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemdisp.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemess.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemprox.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemsvc.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WdacWmiProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wfascim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s Win32_EncryptableVolume.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s Win32_Tpm.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WinMgmtR.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WmiApRes.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WmiApRpl.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WMICOOKR.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WmiDcPrv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wmipcima.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wmipdfs.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wmipdskq.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WmiPerfClass.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WmiPerfInst.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WMIPICMP.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WMIPIPRT.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WMIPJOBJ.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wmiprov.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WmiPrvSD.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WMIPSESS.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WMIsvc.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wmitimep.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wmiutils.dll

C:\Windows\System32\wbem\WmiPrvSE.exe

wmiprvse /regserver

C:\Windows\System32\wbem\WinMgmt.exe

winmgmt /regserver

C:\Windows\system32\sc.exe

sc config winmgmt start= auto

C:\Windows\system32\net.exe

net start winmgmt

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir /s /b *.mof *.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\aeinv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AgentWmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AgentWmiUninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\appbackgroundtask.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\appbackgroundtask_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AuditRsop.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\authfwcfg.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\bcd.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\BthMtpEnum.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\cimdmtf.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\cimwin32.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\CIWmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\classlog.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\cli.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\cliegaliases.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ddp.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\dimsjob.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\dimsroam.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv1.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv1_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\dnsclientcim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\dnsclientpsprovider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\dnsclientpsprovider_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\drvinst.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\DscCore.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\DscCoreConfProv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\dscproxy.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\DscTimer.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\dsprov.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\eaimeapi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\embeddedlockdownwmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\embeddedlockdownwmi_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\EventTracingManagement.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\fdPHost.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\fdrespub.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\fdSSDP.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\fdWNet.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\fdWSD.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\filetrace.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\firewallapi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\FolderRedirectionWMIProvider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\FunDisc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\fwcfg.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\hbaapi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\hnetcfg.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\IMAPIv2-Base.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\IMAPIv2-FileSystemSupport.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\IMAPIv2-LegacyShim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\interop.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\IpmiDTrc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ipmiprv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\IpmiPTrc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ipsecsvc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\iscsidsc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\iscsihba.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\iscsiprf.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\iscsirem.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\iscsiwmiv2.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\iscsiwmiv2_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\kerberos.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\krnlprov.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\L2SecHC.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\lltdio.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\lltdsvc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\lsasrv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mblctr.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\MDMAppProv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\MDMAppProv_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\MDMSettingsProv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\MDMSettingsProv_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Microsoft-Windows-OfflineFiles.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Microsoft-Windows-Remote-FileSystem.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Microsoft.Uev.ManagedAgentWmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Microsoft.Uev.ManagedAgentWmiUninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mispace.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mispace_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mmc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mountmgr.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mpeval.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mpsdrv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mpssvc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\MsDtcWmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\msfeeds.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\msfeedsbs.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\msi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\msiscsi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\MsNetImPlatform.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mstsc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mstscax.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\msv1_0.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mswmdm.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ncprov.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ncsi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ndistrace.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetAdapterCim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetAdapterCimTrace.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetAdapterCimTraceUninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetAdapterCim_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\netdacim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\netdacim_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetEventPacketCapture.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetEventPacketCapture_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\netnccim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\netnccim_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetPeerDistCim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetPeerDistCim_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\netprofm.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetSwitchTeam.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetTCPIP.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetTCPIP_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\netttcim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\netttcim_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\networkitemfactory.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\newdev.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\nlasvc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\nlmcim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\nlmcim_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\nlsvc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\npivwmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\nshipsec.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ntevt.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ntfs.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\OfflineFilesConfigurationWmiProvider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\OfflineFilesConfigurationWmiProvider_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\OfflineFilesWmiProvider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\OfflineFilesWmiProvider_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\p2p-mesh.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\p2p-pnrp.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\pcsvDevice.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\pcsvDevice_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\PNPXAssoc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\PolicMan.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\polproc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\polprocl.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\polprou.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\polstore.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\portabledeviceapi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\portabledeviceclassextension.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\portabledeviceconnectapi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\portabledevicetypes.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\portabledevicewiacompat.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\powermeterprovider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\PowerPolicyProvider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ppcRsopCompSchema.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ppcRsopUserSchema.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\PrintFilterPipelineSvc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\PrintManagementProvider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\profileassociationprovider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\PS_MMAgent.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\qmgr.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\qoswmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\qoswmitrc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\qoswmitrc_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\qoswmi_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\RacWmiProv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\rdpendp.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\rdpinit.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\rdpshell.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\refs.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\refsv1.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\regevent.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Remove.Microsoft.AppV.AppvClientWmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\rsop.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\rspndr.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\samsrv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\scersop.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\schannel.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\SchedProv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\scm.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\scrcons.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\sdbus.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\secrcw32.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\SensorsClassExtension.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ServiceModel.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ServiceModel35.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\services.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\setupapi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\SmbWitnessWmiv2Provider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\smbwmiv2.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\smtpcons.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\sppwmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\sr.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\sstpsvc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\storagewmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\storagewmi_passthru.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\storagewmi_passthru_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\storagewmi_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\stortrace.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\subscrpt.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\system.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\tcpip.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\tsallow.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\tscfgwmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\tsmf.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\tspkg.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\umb.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\umbus.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\umpass.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\umpnpmgr.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\UserProfileConfigurationWmiProvider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\UserProfileWmiProvider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\UserStateWMIProvider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\vds.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\vpnclientpsprovider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\vpnclientpsprovider_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\vss.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WBEMCons.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wcncsvc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WdacEtwProv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WdacWmiProv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WdacWmiProv_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Wdf01000.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Wdf01000Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wdigest.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WFAPIGP.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wfascim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wfascim_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WFP.MOF

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wfs.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\whqlprov.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Win32_DeviceGuard.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\win32_encryptablevolume.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Win32_EncryptableVolumeUninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\win32_printer.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Win32_Tpm.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wininit.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\winipsec.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\winlogon.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Winsat.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WinsatUninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wlan.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WLanHC.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmipcima.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmipdfs.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmipdskq.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WmiPerfClass.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WmiPerfInst.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmipicmp.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmipiprt.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmipjobj.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmipsess.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmitimep.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WMI_Tracing.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmp.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmpnetwk.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wpdbusenum.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wpdcomp.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wpdfs.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wpdmtp.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wpdshext.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WPDShServiceObj.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wpdsp.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wpd_ci.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WsmAgent.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WsmAgentUninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WsmAuto.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wsp_fs.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wsp_fs_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wsp_health.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wsp_health_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wsp_sr.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wsp_sr_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WUDFx.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Wudfx02000.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Wudfx02000Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WUDFxUninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\xwizards.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\C599AFA5A6F053BAD70179501868318E.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\aeinv.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\appbackgroundtask.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\appbackgroundtask_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\cimdmtf.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\cimwin32.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\CIWmi.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\cli.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\cliegaliases.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\ddp.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\dnsclientcim.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\dnsclientpsprovider.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\dnsclientpsprovider_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\DscCore.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\DscCoreConfProv.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\DscProxy.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\DscTimer.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\dsprov.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\embeddedlockdownwmi.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\embeddedlockdownwmi_Uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\EventTracingManagement.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\filetrace.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\FolderRedirectionWMIProvider.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\hbaapi.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\interop.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\ipmiprv.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\iscsidsc.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\iscsiprf.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\iscsiwmiv2.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\iscsiwmiv2_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\krnlprov.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\l2gpstore.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\MDMAppProv.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\MDMAppProv_Uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\MDMSettingsProv.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\MDMSettingsProv_Uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\Microsoft-Windows-OfflineFiles.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\mispace.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\mispace_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\mpeval.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\MsDtcWmi.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\msfeeds.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\msfeedsbs.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\msi.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\MsNetImPlatform.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\mstsc.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\mstscax.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\ncprov.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\NetAdapterCim.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\NetAdapterCimTrace.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\NetAdapterCimTraceUninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\NetAdapterCim_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\netdacim.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\netdacim_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\NetEventPacketCapture.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\NetEventPacketCapture_Uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\netnccim.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\netnccim_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\NetPeerDistCim.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\NetPeerDistCim_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\NetSwitchTeam.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\NetTCPIP.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\NetTCPIP_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\netttcim.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\netttcim_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\nlmcim.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\nlmcim_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\npivwmi.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\ntevt.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\OfflineFilesConfigurationWmiProvider.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\OfflineFilesConfigurationWmiProvider_Uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\OfflineFilesWmiProvider.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\OfflineFilesWmiProvider_Uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\p2p-mesh.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\p2p-pnrp.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\pcsvDevice.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\pcsvDevice_Uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\PolicMan.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\polproc.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\polprocl.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\polprou.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\powermeterprovider.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\PowerPolicyProvider.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\PrintManagementProvider.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\profileassociationprovider.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\PS_MMAgent.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\qoswmi.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\qoswmitrc.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\qoswmitrc_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\qoswmi_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\RacWmiProv.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\rdpinit.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\rdpshell.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\regevent.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\rsop.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\schedprov.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\ScrCons.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\secrcw32.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\SmbWitnessWmiv2Provider.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\smbwmiv2.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\smtpcons.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\sppwmi.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\sr.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\storagewmi.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\storagewmi_passthru.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\storagewmi_passthru_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\storagewmi_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\subscrpt.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\system.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\tsallow.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\tscfgwmi.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\UserProfileConfigurationWmiProvider.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\UserProfileWmiProvider.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\UserStateWMIProvider.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\vds.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\vpnclientpsprovider.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\vpnclientpsprovider_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\vss.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\WbemCons.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wcncsvc.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\WdacWmiProv.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\WdacWmiProv_Uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wfascim.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wfascim_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wfs.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\whqlprov.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\Win32_DeviceGuard.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\win32_printer.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wininit.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\winlogon.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wmi.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wmipcima.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wmipdfs.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wmipdskq.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wmipicmp.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wmipiprt.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wmipjobj.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wmipsess.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wmitimep.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wmpnetwk.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wsp_fs.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wsp_fs_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wsp_health.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wsp_health_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wsp_sr.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wsp_sr_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\WUDFx.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\WUDFx02000.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\xwizards.mfl

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping_EAC.exe: B1 8A B0 E9 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\EasyAntiCheat\EasyAntiCheat_Setup.exe: 73 D5 4B 11 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping.exe: E7 CB 84 E9 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"

C:\Windows\system32\reg.exe

reg delete "HKU\.Dreg delete "HKEY_CURRENT_USER\Software\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Description: "Provides integrated security and services for online multiplayer games."" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat\GamesInstalled: "217;"" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Type: 0x00000010" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Start: 0x00000003" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\WOW64: 0x0000014C" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Type: 0x00000010" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Start: 0x00000003" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\WOW64: 0x0000014C" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ObjectName: "LocalSystem"" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Description: "Provides integrated security and services for online multiplayer games. /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d r3176 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d r26983 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {be5254} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {fefefee196-5993-5327-7755} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {fefefe27578-14581-5919-14270} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d r15993 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d r25269 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d r13870 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {randomd32490-4140-15156-31269} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {BE10211} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {7916-14649-11141-4787} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {24036-2389-29292-32151} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 11954 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 29112 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 31508 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 10092-18961-10312-17308 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 30308 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {7093-20213-30475-30461} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 5495-2630-31122-18228 /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f

C:\Windows\system32\reg.exe

REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v InstallDate /t REG_SZ /d 15794 /f

C:\Windows\system32\reg.exe

REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v ProductId /t REG_SZ /d 26168 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\System\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 2577 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\System\CurrentControlSet\Control\WMI\Security /v 671a8285-4edb-4cae-99fe-69a15c48c0bc /t REG_SZ /d 16885 /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d TS-eac31981 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d TS-32073 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {eac7389} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {TS-32471-28346-5584-21441} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {TS-31238-14813-10639-14146} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d TS-30848 /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 13233 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 2955 /f

C:\Windows\system32\reg.exe

reg delete"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WMI\Security\" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSVendor /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSReleaseDate /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemProductName /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemManufacturer /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

Network

Country Destination Domain Proto
US 52.111.227.13:443 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\Windows\System32\wbem\Performance\WmiApRpl.h

MD5 1cc4c3b9bb1657be77939f0b565e315d
SHA1 6a7ff123e96da6f7fb0fd9b7d7600bfc3540ee25
SHA256 9eb3cbb0f65809845890159efdab0ff5a910da34252e7d5cff2929cc2fa6ab6a
SHA512 fd461013902cf1f89485efc1cbdd07bc294253a1b60d9950e27cdb12937cbb39e3491ddb5dfdc4386df87fa44ee4ca9b3be01d7048850337ff9d68156eea78ef

C:\Windows\System32\wbem\Performance\WmiApRpl.ini

MD5 a656a56b1fda4aa28383160ba6ebea3b
SHA1 bda09bb6f5f28f5470147113e93d46a02853dfe1
SHA256 639cf8acd1fe25a19b9841c9262b4227fcc33bb6658919d31b10ab849253b318
SHA512 fbc74c738bbebb6265688ebec7a6bce18f5a59e98a5417701e5565d5c6e1f8c350da000005fc7441f8a4622043d4a8fd62efe54308cfa59f4ce9ed027dadebae

C:\Windows\System32\perfh009.dat

MD5 efeeda97e31eb12669293d78feaff451
SHA1 f3680730a9ed165f49be4a2b1be8477196f15afb
SHA256 a0ae9b96680526dd73b3469504eaeb3882c655e3f4557b9e120de1ddd8edb834
SHA512 452da0e9a2c17de87d5a0db150acf299310d684c50c4f16daa5f1c298267d76d990000a0bf4e5ffb2afe5769e74bfcdf351e8d68b933a432a9130cdcdd81f1b2

C:\Windows\System32\perfc009.dat

MD5 a9ae270f03cd818fc5ccb1fc114ed0f8
SHA1 57cfce4c18c0163fd41652ab89e4c51649eee492
SHA256 c08bb34abb284c2fb15d4372c2c3c2387f71ebeb920be89c9079e96c7a4ca3ec
SHA512 5fa35050038e187b0be9547ff86e49aa5272a273eefb83472758da5b818e4e86eba254422b4524fb7a4bd66bd5c3ae210162cab1247b601ea1a3fc6454703ef0

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-20 12:35

Reported

2024-06-20 13:06

Platform

win11-20240508-en

Max time kernel

1759s

Max time network

1771s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\spoofers\gsoftgmx64.sys

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\spoofers\gsoftgmx64.sys

C:\Users\Admin\AppData\Local\Temp\spoofers\gsoftgmx64.sys

C:\Users\Admin\AppData\Local\Temp\spoofers\gsoftgmx64.sys

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/2028-0-0x0000000000010000-0x0000000000017000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 12:35

Reported

2024-06-20 13:06

Platform

win11-20240508-en

Max time kernel

1792s

Max time network

1776s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe

"C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im EpicGamesLauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Battle.net.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/1056-0-0x00007FF6AB0E0000-0x00007FF6ABA82000-memory.dmp

memory/1056-1-0x00007FFF6B487000-0x00007FFF6B489000-memory.dmp

memory/1056-3-0x00007FF6AB0E0000-0x00007FF6ABA82000-memory.dmp

memory/1056-2-0x00007FF6AB0E0000-0x00007FF6ABA82000-memory.dmp

memory/1056-4-0x00007FF6AB0E0000-0x00007FF6ABA82000-memory.dmp

memory/1056-5-0x00007FF6AB0E0000-0x00007FF6ABA82000-memory.dmp

memory/1056-6-0x00007FF6AB0E0000-0x00007FF6ABA82000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-20 12:35

Reported

2024-06-20 13:06

Platform

win11-20240508-en

Max time kernel

1776s

Max time network

1786s

Command Line

"C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.exe"

Signatures

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.exe

"C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-20 12:35

Reported

2024-06-20 13:06

Platform

win11-20240611-en

Max time kernel

1385s

Max time network

1178s

Command Line

"C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe"

Signatures

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe

"C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe"

Network

Country Destination Domain Proto
AU 40.79.173.41:443 tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-20 12:35

Reported

2024-06-20 13:05

Platform

win11-20240611-en

Max time kernel

1486s

Max time network

1510s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.sys

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.sys

C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.sys

C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.sys

Network

Country Destination Domain Proto
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-20 12:35

Reported

2024-06-20 13:05

Platform

win11-20240611-en

Max time kernel

1487s

Max time network

1492s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\spoofers\serial_checker.bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\spoofers\serial_checker.bat"

C:\Windows\System32\Wbem\WMIC.exe

wmic diskdrive get model, serialnumber

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get serialnumber

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get serialnumber

C:\Windows\System32\Wbem\WMIC.exe

wmic baseboard get serialnumber

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_computersystemproduct get uuid

C:\Windows\system32\getmac.exe

getmac

Network

Country Destination Domain Proto
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A