4ee85019c1ae4d1abf8ea1908f635339d0a4af88ba185dc30e1104e68c7c902e

Resubmissions

10-07-2024 02:30

240710-czl2gstcke 10

20-06-2024 12:39

20-06-2024 12:36

20-06-2024 12:35

20-06-2024 12:33

Analysis

max time kernel
50s
max time network
70s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
20-06-2024 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cleaners/cleaner.bat
Size

3.2MB
MD5

0bef79984a785d284e225d3576239802
SHA1

0a759883c5cd8822f269eca241c4dc8c43d86220
SHA256

33da2dd5c5ef66be92bc9024f58e5b967746ff2f4b693efe68e98df7da6d4c80
SHA512

d5d5aa1e7b3a46af0fd2f94eb5c45c451d3dd3a99debfba1fcda4f704dd3bb54d15fe7d4cda84fa5ca049a81115de73a583aa32da35db862ff6f00799f7700ad
SSDEEP

49152:ZTOB4ynYygOvXsMruROZyUpWvWOLZkOReK:1

Score

10^/10

evasion execution persistence privilege_escalation

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Winmgmt\Parameters\ServiceDll = "%SystemRoot%\\system32\\wbem\\WMIsvc.dll"	regsvr32.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\system32\wbem\AutoRecover\35EB6C02B117E434146AA8FBB46726E5.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\DC999686F8B85B326CEDFA199DD07F72.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\EDB67A550428BB2A8DBDA687D67BEDE0.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\AD1621C948A4E41C8ABE8FC09AC11633.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\FEDCF0C5E194376CBD64963452F9A8E1.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\C6300BFE37ADE6B52EC023F66124985F.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\repository	svchost.exe
File created	C:\Windows\system32\wbem\AutoRecover\A4E4450F82FCBDED5A110855857A16B9.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\C8463ECBE33BC240263A0B094E46D510.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\76FC6ECE6E69615238BD782572B6AE9A.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\EDB534A0AD75CF6CD3441C25046B8E9A.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\4DA76711B649774E2516E995C467959F.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\0296C47314AB746EC35476488248FCD9.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\57B0D59999DF0A672E8CDB1626320AC0.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\95045902E6CF7783C629F03A7958F5DC.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\9792C1210EF405B66D63B9792E3E9FB3.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\BBF206490BAA431B592F9A13534F43F6.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\28A02B0A6F3BEA0572B8F35350D88657.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\77AF494807BB41A0B4B67AEEC51F85C6.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\75054C3771DF289038069A9BB1C1FB6E.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.h	regsvr32.exe
File created	C:\Windows\system32\wbem\AutoRecover\D38FFA40EC29A055EB37EBD604093C62.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\88744D2A29102FC88ECF505DD2E984FC.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\3A01647A9113490045B9D4AE10390941.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\2E8F3CA90E51B47160C820C8A9D25C70.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\A070E510DD6FB900742044F2CD306750.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\AD0B790C2468A8DCF73E8E2925527653.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\BE81B2C0741907C1FC1C42B6223E59AD.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\341285245F81AA74FE6654017E06C685.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\repository\OBJECTS.DATA	svchost.exe
File created	C:\Windows\system32\wbem\AutoRecover\D0C5C729E970878A5B11C5AE54A0B179.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\B00FB74CA11300E102C8BD294F6829E0.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\B16B0DDE7AC8EE97D6CF843A06985EFA.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\494C62FAA08CD5217399BAA555FF491B.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\3EDC3F5A95D3A0FDFE1F87C15DC9636A.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\8A5665C9B434838A05B96BF322560FE8.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\D209D533EE8C97B5E2C46D035373F422.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\37134956F76D3C30C9BE0C12571CAF43.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\ADC76C6473F1C3722A0A86C2A9AED340.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\CF51101DC59379E7F60810810207A111.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\F28042F231A5DCF3E9C8B9281BDDB127.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\D80ABEF43AC4A2C62D2B29E15FD0B491.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\DF80FD3849FFF74B4BF43E2EA8ADEC8A.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\A09A7FDBA9278B3329DD4662E80BFE42.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\FFA7CB08C2CC2CB2D3973F6214D0CCAF.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\3DC0BABDCA20E5E319117C21BD4BD795.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING2.MAP	svchost.exe
File created	C:\Windows\system32\wbem\AutoRecover\3BB9AB7BAA63F54A0832A3003DBC2FD0.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\E43B6945ACF1515A895841AF9B9D052D.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\26C097A9392F8C541AD42E89B7909073.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\DB3D8DB0C02C23250753E40A2A69CBE6.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\FB42973CC6B430B383BA62328763E302.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\79A1347BEE2DDBA266DAC7663C7EC688.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\8C226ACD9934CF6AC0A2FED330FF195D.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\21BD8E9B6A3575C7E6CFD05471F4DE86.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\4D63DBC2E2F583689FBD5757DE239E05.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\450512ECD76473C20A379EF7244766DA.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\7D6B7E546103D56B9114BA0B4F5FB99C.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\F0E76792C542307D2F6A5D4DD4C90DB8.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\42C894EEACAD83A4E41154685841B3E1.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\B3D1279CF76B72D4874D43A6EF458EF8.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\80792982BF972E1BFD199DE5636C38C5.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING3.MAP	svchost.exe
File created	C:\Windows\system32\wbem\AutoRecover\72F867EF62976CE9F70993FF3E68A4EB.mof	mofcomp.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	regsvr32.exe
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	regsvr32.exe
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.h	regsvr32.exe
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.h	regsvr32.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4520	sc.exe
4596	sc.exe
8	sc.exe
1936	sc.exe
896	sc.exe
3204	sc.exe

Kills process with taskkill 13 IoCs

evasion

pid	Process
3040	taskkill.exe
4156	taskkill.exe
1372	taskkill.exe
4848	taskkill.exe
2656	taskkill.exe
4264	taskkill.exe
3060	taskkill.exe
2580	taskkill.exe
1420	taskkill.exe
2568	taskkill.exe
1152	taskkill.exe
4272	taskkill.exe
2876	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1EF94880-01A8-11D2-A90B-00AA00BF3363}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WbemScripting.SWbemLocator.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25411283-46FC-4326-8DF2-FF5D34B2DFEF}\ProxyStubClsid32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4950C79-806D-4ECE-9DB1-11B34D33F514}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AA70DDF4-E11C-11D1-ABB0-00C04FD9159E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemLocator\CurVer\ = "WbemScripting.SWbemLocator.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemNamedValueSet.1\ = "WBEM Scripting Named Value Collection 1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{47DFBE54-CF76-11D3-B38F-00105A1F473A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\APPID\{8bc3f05e-d86b-11d0-a075-00c04fb68820}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4950C79-806D-4ECE-9DB1-11B34D33F514}\InprocServer32\ = "C:\\Windows\\System32\\wbem\\Microsoft.Uev.AgentWmi.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7E9D3B9-E62B-4A90-8CC5-A3C5F662DA7B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WbemScripting.SWbemRefresher	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{44ACA675-E8FC-11D0-A07C-00C04FB68820}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCF7A6F2-3300-4386-9A4F-0DD4E3226507}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7016F8FA-CCDA-11D2-B35C-00105A1F8177}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6B100E1A-1385-4D1F-A02E-6E705A76BB6C}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0438D53A-9A57-423C-9E54-9612C4576257}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C19BE34-7500-11D1-AD94-00C04FD8FDFF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JobObjectProv.JobObjectProv\CurVer\ = "JobObjectProv.JobObjectProv.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1108BE51-F58A-4CDA-BB99-7A0227D11D5E}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4950C79-806D-4ECE-9DB1-11B34D33F514}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Clsid\{D215781D-019E-4FA0-903D-0CDCDE13A4F5}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3AE0080A-7E3A-4366-BF89-0FEEDC931659}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F598975-37E0-4A67-A992-116680F0CEDA}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{1EF94880-01A8-11D2-A90B-00AA00BF3363}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FA77A74E-E109-11D0-AD6E-00C04FD8FDFF}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WINMGMTS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemDateTime.1\ = "WBEM Scripting DateTime 1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{04963311-C399-408E-AD51-05D01506EED0}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E246107B-B06E-11D0-AD61-00C04FD8FDFF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9A653086-174F-11D2-B5F9-00104B703EFD}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JobObjLimitInfoProv.JobObjLimitInfoProv.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{443E7B79-DE31-11D2-B340-00104BCC4B4A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{755F9DA7-7508-11D1-AD94-00C04FD8FDFF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{04788120-12C2-498D-83C1-A7D92E677AC6}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9A653086-174F-11D2-B5F9-00104B703EFD}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Krnlprov.KernelTraceProvider\CurVer\ = "Krnlprov.KernelTraceProvider.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60E512D4-C47B-11D2-B338-00105A1F4AAF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{631F7D97-D993-11D2-B339-00105A1F4AAF}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMISnapinAbout.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F0E4EDDE-475A-498A-93D7-D4347F68A8F3}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AB40A5C1-804B-40BD-9DFE-A640691C6956}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AA527A40-4D9A-11D2-93AD-00805F853771}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{5791BC26-CE9C-11D1-97BF-0000F81E849C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31739D04-3471-4CF4-9A7C-57A44AE71956}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B1B55910-8BA0-47A5-A16E-2B733B1D987C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5A55D36-8750-432C-AB52-AD49A016EABC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F598975-37E0-4A67-A992-116680F0CEDA}\NotInsertable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{6E78DAD9-E187-4D6E-BA63-760256D6F405}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EC231970-6AFD-4215-A72E-97242BB08680}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C19BE34-7500-11D1-AD94-00C04FD8FDFF}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JobObjSecLimitInfoProv.JobObjSecLimitInfoProv.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{35B78F79-B973-48C8-A045-CAEC732A35D5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4590F812-1D3A-11D0-891F-00AA004B2E24}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{44ACA675-E8FC-11D0-A07C-00C04FB68820}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C49E32C7-BC8B-11D2-85D4-00105A1F8304}\ProxyStubClsid32	regsvr32.exe

Modifies registry key 1 TTPs 29 IoCs

Modify Registry

T1112

pid	Process
2688	reg.exe
2880	reg.exe
1364	reg.exe
872	reg.exe
4652	reg.exe
3100	reg.exe
4404	reg.exe
2360	reg.exe
4648	reg.exe
1540	reg.exe
2728	reg.exe
4988	reg.exe
3984	reg.exe
4928	reg.exe
1700	reg.exe
1588	reg.exe
2876	reg.exe
3308	reg.exe
1936	reg.exe
412	reg.exe
2284	reg.exe
4868	reg.exe
2060	reg.exe
5052	reg.exe
2468	reg.exe
1464	reg.exe
1932	reg.exe
1580	reg.exe
1836	reg.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4156	taskkill.exe
Token: SeDebugPrivilege	3060	taskkill.exe
Token: SeDebugPrivilege	2580	taskkill.exe
Token: SeDebugPrivilege	1420	taskkill.exe
Token: SeDebugPrivilege	4272	taskkill.exe
Token: SeDebugPrivilege	1372	taskkill.exe
Token: SeDebugPrivilege	4848	taskkill.exe
Token: SeDebugPrivilege	2656	taskkill.exe
Token: SeDebugPrivilege	3040	taskkill.exe
Token: SeDebugPrivilege	2876	taskkill.exe
Token: SeDebugPrivilege	2568	taskkill.exe
Token: SeDebugPrivilege	1152	taskkill.exe
Token: SeDebugPrivilege	4264	taskkill.exe
Token: SeSecurityPrivilege	4452	mofcomp.exe
Token: SeAssignPrimaryTokenPrivilege	3136	svchost.exe
Token: SeIncreaseQuotaPrivilege	3136	svchost.exe
Token: SeSecurityPrivilege	3136	svchost.exe
Token: SeTakeOwnershipPrivilege	3136	svchost.exe
Token: SeLoadDriverPrivilege	3136	svchost.exe
Token: SeSystemtimePrivilege	3136	svchost.exe
Token: SeBackupPrivilege	3136	svchost.exe
Token: SeRestorePrivilege	3136	svchost.exe
Token: SeShutdownPrivilege	3136	svchost.exe
Token: SeSystemEnvironmentPrivilege	3136	svchost.exe
Token: SeUndockPrivilege	3136	svchost.exe
Token: SeManageVolumePrivilege	3136	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	3136	svchost.exe
Token: SeIncreaseQuotaPrivilege	3136	svchost.exe
Token: SeSecurityPrivilege	3136	svchost.exe
Token: SeTakeOwnershipPrivilege	3136	svchost.exe
Token: SeLoadDriverPrivilege	3136	svchost.exe
Token: SeSystemtimePrivilege	3136	svchost.exe
Token: SeBackupPrivilege	3136	svchost.exe
Token: SeRestorePrivilege	3136	svchost.exe
Token: SeShutdownPrivilege	3136	svchost.exe
Token: SeSystemEnvironmentPrivilege	3136	svchost.exe
Token: SeUndockPrivilege	3136	svchost.exe
Token: SeManageVolumePrivilege	3136	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	3136	svchost.exe
Token: SeIncreaseQuotaPrivilege	3136	svchost.exe
Token: SeSecurityPrivilege	3136	svchost.exe
Token: SeTakeOwnershipPrivilege	3136	svchost.exe
Token: SeLoadDriverPrivilege	3136	svchost.exe
Token: SeSystemtimePrivilege	3136	svchost.exe
Token: SeBackupPrivilege	3136	svchost.exe
Token: SeRestorePrivilege	3136	svchost.exe
Token: SeShutdownPrivilege	3136	svchost.exe
Token: SeSystemEnvironmentPrivilege	3136	svchost.exe
Token: SeUndockPrivilege	3136	svchost.exe
Token: SeManageVolumePrivilege	3136	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	3136	svchost.exe
Token: SeIncreaseQuotaPrivilege	3136	svchost.exe
Token: SeSecurityPrivilege	3136	svchost.exe
Token: SeTakeOwnershipPrivilege	3136	svchost.exe
Token: SeLoadDriverPrivilege	3136	svchost.exe
Token: SeSystemtimePrivilege	3136	svchost.exe
Token: SeBackupPrivilege	3136	svchost.exe
Token: SeRestorePrivilege	3136	svchost.exe
Token: SeShutdownPrivilege	3136	svchost.exe
Token: SeSystemEnvironmentPrivilege	3136	svchost.exe
Token: SeUndockPrivilege	3136	svchost.exe
Token: SeManageVolumePrivilege	3136	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	3136	svchost.exe
Token: SeIncreaseQuotaPrivilege	3136	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 4788	1188	cmd.exe	82
PID 1188 wrote to memory of 4788	1188	cmd.exe	82
PID 1188 wrote to memory of 4156	1188	cmd.exe	83
PID 1188 wrote to memory of 4156	1188	cmd.exe	83
PID 1188 wrote to memory of 3060	1188	cmd.exe	85
PID 1188 wrote to memory of 3060	1188	cmd.exe	85
PID 1188 wrote to memory of 2580	1188	cmd.exe	86
PID 1188 wrote to memory of 2580	1188	cmd.exe	86
PID 1188 wrote to memory of 1420	1188	cmd.exe	87
PID 1188 wrote to memory of 1420	1188	cmd.exe	87
PID 1188 wrote to memory of 4272	1188	cmd.exe	88
PID 1188 wrote to memory of 4272	1188	cmd.exe	88
PID 1188 wrote to memory of 1372	1188	cmd.exe	89
PID 1188 wrote to memory of 1372	1188	cmd.exe	89
PID 1188 wrote to memory of 4848	1188	cmd.exe	90
PID 1188 wrote to memory of 4848	1188	cmd.exe	90
PID 1188 wrote to memory of 2656	1188	cmd.exe	91
PID 1188 wrote to memory of 2656	1188	cmd.exe	91
PID 1188 wrote to memory of 3040	1188	cmd.exe	92
PID 1188 wrote to memory of 3040	1188	cmd.exe	92
PID 1188 wrote to memory of 2876	1188	cmd.exe	93
PID 1188 wrote to memory of 2876	1188	cmd.exe	93
PID 1188 wrote to memory of 2568	1188	cmd.exe	94
PID 1188 wrote to memory of 2568	1188	cmd.exe	94
PID 1188 wrote to memory of 1152	1188	cmd.exe	95
PID 1188 wrote to memory of 1152	1188	cmd.exe	95
PID 1188 wrote to memory of 4264	1188	cmd.exe	96
PID 1188 wrote to memory of 4264	1188	cmd.exe	96
PID 1188 wrote to memory of 4520	1188	cmd.exe	97
PID 1188 wrote to memory of 4520	1188	cmd.exe	97
PID 1188 wrote to memory of 4596	1188	cmd.exe	98
PID 1188 wrote to memory of 4596	1188	cmd.exe	98
PID 1188 wrote to memory of 8	1188	cmd.exe	99
PID 1188 wrote to memory of 8	1188	cmd.exe	99
PID 1188 wrote to memory of 1936	1188	cmd.exe	100
PID 1188 wrote to memory of 1936	1188	cmd.exe	100
PID 1188 wrote to memory of 896	1188	cmd.exe	101
PID 1188 wrote to memory of 896	1188	cmd.exe	101
PID 1188 wrote to memory of 768	1188	cmd.exe	102
PID 1188 wrote to memory of 768	1188	cmd.exe	102
PID 768 wrote to memory of 2460	768	net.exe	103
PID 768 wrote to memory of 2460	768	net.exe	103
PID 1188 wrote to memory of 4184	1188	cmd.exe	104
PID 1188 wrote to memory of 4184	1188	cmd.exe	104
PID 1188 wrote to memory of 2456	1188	cmd.exe	105
PID 1188 wrote to memory of 2456	1188	cmd.exe	105
PID 1188 wrote to memory of 4600	1188	cmd.exe	106
PID 1188 wrote to memory of 4600	1188	cmd.exe	106
PID 1188 wrote to memory of 2832	1188	cmd.exe	107
PID 1188 wrote to memory of 2832	1188	cmd.exe	107
PID 1188 wrote to memory of 4256	1188	cmd.exe	108
PID 1188 wrote to memory of 4256	1188	cmd.exe	108
PID 1188 wrote to memory of 760	1188	cmd.exe	109
PID 1188 wrote to memory of 760	1188	cmd.exe	109
PID 1188 wrote to memory of 3588	1188	cmd.exe	110
PID 1188 wrote to memory of 3588	1188	cmd.exe	110
PID 1188 wrote to memory of 5104	1188	cmd.exe	111
PID 1188 wrote to memory of 5104	1188	cmd.exe	111
PID 1188 wrote to memory of 2864	1188	cmd.exe	112
PID 1188 wrote to memory of 2864	1188	cmd.exe	112
PID 1188 wrote to memory of 3184	1188	cmd.exe	113
PID 1188 wrote to memory of 3184	1188	cmd.exe	113
PID 1188 wrote to memory of 4152	1188	cmd.exe	114
PID 1188 wrote to memory of 4152	1188	cmd.exe	114

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cleaners\cleaner.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:4788
- C:\Windows\system32\taskkill.exe
  taskkill /f /im epicgameslauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4156
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3060
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1420
- C:\Windows\system32\taskkill.exe
  taskkill /f /im OneDrive.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4272
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1372
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EpicGamesLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4848
- C:\Windows\system32\taskkill.exe
  taskkill /f /im UnrealCEFSubProcess.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\system32\taskkill.exe
  taskkill /f /im CEFProcess.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EasyAntiCheat.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2876
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEService.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2568
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEServices.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1152
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BattleEye.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4264
- C:\Windows\system32\sc.exe
  Sc stop EasyAntiCheat
  2⤵
  - Launches sc.exe
  PID:4520
- C:\Windows\system32\sc.exe
  Sc stop FortniteClient-Win64-Shipping_EAC
  2⤵
  - Launches sc.exe
  PID:4596
- C:\Windows\system32\sc.exe
  Sc stop BattleEye
  2⤵
  - Launches sc.exe
  PID:8
- C:\Windows\system32\sc.exe
  Sc stop FortniteClient-Win64-Shipping_BE
  2⤵
  - Launches sc.exe
  PID:1936
- C:\Windows\system32\sc.exe
  sc config winmgmt start= disabled
  2⤵
  - Launches sc.exe
  PID:896
- C:\Windows\system32\net.exe
  net stop winmgmt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:768
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop winmgmt /y
    3⤵
    PID:2460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b *.dll
  2⤵
  PID:4184
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s appbackgroundtask.dll
  2⤵
  PID:2456
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s cimwin32.dll
  2⤵
  PID:4600
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s DMWmiBridgeProv.dll
  2⤵
  PID:2832
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s DMWmiBridgeProv1.dll
  2⤵
  PID:4256
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s dnsclientcim.dll
  2⤵
  PID:760
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s dnsclientpsprovider.dll
  2⤵
  PID:3588
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s Dscpspluginwkr.dll
  2⤵
  PID:5104
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s dsprov.dll
  2⤵
  - Modifies registry class
  PID:2864
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s EmbeddedLockdownWmi.dll
  2⤵
  PID:3184
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s esscli.dll
  2⤵
  PID:4152
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s EventTracingManagement.dll
  2⤵
  PID:3404
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s fastprox.dll
  2⤵
  - Modifies registry class
  PID:836
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s ipmiprr.dll
  2⤵
  PID:4400
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s ipmiprv.dll
  2⤵
  - Modifies registry class
  PID:3576
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s KrnlProv.dll
  2⤵
  - Modifies registry class
  PID:752
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s MDMAppProv.dll
  2⤵
  PID:1968
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s MDMSettingsProv.dll
  2⤵
  PID:840
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s Microsoft.AppV.AppVClientWmi.dll
  2⤵
  PID:1348
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s Microsoft.Uev.AgentWmi.dll
  2⤵
  - Modifies registry class
  PID:1860
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s MMFUtil.dll
  2⤵
  PID:1520
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s mofd.dll
  2⤵
  - Modifies registry class
  PID:4884
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s mofinstall.dll
  2⤵
  PID:1700
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s msdtcwmi.dll
  2⤵
  PID:4956
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s msiprov.dll
  2⤵
  PID:2960
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s NCProv.dll
  2⤵
  PID:1792
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s ndisimplatcim.dll
  2⤵
  PID:1972
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s NetAdapterCim.dll
  2⤵
  PID:4408
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s netdacim.dll
  2⤵
  PID:2436
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s NetEventPacketCapture.dll
  2⤵
  PID:2884
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s netnccim.dll
  2⤵
  PID:1436
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s NetPeerDistCim.dll
  2⤵
  PID:1340
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s netswitchteamcim.dll
  2⤵
  PID:2276
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s NetTCPIP.dll
  2⤵
  PID:4700
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s netttcim.dll
  2⤵
  PID:4684
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s nlmcim.dll
  2⤵
  PID:4080
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s ntevt.dll
  2⤵
  PID:5024
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s PolicMan.dll
  2⤵
  PID:2516
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s PrintManagementProvider.dll
  2⤵
  PID:3924
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s qoswmi.dll
  2⤵
  PID:3060
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s RacWmiProv.dll
  2⤵
  PID:4324
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s repdrvfs.dll
  2⤵
  PID:4528
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s schedprov.dll
  2⤵
  PID:1928
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s ServDeps.dll
  2⤵
  PID:4572
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s SMTPCons.dll
  2⤵
  PID:2432
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s stdprov.dll
  2⤵
  - Modifies registry class
  PID:720
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s vdswmi.dll
  2⤵
  PID:1372
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s viewprov.dll
  2⤵
  - Modifies registry class
  PID:3612
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s vpnclientpsprovider.dll
  2⤵
  PID:1072
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s vsswmi.dll
  2⤵
  PID:4504
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemcntl.dll
  2⤵
  - Modifies registry class
  PID:4632
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemcons.dll
  2⤵
  PID:2968
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemcore.dll
  2⤵
  PID:4552
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemdisp.dll
  2⤵
  - Modifies registry class
  PID:1456
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemess.dll
  2⤵
  PID:1100
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemprox.dll
  2⤵
  - Modifies registry class
  PID:1596
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemsvc.dll
  2⤵
  - Modifies registry class
  PID:844
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WdacWmiProv.dll
  2⤵
  PID:1652
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wfascim.dll
  2⤵
  PID:4980
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s Win32_EncryptableVolume.dll
  2⤵
  PID:4780
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s Win32_Tpm.dll
  2⤵
  PID:4520
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WinMgmtR.dll
  2⤵
  PID:3844
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WmiApRes.dll
  2⤵
  PID:1936
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WmiApRpl.dll
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:896
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WMICOOKR.dll
  2⤵
  PID:4544
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WmiDcPrv.dll
  2⤵
  PID:3644
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wmipcima.dll
  2⤵
  - Modifies registry class
  PID:5076
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wmipdfs.dll
  2⤵
  PID:4404
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wmipdskq.dll
  2⤵
  PID:4072
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WmiPerfClass.dll
  2⤵
  - Modifies registry class
  PID:2608
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WmiPerfInst.dll
  2⤵
  - Modifies registry class
  PID:2460
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WMIPICMP.dll
  2⤵
  PID:768
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WMIPIPRT.dll
  2⤵
  PID:4184
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WMIPJOBJ.dll
  2⤵
  - Modifies registry class
  PID:2456
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wmiprov.dll
  2⤵
  - Modifies registry class
  PID:4600
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WmiPrvSD.dll
  2⤵
  - Modifies registry class
  PID:2832
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WMIPSESS.dll
  2⤵
  - Modifies registry class
  PID:4024
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WMIsvc.dll
  2⤵
  - Server Software Component: Terminal Services DLL
  - Modifies registry class
  PID:5056
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wmitimep.dll
  2⤵
  PID:2760
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wmiutils.dll
  2⤵
  PID:2088
- C:\Windows\System32\wbem\WmiPrvSE.exe
  wmiprvse /regserver
  2⤵
  PID:3760
- C:\Windows\System32\wbem\WinMgmt.exe
  winmgmt /regserver
  2⤵
  PID:5084
- C:\Windows\system32\sc.exe
  sc config winmgmt start= auto
  2⤵
  - Launches sc.exe
  PID:3204
- C:\Windows\system32\net.exe
  net start winmgmt
  2⤵
  PID:1476
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start winmgmt
    3⤵
    PID:2692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /s /b *.mof *.mfl
  2⤵
  PID:4012
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\aeinv.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4452
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AgentWmi.mof
  2⤵
  PID:1628
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AgentWmiUninstall.mof
  2⤵
  - Drops file in System32 directory
  PID:3940
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\appbackgroundtask.mof
  2⤵
  - Drops file in System32 directory
  PID:1340
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\appbackgroundtask_uninstall.mof
  2⤵
  PID:2584
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AuditRsop.mof
  2⤵
  PID:2096
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\authfwcfg.mof
  2⤵
  PID:3168
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\bcd.mof
  2⤵
  PID:4564
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\BthMtpEnum.mof
  2⤵
  PID:1564
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\cimdmtf.mof
  2⤵
  - Drops file in System32 directory
  PID:1580
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\cimwin32.mof
  2⤵
  - Drops file in System32 directory
  PID:2968
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\CIWmi.mof
  2⤵
  - Drops file in System32 directory
  PID:2568
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\classlog.mof
  2⤵
  PID:5020
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\cli.mof
  2⤵
  - Drops file in System32 directory
  PID:4728
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\cliegaliases.mof
  2⤵
  - Drops file in System32 directory
  PID:4508
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ddp.mof
  2⤵
  - Drops file in System32 directory
  PID:3732
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\dimsjob.mof
  2⤵
  PID:3080
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\dimsroam.mof
  2⤵
  PID:4888
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv.mof
  2⤵
  - Drops file in System32 directory
  PID:3552
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv1.mof
  2⤵
  - Drops file in System32 directory
  PID:3736
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv1_Uninstall.mof
  2⤵
  PID:1124
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv_Uninstall.mof
  2⤵
  PID:5076
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\dnsclientcim.mof
  2⤵
  PID:1344
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\dnsclientpsprovider.mof
  2⤵
  - Drops file in System32 directory
  PID:1164
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\dnsclientpsprovider_Uninstall.mof
  2⤵
  PID:1356
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\drvinst.mof
  2⤵
  PID:2880
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\DscCore.mof
  2⤵
  PID:2088
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\DscCoreConfProv.mof
  2⤵
  PID:5048
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\dscproxy.mof
  2⤵
  - Drops file in System32 directory
  PID:2260
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\DscTimer.mof
  2⤵
  - Drops file in System32 directory
  PID:3052
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\dsprov.mof
  2⤵
  PID:1972
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\eaimeapi.mof
  2⤵
  PID:668
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\embeddedlockdownwmi.mof
  2⤵
  PID:4232
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\embeddedlockdownwmi_Uninstall.mof
  2⤵
  PID:4812
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\EventTracingManagement.mof
  2⤵
  - Drops file in System32 directory
  PID:3164
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fdPHost.mof
  2⤵
  PID:1096
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fdrespub.mof
  2⤵
  PID:4572
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fdSSDP.mof
  2⤵
  PID:3560
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fdWNet.mof
  2⤵
  PID:4504
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fdWSD.mof
  2⤵
  PID:1740
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\filetrace.mof
  2⤵
  PID:4904
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\firewallapi.mof
  2⤵
  PID:1004
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\FolderRedirectionWMIProvider.mof
  2⤵
  PID:2744
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\FunDisc.mof
  2⤵
  PID:3844
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fwcfg.mof
  2⤵
  PID:4976
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\hbaapi.mof
  2⤵
  - Drops file in System32 directory
  PID:1848
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\hnetcfg.mof
  2⤵
  - Drops file in System32 directory
  PID:4252
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\IMAPIv2-Base.mof
  2⤵
  PID:1556
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\IMAPIv2-FileSystemSupport.mof
  2⤵
  PID:2176
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\IMAPIv2-LegacyShim.mof
  2⤵
  PID:4732
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\interop.mof
  2⤵
  - Drops file in System32 directory
  PID:1388
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\IpmiDTrc.mof
  2⤵
  PID:572
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ipmiprv.mof
  2⤵
  - Drops file in System32 directory
  PID:3736
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\IpmiPTrc.mof
  2⤵
  PID:4072
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ipsecsvc.mof
  2⤵
  PID:5052
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\iscsidsc.mof
  2⤵
  PID:1344
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\iscsihba.mof
  2⤵
  PID:4068
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\iscsiprf.mof
  2⤵
  - Drops file in System32 directory
  PID:1356
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\iscsirem.mof
  2⤵
  PID:2052
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\iscsiwmiv2.mof
  2⤵
  PID:2088
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\iscsiwmiv2_uninstall.mof
  2⤵
  PID:5048
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\kerberos.mof
  2⤵
  - Drops file in System32 directory
  PID:2960
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\krnlprov.mof
  2⤵
  PID:4408
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\L2SecHC.mof
  2⤵
  PID:2904
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\lltdio.mof
  2⤵
  PID:668
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\lltdsvc.mof
  2⤵
  PID:916
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\lsasrv.mof
  2⤵
  PID:2516
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mblctr.mof
  2⤵
  PID:4796
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\MDMAppProv.mof
  2⤵
  PID:4988
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\MDMAppProv_Uninstall.mof
  2⤵
  - Drops file in System32 directory
  PID:1932
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\MDMSettingsProv.mof
  2⤵
  PID:3560
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\MDMSettingsProv_Uninstall.mof
  2⤵
  PID:3408
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Microsoft-Windows-OfflineFiles.mof
  2⤵
  PID:956
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Microsoft-Windows-Remote-FileSystem.mof
  2⤵
  PID:4980
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi.mof
  2⤵
  PID:3292
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Microsoft.Uev.ManagedAgentWmi.mof
  2⤵
  - Drops file in System32 directory
  PID:3744
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Microsoft.Uev.ManagedAgentWmiUninstall.mof
  2⤵
  PID:2696
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mispace.mof
  2⤵
  - Drops file in System32 directory
  PID:1848
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mispace_uninstall.mof
  2⤵
  PID:4252
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mmc.mof
  2⤵
  PID:1556
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mountmgr.mof
  2⤵
  PID:2176
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mpeval.mof
  2⤵
  PID:4732
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mpsdrv.mof
  2⤵
  PID:1388
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mpssvc.mof
  2⤵
  PID:424
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\MsDtcWmi.mof
  2⤵
  - Drops file in System32 directory
  PID:2380
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\msfeeds.mof
  2⤵
  PID:4072
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\msfeedsbs.mof
  2⤵
  PID:5052
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\msi.mof
  2⤵
  - Drops file in System32 directory
  PID:4256
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\msiscsi.mof
  2⤵
  PID:4600
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\MsNetImPlatform.mof
  2⤵
  - Drops file in System32 directory
  PID:1332
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mstsc.mof
  2⤵
  PID:4152
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mstscax.mof
  2⤵
  - Drops file in System32 directory
  PID:4400
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\msv1_0.mof
  2⤵
  - Drops file in System32 directory
  PID:5048
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mswmdm.mof
  2⤵
  PID:2960
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ncprov.mof
  2⤵
  PID:1908
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ncsi.mof
  2⤵
  PID:2320
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ndistrace.mof
  2⤵
  - Drops file in System32 directory
  PID:4692
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetAdapterCim.mof
  2⤵
  - Drops file in System32 directory
  PID:916
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetAdapterCimTrace.mof
  2⤵
  PID:3168
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetAdapterCimTraceUninstall.mof
  2⤵
  PID:568
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetAdapterCim_uninstall.mof
  2⤵
  PID:4988
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\netdacim.mof
  2⤵
  PID:1372
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\netdacim_uninstall.mof
  2⤵
  PID:3560
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetEventPacketCapture.mof
  2⤵
  PID:2704
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetEventPacketCapture_uninstall.mof
  2⤵
  PID:412
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\netnccim.mof
  2⤵
  - Drops file in System32 directory
  PID:2548
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\netnccim_uninstall.mof
  2⤵
  PID:2624
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetPeerDistCim.mof
  2⤵
  - Drops file in System32 directory
  PID:3732
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetPeerDistCim_uninstall.mof
  2⤵
  PID:2988
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\netprofm.mof
  2⤵
  PID:2108
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetSwitchTeam.mof
  2⤵
  PID:4900
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetTCPIP.mof
  2⤵
  - Drops file in System32 directory
  PID:3548
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetTCPIP_Uninstall.mof
  2⤵
  PID:424
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\netttcim.mof
  2⤵
  PID:2712
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\netttcim_uninstall.mof
  2⤵
  PID:1276
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\networkitemfactory.mof
  2⤵
  PID:3752
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\newdev.mof
  2⤵
  PID:3588
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\nlasvc.mof
  2⤵
  PID:3760
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\nlmcim.mof
  2⤵
  PID:3404
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\nlmcim_uninstall.mof
  2⤵
  PID:2172
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\nlsvc.mof
  2⤵
  - Drops file in System32 directory
  PID:128
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\npivwmi.mof
  2⤵
  PID:4400
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\nshipsec.mof
  2⤵
  PID:2424
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ntevt.mof
  2⤵
  - Drops file in System32 directory
  PID:3052
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ntfs.mof
  2⤵
  PID:2884
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\OfflineFilesConfigurationWmiProvider.mof
  2⤵
  - Drops file in System32 directory
  PID:4696
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\OfflineFilesConfigurationWmiProvider_Uninstall.mof
  2⤵
  PID:4248
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\OfflineFilesWmiProvider.mof
  2⤵
  PID:2516
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\OfflineFilesWmiProvider_Uninstall.mof
  2⤵
  PID:4848
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\p2p-mesh.mof
  2⤵
  PID:3996
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\p2p-pnrp.mof
  2⤵
  PID:3040
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\pcsvDevice.mof
  2⤵
  - Drops file in System32 directory
  PID:1072
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\pcsvDevice_Uninstall.mof
  2⤵
  PID:4064
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\PNPXAssoc.mof
  2⤵
  PID:4056
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\PolicMan.mof
  2⤵
  PID:704
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\polproc.mof
  2⤵
  PID:1848
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\polprocl.mof
  2⤵
  PID:4252
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\polprou.mof
  2⤵
  PID:2108
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\polstore.mof
  2⤵
  PID:4900
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\portabledeviceapi.mof
  2⤵
  PID:3548
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\portabledeviceclassextension.mof
  2⤵
  PID:424
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\portabledeviceconnectapi.mof
  2⤵
  PID:2360
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\portabledevicetypes.mof
  2⤵
  PID:4072
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\portabledevicewiacompat.mof
  2⤵
  PID:1344
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\powermeterprovider.mof
  2⤵
  PID:4068
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\PowerPolicyProvider.mof
  2⤵
  - Drops file in System32 directory
  PID:2012
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ppcRsopCompSchema.mof
  2⤵
  PID:784
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ppcRsopUserSchema.mof
  2⤵
  PID:2524
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\PrintFilterPipelineSvc.mof
  2⤵
  PID:2368
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\PrintManagementProvider.mof
  2⤵
  PID:4952
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\profileassociationprovider.mof
  2⤵
  - Drops file in System32 directory
  PID:1720
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\PS_MMAgent.mof
  2⤵
  PID:664
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\qmgr.mof
  2⤵
  PID:2320
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\qoswmi.mof
  2⤵
  PID:748
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\qoswmitrc.mof
  2⤵
  PID:3060
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\qoswmitrc_uninstall.mof
  2⤵
  PID:4944
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\qoswmi_uninstall.mof
  2⤵
  PID:3224
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\RacWmiProv.mof
  2⤵
  PID:1364
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\rdpendp.mof
  2⤵
  PID:1152
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\rdpinit.mof
  2⤵
  - Drops file in System32 directory
  PID:3028
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\rdpshell.mof
  2⤵
  PID:1996
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\refs.mof
  2⤵
  PID:1272
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\refsv1.mof
  2⤵
  - Drops file in System32 directory
  PID:2984
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\regevent.mof
  2⤵
  PID:220
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Remove.Microsoft.AppV.AppvClientWmi.mof
  2⤵
  - Drops file in System32 directory
  PID:1460
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\rsop.mof
  2⤵
  PID:2976
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\rspndr.mof
  2⤵
  PID:2768
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\samsrv.mof
  2⤵
  PID:4456
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\scersop.mof
  2⤵
  PID:1500
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\schannel.mof
  2⤵
  PID:4256
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\SchedProv.mof
  2⤵
  PID:4600
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\scm.mof
  2⤵
  - Drops file in System32 directory
  PID:5084
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\scrcons.mof
  2⤵
  - Drops file in System32 directory
  PID:3500
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\sdbus.mof
  2⤵
  PID:1644
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\secrcw32.mof
  2⤵
  PID:2368
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\SensorsClassExtension.mof
  2⤵
  PID:4952
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ServiceModel.mof
  2⤵
  - Drops file in System32 directory
  PID:1972
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ServiceModel35.mof
  2⤵
  - Drops file in System32 directory
  PID:4896
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\services.mof
  2⤵
  PID:2320
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\setupapi.mof
  2⤵
  PID:748
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\SmbWitnessWmiv2Provider.mof
  2⤵
  - Drops file in System32 directory
  PID:4080
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\smbwmiv2.mof
  2⤵
  - Drops file in System32 directory
  PID:952
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\smtpcons.mof
  2⤵
  - Drops file in System32 directory
  PID:3224
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\sppwmi.mof
  2⤵
  PID:1652
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\sr.mof
  2⤵
  PID:1152
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\sstpsvc.mof
  2⤵
  PID:4056
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\storagewmi.mof
  2⤵
  - Drops file in System32 directory
  PID:412
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\storagewmi_passthru.mof
  2⤵
  PID:2396
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\storagewmi_passthru_uninstall.mof
  2⤵
  PID:4040
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\storagewmi_uninstall.mof
  2⤵
  PID:2144
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\stortrace.mof
  2⤵
  PID:3376
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\subscrpt.mof
  2⤵
  - Drops file in System32 directory
  PID:4780
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\system.mof
  2⤵
  PID:1004
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\tcpip.mof
  2⤵
  PID:4620
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\tsallow.mof
  2⤵
  PID:1376
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\tscfgwmi.mof
  2⤵
  - Drops file in System32 directory
  PID:1556
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\tsmf.mof
  2⤵
  PID:2360
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\tspkg.mof
  2⤵
  PID:1964
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\umb.mof
  2⤵
  PID:5056
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\umbus.mof
  2⤵
  PID:2760
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\umpass.mof
  2⤵
  PID:2172
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\umpnpmgr.mof
  2⤵
  PID:4628
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\UserProfileConfigurationWmiProvider.mof
  2⤵
  PID:2108
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\UserProfileWmiProvider.mof
  2⤵
  PID:840
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\UserStateWMIProvider.mof
  2⤵
  PID:1432
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\vds.mof
  2⤵
  PID:1424
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\vpnclientpsprovider.mof
  2⤵
  PID:4408
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\vpnclientpsprovider_Uninstall.mof
  2⤵
  PID:4016
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\vss.mof
  2⤵
  PID:4864
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WBEMCons.mof
  2⤵
  PID:668
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wcncsvc.mof
  2⤵
  PID:488
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WdacEtwProv.mof
  2⤵
  - Drops file in System32 directory
  PID:4664
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WdacWmiProv.mof
  2⤵
  PID:3420
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WdacWmiProv_Uninstall.mof
  2⤵
  PID:1596
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Wdf01000.mof
  2⤵
  - Drops file in System32 directory
  PID:4552
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Wdf01000Uninstall.mof
  2⤵
  PID:1936
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wdigest.mof
  2⤵
  PID:2724
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WFAPIGP.mof
  2⤵
  PID:4928
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wfascim.mof
  2⤵
  - Drops file in System32 directory
  PID:872
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wfascim_uninstall.mof
  2⤵
  PID:1872
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WFP.MOF
  2⤵
  PID:2988
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wfs.mof
  2⤵
  PID:2696
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\whqlprov.mof
  2⤵
  PID:1700
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Win32_DeviceGuard.mof
  2⤵
  - Drops file in System32 directory
  PID:5000
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\win32_encryptablevolume.mof
  2⤵
  PID:2028
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Win32_EncryptableVolumeUninstall.mof
  2⤵
  PID:3552
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\win32_printer.mof
  2⤵
  - Drops file in System32 directory
  PID:2688
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Win32_Tpm.mof
  2⤵
  - Drops file in System32 directory
  PID:2460
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wininit.mof
  2⤵
  PID:3588
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\winipsec.mof
  2⤵
  PID:1540
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\winlogon.mof
  2⤵
  PID:4152
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Winsat.mof
  2⤵
  PID:4600
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WinsatUninstall.mof
  2⤵
  PID:1476
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wlan.mof
  2⤵
  PID:4628
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WLanHC.mof
  2⤵
  - Drops file in System32 directory
  PID:2080
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmi.mof
  2⤵
  PID:1828
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipcima.mof
  2⤵
  PID:3592
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipdfs.mof
  2⤵
  PID:2436
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipdskq.mof
  2⤵
  PID:4788
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WmiPerfClass.mof
  2⤵
  PID:5100
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WmiPerfInst.mof
  2⤵
  PID:664
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipicmp.mof
  2⤵
  PID:2320
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipiprt.mof
  2⤵
  PID:488
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipjobj.mof
  2⤵
  PID:3996
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipsess.mof
  2⤵
  PID:3420
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmitimep.mof
  2⤵
  PID:1364
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WMI_Tracing.mof
  2⤵
  PID:1152
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmp.mof
  2⤵
  PID:3612
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmpnetwk.mof
  2⤵
  PID:4508
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpdbusenum.mof
  2⤵
  PID:4544
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpdcomp.mof
  2⤵
  PID:2456
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpdfs.mof
  2⤵
  PID:3080
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpdmtp.mof
  2⤵
  PID:3548
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpdshext.mof
  2⤵
  PID:3156
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WPDShServiceObj.mof
  2⤵
  PID:1600
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpdsp.mof
  2⤵
  PID:5000
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpd_ci.mof
  2⤵
  PID:5076
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WsmAgent.mof
  2⤵
  PID:3644
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WsmAgentUninstall.mof
  2⤵
  PID:4264
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WsmAuto.mof
  2⤵
  PID:644
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wsp_fs.mof
  2⤵
  PID:2832
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wsp_fs_uninstall.mof
  2⤵
  PID:4256
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wsp_health.mof
  2⤵
  PID:2052
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wsp_health_uninstall.mof
  2⤵
  PID:784
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wsp_sr.mof
  2⤵
  PID:1476
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wsp_sr_uninstall.mof
  2⤵
  PID:4628
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WUDFx.mof
  2⤵
  PID:4804
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Wudfx02000.mof
  2⤵
  PID:1664
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Wudfx02000Uninstall.mof
  2⤵
  PID:1952
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WUDFxUninstall.mof
  2⤵
  PID:2276
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\xwizards.mof
  2⤵
  PID:4700
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\C599AFA5A6F053BAD70179501868318E.mof
  2⤵
  PID:2096
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\aeinv.mfl
  2⤵
  PID:1104
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\appbackgroundtask.mfl
  2⤵
  PID:4608
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\appbackgroundtask_uninstall.mfl
  2⤵
  PID:4564
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\cimdmtf.mfl
  2⤵
  PID:488
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\cimwin32.mfl
  2⤵
  PID:3996
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\CIWmi.mfl
  2⤵
  PID:3420
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\cli.mfl
  2⤵
  PID:1364
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\cliegaliases.mfl
  2⤵
  PID:1152
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\ddp.mfl
  2⤵
  PID:2420
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\dnsclientcim.mfl
  2⤵
  PID:872
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\dnsclientpsprovider.mfl
  2⤵
  PID:2280
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\dnsclientpsprovider_uninstall.mfl
  2⤵
  PID:8
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\DscCore.mfl
  2⤵
  PID:2364
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\DscCoreConfProv.mfl
  2⤵
  PID:4904
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\DscProxy.mfl
  2⤵
  PID:244
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\DscTimer.mfl
  2⤵
  PID:2412
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\dsprov.mfl
  2⤵
  PID:2028
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\embeddedlockdownwmi.mfl
  2⤵
  PID:424
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\embeddedlockdownwmi_Uninstall.mfl
  2⤵
  PID:3968
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\EventTracingManagement.mfl
  2⤵
  PID:4488
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\filetrace.mfl
  2⤵
  PID:1540
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\FolderRedirectionWMIProvider.mfl
  2⤵
  PID:3204
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\hbaapi.mfl
  2⤵
  PID:1708
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\interop.mfl
  2⤵
  PID:3488
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\ipmiprv.mfl
  2⤵
  PID:1476
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\iscsidsc.mfl
  2⤵
  PID:1436
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\iscsiprf.mfl
  2⤵
  PID:484
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\iscsiwmiv2.mfl
  2⤵
  PID:2528
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\iscsiwmiv2_uninstall.mfl
  2⤵
  PID:2584
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\krnlprov.mfl
  2⤵
  PID:4696
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\l2gpstore.mfl
  2⤵
  PID:1340
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\MDMAppProv.mfl
  2⤵
  PID:4848
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\MDMAppProv_Uninstall.mfl
  2⤵
  PID:2516
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\MDMSettingsProv.mfl
  2⤵
  PID:2932
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\MDMSettingsProv_Uninstall.mfl
  2⤵
  PID:1580
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\Microsoft-Windows-OfflineFiles.mfl
  2⤵
  PID:1932
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\mispace.mfl
  2⤵
  PID:4988
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\mispace_uninstall.mfl
  2⤵
  PID:1936
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\mpeval.mfl
  2⤵
  PID:2100
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\MsDtcWmi.mfl
  2⤵
  PID:3340
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\msfeeds.mfl
  2⤵
  PID:760
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\msfeedsbs.mfl
  2⤵
  PID:4732
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\msi.mfl
  2⤵
  PID:4544
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\MsNetImPlatform.mfl
  2⤵
  PID:8
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\mstsc.mfl
  2⤵
  PID:4212
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\mstscax.mfl
  2⤵
  PID:2076
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\ncprov.mfl
  2⤵
  PID:1768
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\NetAdapterCim.mfl
  2⤵
  PID:2236
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\NetAdapterCimTrace.mfl
  2⤵
  PID:3552
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\NetAdapterCimTraceUninstall.mfl
  2⤵
  PID:2688
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\NetAdapterCim_uninstall.mfl
  2⤵
  PID:1588
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\netdacim.mfl
  2⤵
  PID:5104
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\netdacim_uninstall.mfl
  2⤵
  PID:4432
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\NetEventPacketCapture.mfl
  2⤵
  PID:1676
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\NetEventPacketCapture_Uninstall.mfl
  2⤵
  PID:5084
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\netnccim.mfl
  2⤵
  PID:2108
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\netnccim_uninstall.mfl
  2⤵
  PID:128
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\NetPeerDistCim.mfl
  2⤵
  PID:2000
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\NetPeerDistCim_uninstall.mfl
  2⤵
  PID:2424
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\NetSwitchTeam.mfl
  2⤵
  PID:1952
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\NetTCPIP.mfl
  2⤵
  PID:1424
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\NetTCPIP_uninstall.mfl
  2⤵
  PID:4684
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\netttcim.mfl
  2⤵
  PID:1572
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\netttcim_uninstall.mfl
  2⤵
  PID:3164
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\nlmcim.mfl
  2⤵
  PID:1104
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\nlmcim_uninstall.mfl
  2⤵
  PID:2320
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\npivwmi.mfl
  2⤵
  PID:3168
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\ntevt.mfl
  2⤵
  PID:952
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\OfflineFilesConfigurationWmiProvider.mfl
  2⤵
  PID:3996
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\OfflineFilesConfigurationWmiProvider_Uninstall.mfl
  2⤵
  PID:3572
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\OfflineFilesWmiProvider.mfl
  2⤵
  PID:3292
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\OfflineFilesWmiProvider_Uninstall.mfl
  2⤵
  PID:3100
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\p2p-mesh.mfl
  2⤵
  PID:4868
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\p2p-pnrp.mfl
  2⤵
  PID:3348
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\pcsvDevice.mfl
  2⤵
  PID:4888
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\pcsvDevice_Uninstall.mfl
  2⤵
  PID:4836
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\PolicMan.mfl
  2⤵
  PID:2696
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\polproc.mfl
  2⤵
  PID:4904
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\polprocl.mfl
  2⤵
  PID:1000
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\polprou.mfl
  2⤵
  PID:5000
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\powermeterprovider.mfl
  2⤵
  PID:1740
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\PowerPolicyProvider.mfl
  2⤵
  PID:2236
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\PrintManagementProvider.mfl
  2⤵
  PID:3552
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\profileassociationprovider.mfl
  2⤵
  PID:3180
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\PS_MMAgent.mfl
  2⤵
  PID:1332
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\qoswmi.mfl
  2⤵
  PID:2692
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\qoswmitrc.mfl
  2⤵
  PID:4152
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\qoswmitrc_uninstall.mfl
  2⤵
  PID:4252
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\qoswmi_uninstall.mfl
  2⤵
  PID:2088
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\RacWmiProv.mfl
  2⤵
  PID:3148
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\rdpinit.mfl
  2⤵
  PID:1664
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\rdpshell.mfl
  2⤵
  PID:1468
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\regevent.mfl
  2⤵
  PID:1124
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\rsop.mfl
  2⤵
  PID:4796
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\schedprov.mfl
  2⤵
  PID:4016
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\ScrCons.mfl
  2⤵
  PID:4812
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\secrcw32.mfl
  2⤵
  PID:1104
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\SmbWitnessWmiv2Provider.mfl
  2⤵
  PID:2024
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\smbwmiv2.mfl
  2⤵
  PID:3560
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\smtpcons.mfl
  2⤵
  PID:1072
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\sppwmi.mfl
  2⤵
  PID:1936
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\sr.mfl
  2⤵
  PID:1364
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\storagewmi.mfl
  2⤵
  PID:4056
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\storagewmi_passthru.mfl
  2⤵
  PID:4732
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\storagewmi_passthru_uninstall.mfl
  2⤵
  PID:4652
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\storagewmi_uninstall.mfl
  2⤵
  PID:3080
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\subscrpt.mfl
  2⤵
  PID:2696
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\system.mfl
  2⤵
  PID:1460
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\tsallow.mfl
  2⤵
  PID:244
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\tscfgwmi.mfl
  2⤵
  PID:2768
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\UserProfileConfigurationWmiProvider.mfl
  2⤵
  PID:4184
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\UserProfileWmiProvider.mfl
  2⤵
  PID:4004
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\UserStateWMIProvider.mfl
  2⤵
  PID:3200
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\vds.mfl
  2⤵
  PID:1164
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\vpnclientpsprovider.mfl
  2⤵
  PID:3832
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\vpnclientpsprovider_uninstall.mfl
  2⤵
  PID:4304
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\vss.mfl
  2⤵
  PID:2172
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\WbemCons.mfl
  2⤵
  PID:1612
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wcncsvc.mfl
  2⤵
  PID:788
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\WdacWmiProv.mfl
  2⤵
  PID:840
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\WdacWmiProv_Uninstall.mfl
  2⤵
  PID:1436
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wfascim.mfl
  2⤵
  PID:4896
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wfascim_uninstall.mfl
  2⤵
  PID:3940
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wfs.mfl
  2⤵
  PID:1908
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\whqlprov.mfl
  2⤵
  PID:4248
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\Win32_DeviceGuard.mfl
  2⤵
  PID:2432
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\win32_printer.mfl
  2⤵
  PID:3060
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wininit.mfl
  2⤵
  PID:4632
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\winlogon.mfl
  2⤵
  PID:4828
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmi.mfl
  2⤵
  PID:3360
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmipcima.mfl
  2⤵
  PID:1652
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmipdfs.mfl
  2⤵
  PID:4728
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmipdskq.mfl
  2⤵
  PID:3140
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmipicmp.mfl
  2⤵
  PID:704
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmipiprt.mfl
  2⤵
  PID:2988
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmipjobj.mfl
  2⤵
  PID:1388
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmipsess.mfl
  2⤵
  PID:4904
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmitimep.mfl
  2⤵
  PID:1000
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmpnetwk.mfl
  2⤵
  PID:4092
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wsp_fs.mfl
  2⤵
  PID:1180
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wsp_fs_uninstall.mfl
  2⤵
  PID:2976
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wsp_health.mfl
  2⤵
  PID:4032
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wsp_health_uninstall.mfl
  2⤵
  PID:1780
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wsp_sr.mfl
  2⤵
  PID:4268
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wsp_sr_uninstall.mfl
  2⤵
  PID:3204
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\WUDFx.mfl
  2⤵
  PID:1356
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\WUDFx02000.mfl
  2⤵
  PID:4600
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\xwizards.mfl
  2⤵
  PID:1812
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f
  2⤵
  PID:3092
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping_EAC.exe: B1 8A B0 E9 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"
  2⤵
  PID:4252
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\EasyAntiCheat\EasyAntiCheat_Setup.exe: 73 D5 4B 11 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"
  2⤵
  PID:4452
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping.exe: E7 CB 84 E9 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"
  2⤵
  PID:4768
- C:\Windows\system32\reg.exe
  reg delete "HKU\.Dreg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:1328
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine" /f
  2⤵
  PID:3196
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
  2⤵
  PID:960
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
  2⤵
  PID:4664
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
  2⤵
  PID:2220
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
  2⤵
  PID:428
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
  2⤵
  PID:2984
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
  2⤵
  PID:484
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Description: "Provides integrated security and services for online multiplayer games."" /f
  2⤵
  PID:1984
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f
  2⤵
  PID:1536
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat\GamesInstalled: "217;"" /f
  2⤵
  PID:1664
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Type: 0x00000010" /f
  2⤵
  PID:4408
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Start: 0x00000003" /f
  2⤵
  PID:1952
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f
  2⤵
  PID:2276
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f
  2⤵
  PID:1720
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f
  2⤵
  PID:4788
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\WOW64: 0x0000014C" /f
  2⤵
  PID:3052
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f"
  2⤵
  PID:1628
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security" /f"
  2⤵
  PID:4684
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f"
  2⤵
  PID:3324
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security" /f"
  2⤵
  PID:4864
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
  2⤵
  PID:916
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Type: 0x00000010" /f"
  2⤵
  PID:1572
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Start: 0x00000003" /f"
  2⤵
  PID:3164
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f"
  2⤵
  PID:2656
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f"
  2⤵
  PID:568
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f"
  2⤵
  PID:1056
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\WOW64: 0x0000014C" /f"
  2⤵
  PID:4944
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ObjectName: "LocalSystem"" /f"
  2⤵
  PID:2516
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Description: "Provides integrated security and services for online multiplayer games. /f"
  2⤵
  PID:2488
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f"
  2⤵
  PID:764
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f
  2⤵
  PID:5020
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d r3950 /f
  2⤵
  - Modifies registry key
  PID:2728
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d r18451 /f
  2⤵
  - Modifies registry key
  PID:2060
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {be11991} /f
  2⤵
  - Modifies registry key
  PID:1932
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {fefefee1569-25715-18458-24510} /f
  2⤵
  - Modifies registry key
  PID:3308
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {fefefe21942-28436-23387-11984} /f
  2⤵
  - Modifies registry key
  PID:1580
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d r26432 /f
  2⤵
  - Modifies registry key
  PID:2284
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d r29302 /f
  2⤵
  - Modifies registry key
  PID:4988
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d r3189 /f
  2⤵
  - Modifies registry key
  PID:1836
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {randomd16385-17267-14029-7135} /f
  2⤵
  - Modifies registry key
  PID:3984
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {BE18107} /f
  2⤵
  - Modifies registry key
  PID:4928
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {12703-380-10108-24357} /f
  2⤵
  - Modifies registry key
  PID:1936
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {15327-22654-28783-3237} /f
  2⤵
  - Modifies registry key
  PID:4868
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 17300 /f
  2⤵
  - Modifies registry key
  PID:3100
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 5380 /f
  2⤵
  - Modifies registry key
  PID:1364
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 13104 /f
  2⤵
  - Modifies registry key
  PID:872
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 420-14865-2399-17887 /f
  2⤵
  - Modifies registry key
  PID:412
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 5265 /f
  2⤵
  - Modifies registry key
  PID:4404
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {20888-15905-28889-1576} /f
  2⤵
  - Modifies registry key
  PID:1700
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 14982-2687-13706-31988 /f
  2⤵
  - Modifies registry key
  PID:4652
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:2948
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
  2⤵
  PID:4852
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
  2⤵
  PID:1848
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
  2⤵
  PID:1388
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
  2⤵
  PID:2696
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
  2⤵
  PID:3376
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
  2⤵
  PID:3816
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
  2⤵
  PID:3248
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
  2⤵
  PID:3380
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
  2⤵
  PID:768
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
  2⤵
  PID:244
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f
  2⤵
  PID:2028
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f
  2⤵
  PID:1004
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v InstallDate /t REG_SZ /d 16586 /f
  2⤵
  PID:3736
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v ProductId /t REG_SZ /d 3066 /f
  2⤵
  PID:5076
- C:\Windows\system32\reg.exe
  REG ADD HKLM\System\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 30594 /f
  2⤵
  - Modifies registry key
  PID:5052
- C:\Windows\system32\reg.exe
  REG ADD HKLM\System\CurrentControlSet\Control\WMI\Security /v 671a8285-4edb-4cae-99fe-69a15c48c0bc /t REG_SZ /d 23058 /f
  2⤵
  - Modifies registry key
  PID:1464
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f
  2⤵
  PID:2976
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d TS-eac23963 /f
  2⤵
  - Modifies registry key
  PID:2688
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d TS-16703 /f
  2⤵
  - Modifies registry key
  PID:2468
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {eac15306} /f
  2⤵
  - Modifies registry key
  PID:2360
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {TS-19257-4459-19531-29304} /f
  2⤵
  - Modifies registry key
  PID:1588
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {TS-15863-6678-8146-32385} /f
  2⤵
  - Modifies registry key
  PID:4648
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d TS-6205 /f
  2⤵
  - Modifies registry key
  PID:2880
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:4268
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 22880 /f
  2⤵
  - Modifies registry key
  PID:1540
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 7138 /f
  2⤵
  - Modifies registry key
  PID:2876
- C:\Windows\system32\reg.exe
  reg delete"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WMI\Security\" /f
  2⤵
  PID:2760
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
  2⤵
  PID:3488
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
  2⤵
  PID:3832
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f
  2⤵
  PID:3404
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSVendor /f
  2⤵
  PID:4304
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSReleaseDate /f
  2⤵
  PID:5084
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemProductName /f
  2⤵
  PID:352
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemManufacturer /f
  2⤵
  PID:2172
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f
  2⤵
  PID:1812
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
  2⤵
  PID:1612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\perfc009.dat

Filesize
128KB

MD5
834149a3fc2d6bae5e8bf3c78b843f01

SHA1
7d7cee90612195049d9fd8884c213e72b4371c8c

SHA256
7accb384068aa6ec238267dd9a28bfbd434f39adaf45af5be8b2e3adc42d8b80

SHA512
4bcbda0e2d8c2ebe82c44d3fac688787f9fcbf93845c74f2164ce831ca751f7e629e187497fec142b6ca3f76d379deb2a12746bb45297c3baca3f4855d9b827b

Download Submit
C:\Windows\System32\perfh009.dat

Filesize
686KB

MD5
2f07d393770f9c3176acaa802258cf3b

SHA1
89106ca40220547994916ac494e21967770755e8

SHA256
7038b7d9499942ec4b5b667d1872552622d77681b88243c88a309293f9a78a8c

SHA512
5fef602c782700b0e5e44fa1e4a14530062290d57dfa6e65ebe6e7523449ee16eab9fab367724fcc523277f468c756ae59c755b66393c9ea3d99e9e034d41307

Download Submit
C:\Windows\System32\wbem\Performance\WmiApRpl.h

Filesize
435B

MD5
1cc4c3b9bb1657be77939f0b565e315d

SHA1
6a7ff123e96da6f7fb0fd9b7d7600bfc3540ee25

SHA256
9eb3cbb0f65809845890159efdab0ff5a910da34252e7d5cff2929cc2fa6ab6a

SHA512
fd461013902cf1f89485efc1cbdd07bc294253a1b60d9950e27cdb12937cbb39e3491ddb5dfdc4386df87fa44ee4ca9b3be01d7048850337ff9d68156eea78ef

Download Submit
C:\Windows\System32\wbem\Performance\WmiApRpl.ini

Filesize
1KB

MD5
a656a56b1fda4aa28383160ba6ebea3b

SHA1
bda09bb6f5f28f5470147113e93d46a02853dfe1

SHA256
639cf8acd1fe25a19b9841c9262b4227fcc33bb6658919d31b10ab849253b318

SHA512
fbc74c738bbebb6265688ebec7a6bce18f5a59e98a5417701e5565d5c6e1f8c350da000005fc7441f8a4622043d4a8fd62efe54308cfa59f4ce9ed027dadebae

Download Submit