Malware Analysis Report

2024-09-22 13:20

Sample ID 240620-pvzs1axflf
Target cleaners.zip
SHA256 4ee85019c1ae4d1abf8ea1908f635339d0a4af88ba185dc30e1104e68c7c902e
Tags
evasion themida trojan execution persistence privilege_escalation
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4ee85019c1ae4d1abf8ea1908f635339d0a4af88ba185dc30e1104e68c7c902e

Threat Level: Known bad

The file cleaners.zip was found to be: Known bad.

Malicious Activity Summary

evasion themida trojan execution persistence privilege_escalation

Disables service(s)

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Server Software Component: Terminal Services DLL

Stops running service(s)

Themida packer

Event Triggered Execution: Component Object Model Hijacking

Checks BIOS information in registry

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Unsigned PE

Runs net.exe

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Modifies registry key

Suspicious use of WriteProcessMemory

Kills process with taskkill

Uses Volume Shadow Copy WMI provider

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-20 12:39

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 12:39

Reported

2024-06-20 13:09

Platform

win11-20240611-en

Max time kernel

1791s

Max time network

1502s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe

"C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im EpicGamesLauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Battle.net.exe

Network

Files

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-20 12:39

Reported

2024-06-20 13:10

Platform

win11-20240508-en

Max time kernel

1760s

Max time network

1775s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.sys

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.sys

C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.sys

C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.sys

Network

Country Destination Domain Proto
IE 52.111.236.22:443 tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-20 12:39

Reported

2024-06-20 13:09

Platform

win11-20240508-en

Max time kernel

1734s

Max time network

1745s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\spoofers\gsoftgmx64.sys

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\spoofers\gsoftgmx64.sys

C:\Users\Admin\AppData\Local\Temp\spoofers\gsoftgmx64.sys

C:\Users\Admin\AppData\Local\Temp\spoofers\gsoftgmx64.sys

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/1900-0-0x0000000000010000-0x0000000000017000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 12:39

Reported

2024-06-20 13:09

Platform

win11-20240508-en

Max time kernel

1680s

Max time network

1693s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Spoofer.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Spoofer.exe

"C:\Users\Admin\AppData\Local\Temp\Spoofer.exe"

Network

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-20 12:39

Reported

2024-06-20 12:41

Platform

win11-20240611-en

Max time kernel

50s

Max time network

70s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cleaners\cleaner.bat"

Signatures

Disables service(s)

evasion execution

Server Software Component: Terminal Services DLL

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Winmgmt\Parameters\ServiceDll = "%SystemRoot%\\system32\\wbem\\WMIsvc.dll" C:\Windows\system32\regsvr32.exe N/A

Stops running service(s)

evasion execution

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Drops file in System32 directory

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\inf\WmiApRpl\WmiApRpl.ini C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Windows\inf\WmiApRpl\WmiApRpl.ini C:\Windows\system32\regsvr32.exe N/A
File created C:\Windows\inf\WmiApRpl\WmiApRpl.h C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Windows\inf\WmiApRpl\WmiApRpl.h C:\Windows\system32\regsvr32.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Modifies registry class

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1188 wrote to memory of 4788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cacls.exe
PID 1188 wrote to memory of 4788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cacls.exe
PID 1188 wrote to memory of 4156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1188 wrote to memory of 4156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1188 wrote to memory of 3060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1188 wrote to memory of 3060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1188 wrote to memory of 2580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1188 wrote to memory of 2580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1188 wrote to memory of 1420 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1188 wrote to memory of 1420 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1188 wrote to memory of 4272 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1188 wrote to memory of 4272 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1188 wrote to memory of 1372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1188 wrote to memory of 1372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1188 wrote to memory of 4848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1188 wrote to memory of 4848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1188 wrote to memory of 2656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1188 wrote to memory of 2656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1188 wrote to memory of 3040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1188 wrote to memory of 3040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1188 wrote to memory of 2876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1188 wrote to memory of 2876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1188 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1188 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1188 wrote to memory of 1152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1188 wrote to memory of 1152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1188 wrote to memory of 4264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1188 wrote to memory of 4264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1188 wrote to memory of 4520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1188 wrote to memory of 4520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1188 wrote to memory of 4596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1188 wrote to memory of 4596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1188 wrote to memory of 8 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1188 wrote to memory of 8 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1188 wrote to memory of 1936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1188 wrote to memory of 1936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1188 wrote to memory of 896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1188 wrote to memory of 896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1188 wrote to memory of 768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1188 wrote to memory of 768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 768 wrote to memory of 2460 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 768 wrote to memory of 2460 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1188 wrote to memory of 4184 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1188 wrote to memory of 4184 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1188 wrote to memory of 2456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1188 wrote to memory of 2456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1188 wrote to memory of 4600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1188 wrote to memory of 4600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1188 wrote to memory of 2832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1188 wrote to memory of 2832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1188 wrote to memory of 4256 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1188 wrote to memory of 4256 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1188 wrote to memory of 760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1188 wrote to memory of 760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1188 wrote to memory of 3588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1188 wrote to memory of 3588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1188 wrote to memory of 5104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1188 wrote to memory of 5104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1188 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1188 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1188 wrote to memory of 3184 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1188 wrote to memory of 3184 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1188 wrote to memory of 4152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1188 wrote to memory of 4152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
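The rows above are the sandbox's record of cmd.exe (PID 1188, running cleaner.bat) spawning each helper: every CreateProcess shows up as two writes into the new child, and the only grandchild is net1.exe under net.exe. Read together with the command lines listed under Processes, the tree is the familiar "WMI repository rebuild" batch idiom: a cacls call against the SYSTEM hive (a common way for a batch file to test for elevation, since the call fails without admin rights), taskkill against game and anti-cheat processes, winmgmt disabled and stopped, every WMI provider DLL re-registered with regsvr32 /s, WmiPrvSE and WinMgmt re-registered, the service restored, then every .mof/.mfl recompiled with mofcomp. The script below is an added example written for this report, not sandbox output or the sample's own code: it collapses the paired write rows into a parent/child tree and classifies command lines into those phases. SAMPLE_WRITES and SAMPLE_CMDLINES are constructed from a subset of the rows and command lines printed on this page. It also shows why the "Uses Volume Shadow Copy WMI provider" signature fires: regsvr32 /s vsswmi.dll and mofcomp vss.mof are part of the provider sweep, and no vssadmin or shadow-copy deletion command appears in the list.

```python
"""Process-tree and phase reconstruction for the cleaner.bat detonation.

Added example for this report; not sandbox output or the sample's code.
SAMPLE_WRITES / SAMPLE_CMDLINES are constructed from a subset of the
WriteProcessMemory rows and Processes command lines shown in the report."""
import re
from collections import Counter, defaultdict

SAMPLE_WRITES = r"""
PID 1188 wrote to memory of 4788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cacls.exe
PID 1188 wrote to memory of 4788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cacls.exe
PID 1188 wrote to memory of 4156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1188 wrote to memory of 4156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1188 wrote to memory of 4520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1188 wrote to memory of 4520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1188 wrote to memory of 768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1188 wrote to memory of 768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 768 wrote to memory of 2460 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 768 wrote to memory of 2460 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1188 wrote to memory of 2456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1188 wrote to memory of 2456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
"""

SAMPLE_CMDLINES = [  # constructed subset of the Processes section
    r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cleaners\cleaner.bat"',
    r'"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"',
    r'taskkill /f /im epicgameslauncher.exe', r'taskkill /f /im EasyAntiCheat.exe',
    r'taskkill /f /im BEService.exe', r'taskkill /f /im OneDrive.exe',
    r'Sc stop EasyAntiCheat', r'Sc stop BattleEye',
    r'sc config winmgmt start= disabled', r'net stop winmgmt /y',
    r'C:\Windows\system32\net1 stop winmgmt /y',
    r'C:\Windows\system32\cmd.exe /c dir /b *.dll',
    r'regsvr32 /s cimwin32.dll', r'regsvr32 /s vsswmi.dll', r'regsvr32 /s wbemcore.dll',
    r'wmiprvse /regserver', r'winmgmt /regserver',
    r'sc config winmgmt start= auto', r'net start winmgmt',
    r'C:\Windows\system32\cmd.exe /c dir /s /b *.mof *.mfl',
    r'mofcomp C:\Windows\System32\wbem\cimwin32.mof', r'mofcomp C:\Windows\System32\wbem\vss.mof',
]

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Anti-cheat / game images seen in the taskkill lines (assumed watch-list).
ANTICHEAT = {"easyanticheat.exe", "beservice.exe", "beservices.exe", "battleye.exe",
             "fortniteclient-win64-shipping_eac.exe", "fortniteclient-win64-shipping_be.exe"}

# (label, pattern over the normalised command line); first match wins.
PHASES = [(label, re.compile(pat, re.I)) for label, pat in [
    ("batch launched",          r'^cmd /c ".*\.bat"$'),
    ("admin check (cacls SYSTEM hive)", r'^cacls .*\\config\\system"?$'),
    ("process kill",            r"^taskkill /f /im (\S+)$"),
    ("service stop",            r"^sc stop \S+$"),
    ("WMI service disabled",    r"^(sc config winmgmt start= disabled|net1? stop winmgmt)"),
    ("WMI provider regsvr32",   r"^regsvr32 /s (\S+\.dll)$"),
    ("WMI core /regserver",     r"^(wmiprvse|winmgmt) /regserver$"),
    ("WMI service restored",    r"^(sc config winmgmt start= auto|net1? start winmgmt)"),
    ("MOF recompile",           r"^mofcomp (\S+\.(?:mof|mfl))$"),
    ("file enumeration",        r"^cmd /c dir "),
]]


def process_tree(rows):
    """Parent PID -> {child PID: child image}. The sandbox logs two writes per
    CreateProcess (set-up of the new child's address space), so the dict
    collapses the duplicate rows into a single parent/child edge."""
    tree = defaultdict(dict)
    for line in rows.strip().splitlines():
        m = WRITE_RE.match(line.strip())
        if m:
            ppid, pid, _parent_img, child_img = m.groups()
            tree[int(ppid)][int(pid)] = child_img.rsplit("\\", 1)[-1].lower()
    return dict(tree)


def normalize(cmdline):
    """Replace the (possibly quoted, possibly full-path) image with its bare name."""
    m = re.match(r'^"([^"]+)"|^(\S+)', cmdline)
    exe = (m.group(1) or m.group(2)).rsplit("\\", 1)[-1].lower()
    exe = exe[:-4] if exe.endswith(".exe") else exe
    return (exe + " " + cmdline[m.end():].strip()).strip()


def classify(cmdlines):
    """Return (phase counts, findings) for the command lines of one detonation."""
    counts, killed, dlls, mofs = Counter(), set(), set(), set()
    for raw in cmdlines:
        line = normalize(raw)
        for label, rx in PHASES:
            m = rx.match(line)
            if not m:
                continue
            counts[label] += 1
            if label == "process kill":
                killed.add(m.group(1).lower())
            elif label == "WMI provider regsvr32":
                dlls.add(m.group(1).lower())
            elif label == "MOF recompile":
                mofs.add(m.group(1).rsplit("\\", 1)[-1].lower())
            break
        else:
            counts["unclassified"] += 1
    findings = []
    if killed & ANTICHEAT:
        findings.append("anti-cheat tampering: kills " + ", ".join(sorted(killed & ANTICHEAT)))
    if all(counts[k] for k in ("WMI service disabled", "WMI provider regsvr32",
                               "WMI service restored", "MOF recompile")):
        findings.append("WMI repository rebuild: disable -> regsvr32 providers -> restore -> mofcomp")
    touched_vss = "vsswmi.dll" in dlls or "vss.mof" in mofs
    if touched_vss and not any(re.search(r"vssadmin|shadowcopy", c, re.I) for c in cmdlines):
        findings.append("VSS WMI provider re-registered; no shadow-copy enumeration/deletion seen")
    return counts, findings


if __name__ == "__main__":
    for ppid, kids in sorted(process_tree(SAMPLE_WRITES).items()):
        print(f"PID {ppid} -> {sorted(kids.items())}")
    counts, findings = classify(SAMPLE_CMDLINES)
    for label, n in counts.most_common():
        print(f"{n:3d}  {label}")
    print("\n".join(findings))
```

Feeding the full Processes list to classify() instead of the subset gives the same three findings with larger regsvr32 and mofcomp counts; the phase order (disable, re-register, restore, recompile) is what distinguishes a repository rebuild from a one-off regsvr32 or mofcomp invocation, and the taskkill and sc stop targets are what make this particular script worth a second look.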

Uses Volume Shadow Copy WMI provider

ransomware

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cleaners\cleaner.bat"

C:\Windows\system32\cacls.exe

"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"

C:\Windows\system32\taskkill.exe

taskkill /f /im epicgameslauncher.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping_BE.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteLauncher.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im OneDrive.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im EpicGamesLauncher.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im UnrealCEFSubProcess.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im CEFProcess.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im EasyAntiCheat.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im BEService.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im BEServices.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im BattleEye.exe

C:\Windows\system32\sc.exe

Sc stop EasyAntiCheat

C:\Windows\system32\sc.exe

Sc stop FortniteClient-Win64-Shipping_EAC

C:\Windows\system32\sc.exe

Sc stop BattleEye

C:\Windows\system32\sc.exe

Sc stop FortniteClient-Win64-Shipping_BE

C:\Windows\system32\sc.exe

sc config winmgmt start= disabled

C:\Windows\system32\net.exe

net stop winmgmt /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop winmgmt /y

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir /b *.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s appbackgroundtask.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s cimwin32.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s DMWmiBridgeProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s DMWmiBridgeProv1.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s dnsclientcim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s dnsclientpsprovider.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s Dscpspluginwkr.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s dsprov.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s EmbeddedLockdownWmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s esscli.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s EventTracingManagement.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s fastprox.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s ipmiprr.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s ipmiprv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s KrnlProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s MDMAppProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s MDMSettingsProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s Microsoft.AppV.AppVClientWmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s Microsoft.Uev.AgentWmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s MMFUtil.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s mofd.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s mofinstall.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s msdtcwmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s msiprov.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s NCProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s ndisimplatcim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s NetAdapterCim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s netdacim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s NetEventPacketCapture.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s netnccim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s NetPeerDistCim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s netswitchteamcim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s NetTCPIP.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s netttcim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s nlmcim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s ntevt.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s PolicMan.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s PrintManagementProvider.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s qoswmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s RacWmiProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s repdrvfs.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s schedprov.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s ServDeps.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s SMTPCons.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s stdprov.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s vdswmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s viewprov.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s vpnclientpsprovider.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s vsswmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemcntl.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemcons.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemcore.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemdisp.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemess.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemprox.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemsvc.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WdacWmiProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wfascim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s Win32_EncryptableVolume.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s Win32_Tpm.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WinMgmtR.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WmiApRes.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WmiApRpl.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WMICOOKR.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WmiDcPrv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wmipcima.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wmipdfs.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wmipdskq.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WmiPerfClass.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WmiPerfInst.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WMIPICMP.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WMIPIPRT.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WMIPJOBJ.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wmiprov.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WmiPrvSD.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WMIPSESS.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WMIsvc.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wmitimep.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wmiutils.dll

C:\Windows\System32\wbem\WmiPrvSE.exe

wmiprvse /regserver

C:\Windows\System32\wbem\WinMgmt.exe

winmgmt /regserver

C:\Windows\system32\sc.exe

sc config winmgmt start= auto

C:\Windows\system32\net.exe

net start winmgmt

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir /s /b *.mof *.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\aeinv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AgentWmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AgentWmiUninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\appbackgroundtask.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\appbackgroundtask_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AuditRsop.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\authfwcfg.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\bcd.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\BthMtpEnum.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\cimdmtf.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\cimwin32.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\CIWmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\classlog.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\cli.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\cliegaliases.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ddp.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\dimsjob.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\dimsroam.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv1.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv1_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\dnsclientcim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\dnsclientpsprovider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\dnsclientpsprovider_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\drvinst.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\DscCore.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\DscCoreConfProv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\dscproxy.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\DscTimer.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\dsprov.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\eaimeapi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\embeddedlockdownwmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\embeddedlockdownwmi_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\EventTracingManagement.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\fdPHost.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\fdrespub.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\fdSSDP.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\fdWNet.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\fdWSD.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\filetrace.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\firewallapi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\FolderRedirectionWMIProvider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\FunDisc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\fwcfg.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\hbaapi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\hnetcfg.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\IMAPIv2-Base.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\IMAPIv2-FileSystemSupport.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\IMAPIv2-LegacyShim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\interop.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\IpmiDTrc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ipmiprv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\IpmiPTrc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ipsecsvc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\iscsidsc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\iscsihba.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\iscsiprf.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\iscsirem.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\iscsiwmiv2.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\iscsiwmiv2_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\kerberos.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\krnlprov.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\L2SecHC.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\lltdio.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\lltdsvc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\lsasrv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mblctr.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\MDMAppProv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\MDMAppProv_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\MDMSettingsProv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\MDMSettingsProv_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Microsoft-Windows-OfflineFiles.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Microsoft-Windows-Remote-FileSystem.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Microsoft.Uev.ManagedAgentWmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Microsoft.Uev.ManagedAgentWmiUninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mispace.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mispace_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mmc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mountmgr.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mpeval.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mpsdrv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mpssvc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\MsDtcWmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\msfeeds.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\msfeedsbs.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\msi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\msiscsi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\MsNetImPlatform.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mstsc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mstscax.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\msv1_0.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mswmdm.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ncprov.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ncsi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ndistrace.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetAdapterCim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetAdapterCimTrace.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetAdapterCimTraceUninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetAdapterCim_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\netdacim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\netdacim_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetEventPacketCapture.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetEventPacketCapture_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\netnccim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\netnccim_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetPeerDistCim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetPeerDistCim_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\netprofm.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetSwitchTeam.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetTCPIP.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetTCPIP_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\netttcim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\netttcim_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\networkitemfactory.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\newdev.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\nlasvc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\nlmcim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\nlmcim_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\nlsvc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\npivwmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\nshipsec.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ntevt.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ntfs.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\OfflineFilesConfigurationWmiProvider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\OfflineFilesConfigurationWmiProvider_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\OfflineFilesWmiProvider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\OfflineFilesWmiProvider_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\p2p-mesh.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\p2p-pnrp.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\pcsvDevice.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\pcsvDevice_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\PNPXAssoc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\PolicMan.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\polproc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\polprocl.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\polprou.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\polstore.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\portabledeviceapi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\portabledeviceclassextension.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\portabledeviceconnectapi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\portabledevicetypes.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\portabledevicewiacompat.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\powermeterprovider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\PowerPolicyProvider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ppcRsopCompSchema.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ppcRsopUserSchema.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\PrintFilterPipelineSvc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\PrintManagementProvider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\profileassociationprovider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\PS_MMAgent.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\qmgr.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\qoswmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\qoswmitrc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\qoswmitrc_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\qoswmi_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\RacWmiProv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\rdpendp.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\rdpinit.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\rdpshell.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\refs.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\refsv1.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\regevent.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Remove.Microsoft.AppV.AppvClientWmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\rsop.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\rspndr.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\samsrv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\scersop.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\schannel.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\SchedProv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\scm.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\scrcons.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\sdbus.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\secrcw32.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\SensorsClassExtension.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ServiceModel.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ServiceModel35.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\services.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\setupapi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\SmbWitnessWmiv2Provider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\smbwmiv2.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\smtpcons.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\sppwmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\sr.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\sstpsvc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\storagewmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\storagewmi_passthru.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\storagewmi_passthru_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\storagewmi_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\stortrace.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\subscrpt.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\system.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\tcpip.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\tsallow.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\tscfgwmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\tsmf.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\tspkg.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\umb.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\umbus.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\umpass.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\umpnpmgr.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\UserProfileConfigurationWmiProvider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\UserProfileWmiProvider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\UserStateWMIProvider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\vds.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\vpnclientpsprovider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\vpnclientpsprovider_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\vss.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WBEMCons.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wcncsvc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WdacEtwProv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WdacWmiProv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WdacWmiProv_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Wdf01000.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Wdf01000Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wdigest.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WFAPIGP.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wfascim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wfascim_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WFP.MOF

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wfs.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\whqlprov.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Win32_DeviceGuard.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\win32_encryptablevolume.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Win32_EncryptableVolumeUninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\win32_printer.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Win32_Tpm.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wininit.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\winipsec.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\winlogon.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Winsat.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WinsatUninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wlan.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WLanHC.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmipcima.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmipdfs.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmipdskq.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WmiPerfClass.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WmiPerfInst.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmipicmp.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmipiprt.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmipjobj.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmipsess.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmitimep.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WMI_Tracing.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmp.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmpnetwk.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wpdbusenum.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wpdcomp.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wpdfs.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wpdmtp.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wpdshext.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WPDShServiceObj.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wpdsp.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wpd_ci.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WsmAgent.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WsmAgentUninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WsmAuto.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wsp_fs.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wsp_fs_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wsp_health.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wsp_health_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wsp_sr.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wsp_sr_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WUDFx.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Wudfx02000.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Wudfx02000Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WUDFxUninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\xwizards.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\C599AFA5A6F053BAD70179501868318E.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\aeinv.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\appbackgroundtask.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\appbackgroundtask_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\cimdmtf.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\cimwin32.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\CIWmi.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\cli.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\cliegaliases.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\ddp.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\dnsclientcim.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\dnsclientpsprovider.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\dnsclientpsprovider_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\DscCore.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\DscCoreConfProv.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\DscProxy.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\DscTimer.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\dsprov.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\embeddedlockdownwmi.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\embeddedlockdownwmi_Uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\EventTracingManagement.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\filetrace.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\FolderRedirectionWMIProvider.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\hbaapi.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\interop.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\ipmiprv.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\iscsidsc.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\iscsiprf.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\iscsiwmiv2.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\iscsiwmiv2_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\krnlprov.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\l2gpstore.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\MDMAppProv.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\MDMAppProv_Uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\MDMSettingsProv.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\MDMSettingsProv_Uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\Microsoft-Windows-OfflineFiles.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\mispace.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\mispace_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\mpeval.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\MsDtcWmi.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\msfeeds.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\msfeedsbs.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\msi.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\MsNetImPlatform.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\mstsc.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\mstscax.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\ncprov.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\NetAdapterCim.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\NetAdapterCimTrace.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\NetAdapterCimTraceUninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\NetAdapterCim_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\netdacim.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\netdacim_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\NetEventPacketCapture.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\NetEventPacketCapture_Uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\netnccim.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\netnccim_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\NetPeerDistCim.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\NetPeerDistCim_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\NetSwitchTeam.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\NetTCPIP.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\NetTCPIP_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\netttcim.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\netttcim_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\nlmcim.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\nlmcim_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\npivwmi.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\ntevt.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\OfflineFilesConfigurationWmiProvider.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\OfflineFilesConfigurationWmiProvider_Uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\OfflineFilesWmiProvider.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\OfflineFilesWmiProvider_Uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\p2p-mesh.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\p2p-pnrp.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\pcsvDevice.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\pcsvDevice_Uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\PolicMan.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\polproc.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\polprocl.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\polprou.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\powermeterprovider.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\PowerPolicyProvider.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\PrintManagementProvider.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\profileassociationprovider.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\PS_MMAgent.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\qoswmi.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\qoswmitrc.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\qoswmitrc_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\qoswmi_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\RacWmiProv.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\rdpinit.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\rdpshell.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\regevent.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\rsop.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\schedprov.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\ScrCons.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\secrcw32.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\SmbWitnessWmiv2Provider.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\smbwmiv2.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\smtpcons.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\sppwmi.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\sr.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\storagewmi.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\storagewmi_passthru.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\storagewmi_passthru_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\storagewmi_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\subscrpt.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\system.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\tsallow.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\tscfgwmi.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\UserProfileConfigurationWmiProvider.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\UserProfileWmiProvider.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\UserStateWMIProvider.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\vds.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\vpnclientpsprovider.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\vpnclientpsprovider_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\vss.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\WbemCons.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wcncsvc.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\WdacWmiProv.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\WdacWmiProv_Uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wfascim.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wfascim_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wfs.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\whqlprov.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\Win32_DeviceGuard.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\win32_printer.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wininit.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\winlogon.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wmi.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wmipcima.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wmipdfs.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wmipdskq.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wmipicmp.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wmipiprt.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wmipjobj.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wmipsess.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wmitimep.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wmpnetwk.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wsp_fs.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wsp_fs_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wsp_health.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wsp_health_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wsp_sr.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\wsp_sr_uninstall.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\WUDFx.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\WUDFx02000.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\en-US\xwizards.mfl

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping_EAC.exe: B1 8A B0 E9 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\EasyAntiCheat\EasyAntiCheat_Setup.exe: 73 D5 4B 11 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping.exe: E7 CB 84 E9 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"

C:\Windows\system32\reg.exe

reg delete "HKU\.Dreg delete "HKEY_CURRENT_USER\Software\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Description: "Provides integrated security and services for online multiplayer games."" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat\GamesInstalled: "217;"" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Type: 0x00000010" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Start: 0x00000003" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\WOW64: 0x0000014C" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Type: 0x00000010" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Start: 0x00000003" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\WOW64: 0x0000014C" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ObjectName: "LocalSystem"" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Description: "Provides integrated security and services for online multiplayer games. /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d r3950 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d r18451 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {be11991} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {fefefee1569-25715-18458-24510} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {fefefe21942-28436-23387-11984} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d r26432 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d r29302 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d r3189 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {randomd16385-17267-14029-7135} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {BE18107} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {12703-380-10108-24357} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {15327-22654-28783-3237} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 17300 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 5380 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 13104 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 420-14865-2399-17887 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 5265 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {20888-15905-28889-1576} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 14982-2687-13706-31988 /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f

C:\Windows\system32\reg.exe

REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v InstallDate /t REG_SZ /d 16586 /f

C:\Windows\system32\reg.exe

REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v ProductId /t REG_SZ /d 3066 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\System\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 30594 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\System\CurrentControlSet\Control\WMI\Security /v 671a8285-4edb-4cae-99fe-69a15c48c0bc /t REG_SZ /d 23058 /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d TS-eac23963 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d TS-16703 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {eac15306} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {TS-19257-4459-19531-29304} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {TS-15863-6678-8146-32385} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d TS-6205 /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 22880 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 7138 /f

C:\Windows\system32\reg.exe

reg delete"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WMI\Security\" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSVendor /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSReleaseDate /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemProductName /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemManufacturer /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f

Network

Country Destination Domain Proto
SE 192.229.221.95:80 tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 20.189.173.15:443 tcp

Files

C:\Windows\System32\wbem\Performance\WmiApRpl.h

C:\Windows\System32\wbem\Performance\WmiApRpl.ini

C:\Windows\System32\perfh009.dat

C:\Windows\System32\perfc009.dat


Analysis: behavioral4

Detonation Overview

Submitted

2024-06-20 12:39

Reported

2024-06-20 12:41

Platform

win11-20240611-en

Max time kernel

0s

Command Line

"C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.exe"

Signatures

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.exe

"C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.exe"

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-20 12:39

Reported

2024-06-20 12:41

Platform

win11-20240611-en

Max time kernel

66s

Max time network

72s

Command Line

"C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe"

Signatures

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe

"C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe"

Network

Country Destination Domain Proto
GB 51.132.193.104:443 tcp
SE 192.229.221.95:80 tcp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-20 12:39

Reported

2024-06-20 13:09

Platform

win11-20240508-en

Max time kernel

1738s

Max time network

1751s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\spoofers\serial_checker.bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\spoofers\serial_checker.bat"

C:\Windows\System32\Wbem\WMIC.exe

wmic diskdrive get model, serialnumber

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get serialnumber

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get serialnumber

C:\Windows\System32\Wbem\WMIC.exe

wmic baseboard get serialnumber

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_computersystemproduct get uuid

C:\Windows\system32\getmac.exe

getmac

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A