Analysis Overview
SHA256
4ee85019c1ae4d1abf8ea1908f635339d0a4af88ba185dc30e1104e68c7c902e
Threat Level: Known bad
The file cleaners.zip was found to be: Known bad.
Malicious Activity Summary
Disables service(s)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Server Software Component: Terminal Services DLL
Stops running service(s)
Themida packer
Event Triggered Execution: Component Object Model Hijacking
Checks BIOS information in registry
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Drops file in Windows directory
Launches sc.exe
Unsigned PE
Runs net.exe
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Modifies registry key
Suspicious use of WriteProcessMemory
Kills process with taskkill
Uses Volume Shadow Copy WMI provider
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-20 12:39
Signatures
Themida packer
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 12:39
Reported
2024-06-20 13:09
Platform
win11-20240611-en
Max time kernel
1791s
Max time network
1502s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe | N/A |
Themida packer
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe
"C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Battle.net.exe
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-20 12:39
Reported
2024-06-20 13:10
Platform
win11-20240508-en
Max time kernel
1760s
Max time network
1775s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.sys
C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.sys
C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.sys
Network
| Country | Destination | Domain | Proto |
| IE | 52.111.236.22:443 | | tcp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-20 12:39
Reported
2024-06-20 13:09
Platform
win11-20240508-en
Max time kernel
1734s
Max time network
1745s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\spoofers\gsoftgmx64.sys
C:\Users\Admin\AppData\Local\Temp\spoofers\gsoftgmx64.sys
C:\Users\Admin\AppData\Local\Temp\spoofers\gsoftgmx64.sys
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/1900-0-0x0000000000010000-0x0000000000017000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 12:39
Reported
2024-06-20 13:09
Platform
win11-20240508-en
Max time kernel
1680s
Max time network
1693s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\Spoofer.exe"
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-20 12:39
Reported
2024-06-20 12:41
Platform
win11-20240611-en
Max time kernel
50s
Max time network
70s
Command Line
Signatures
Disables service(s)
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Winmgmt\Parameters\ServiceDll = "%SystemRoot%\\system32\\wbem\\WMIsvc.dll" | C:\Windows\system32\regsvr32.exe | N/A |
Stops running service(s)
Event Triggered Execution: Component Object Model Hijacking
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\wbem\repository | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\wbem\Performance\WmiApRpl_new.h | C:\Windows\system32\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\repository\OBJECTS.DATA | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\repository\MAPPING2.MAP | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\repository\MAPPING3.MAP | C:\Windows\system32\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\inf\WmiApRpl\WmiApRpl.ini | C:\Windows\system32\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\inf\WmiApRpl\WmiApRpl.ini | C:\Windows\system32\regsvr32.exe | N/A |
| File created | C:\Windows\inf\WmiApRpl\WmiApRpl.h | C:\Windows\system32\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\inf\WmiApRpl\WmiApRpl.h | C:\Windows\system32\regsvr32.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1EF94880-01A8-11D2-A90B-00AA00BF3363}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WbemScripting.SWbemLocator.1 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25411283-46FC-4326-8DF2-FF5D34B2DFEF}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4950C79-806D-4ECE-9DB1-11B34D33F514}\InProcServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AA70DDF4-E11C-11D1-ABB0-00C04FD9159E} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemLocator\CurVer\ = "WbemScripting.SWbemLocator.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemNamedValueSet.1\ = "WBEM Scripting Named Value Collection 1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{47DFBE54-CF76-11D3-B38F-00105A1F473A} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\APPID\{8bc3f05e-d86b-11d0-a075-00c04fb68820} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4950C79-806D-4ECE-9DB1-11B34D33F514}\InprocServer32\ = "C:\\Windows\\System32\\wbem\\Microsoft.Uev.AgentWmi.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7E9D3B9-E62B-4A90-8CC5-A3C5F662DA7B} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WbemScripting.SWbemRefresher | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{44ACA675-E8FC-11D0-A07C-00C04FB68820} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCF7A6F2-3300-4386-9A4F-0DD4E3226507}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7016F8FA-CCDA-11D2-B35C-00105A1F8177} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6B100E1A-1385-4D1F-A02E-6E705A76BB6C}\1.0 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0438D53A-9A57-423C-9E54-9612C4576257}\1.0\HELPDIR | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C19BE34-7500-11D1-AD94-00C04FD8FDFF} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JobObjectProv.JobObjectProv\CurVer\ = "JobObjectProv.JobObjectProv.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1108BE51-F58A-4CDA-BB99-7A0227D11D5E}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4950C79-806D-4ECE-9DB1-11B34D33F514}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Clsid\{D215781D-019E-4FA0-903D-0CDCDE13A4F5}\InProcServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3AE0080A-7E3A-4366-BF89-0FEEDC931659}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F598975-37E0-4A67-A992-116680F0CEDA}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{1EF94880-01A8-11D2-A90B-00AA00BF3363} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FA77A74E-E109-11D0-AD6E-00C04FD8FDFF}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WINMGMTS | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemDateTime.1\ = "WBEM Scripting DateTime 1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{04963311-C399-408E-AD51-05D01506EED0}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E246107B-B06E-11D0-AD61-00C04FD8FDFF} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9A653086-174F-11D2-B5F9-00104B703EFD}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JobObjLimitInfoProv.JobObjLimitInfoProv.1\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{443E7B79-DE31-11D2-B340-00104BCC4B4A} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{755F9DA7-7508-11D1-AD94-00C04FD8FDFF} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{04788120-12C2-498D-83C1-A7D92E677AC6}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9A653086-174F-11D2-B5F9-00104B703EFD} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Krnlprov.KernelTraceProvider\CurVer\ = "Krnlprov.KernelTraceProvider.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60E512D4-C47B-11D2-B338-00105A1F4AAF} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{631F7D97-D993-11D2-B339-00105A1F4AAF}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WMISnapinAbout.1\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F0E4EDDE-475A-498A-93D7-D4347F68A8F3}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AB40A5C1-804B-40BD-9DFE-A640691C6956}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AA527A40-4D9A-11D2-93AD-00805F853771}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{5791BC26-CE9C-11D1-97BF-0000F81E849C} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31739D04-3471-4CF4-9A7C-57A44AE71956}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B1B55910-8BA0-47A5-A16E-2B733B1D987C} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5A55D36-8750-432C-AB52-AD49A016EABC} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F598975-37E0-4A67-A992-116680F0CEDA}\NotInsertable | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{6E78DAD9-E187-4D6E-BA63-760256D6F405} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EC231970-6AFD-4215-A72E-97242BB08680} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C19BE34-7500-11D1-AD94-00C04FD8FDFF}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JobObjSecLimitInfoProv.JobObjSecLimitInfoProv.1 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{35B78F79-B973-48C8-A045-CAEC732A35D5} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4590F812-1D3A-11D0-891F-00AA004B2E24} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{44ACA675-E8FC-11D0-A07C-00C04FB68820}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C49E32C7-BC8B-11D2-85D4-00105A1F8304}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
Modifies registry key
Runs net.exe
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy WMI provider
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cleaners\cleaner.bat"
C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
C:\Windows\system32\taskkill.exe
taskkill /f /im epicgameslauncher.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteLauncher.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im OneDrive.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im UnrealCEFSubProcess.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im CEFProcess.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im EasyAntiCheat.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im BEService.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im BEServices.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im BattleEye.exe
C:\Windows\system32\sc.exe
Sc stop EasyAntiCheat
C:\Windows\system32\sc.exe
Sc stop FortniteClient-Win64-Shipping_EAC
C:\Windows\system32\sc.exe
Sc stop BattleEye
C:\Windows\system32\sc.exe
Sc stop FortniteClient-Win64-Shipping_BE
C:\Windows\system32\sc.exe
sc config winmgmt start= disabled
C:\Windows\system32\net.exe
net stop winmgmt /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop winmgmt /y
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b *.dll
C:\Windows\System32\wbem\WmiPrvSE.exe
wmiprvse /regserver
C:\Windows\System32\wbem\WinMgmt.exe
winmgmt /regserver
C:\Windows\system32\sc.exe
sc config winmgmt start= auto
C:\Windows\system32\net.exe
net start winmgmt
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /s /b *.mof *.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\DscCoreConfProv.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\DscProxy.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\DscTimer.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\dsprov.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\embeddedlockdownwmi.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\embeddedlockdownwmi_Uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\EventTracingManagement.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\filetrace.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\FolderRedirectionWMIProvider.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\hbaapi.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\interop.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\ipmiprv.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\iscsidsc.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\iscsiprf.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\iscsiwmiv2.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\iscsiwmiv2_uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\krnlprov.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\l2gpstore.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\MDMAppProv.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\MDMAppProv_Uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\MDMSettingsProv.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\MDMSettingsProv_Uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\Microsoft-Windows-OfflineFiles.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\mispace.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\mispace_uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\mpeval.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\MsDtcWmi.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\msfeeds.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\msfeedsbs.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\msi.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\MsNetImPlatform.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\mstsc.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\mstscax.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\ncprov.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\NetAdapterCim.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\NetAdapterCimTrace.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\NetAdapterCimTraceUninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\NetAdapterCim_uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\netdacim.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\netdacim_uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\NetEventPacketCapture.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\NetEventPacketCapture_Uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\netnccim.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\netnccim_uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\NetPeerDistCim.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\NetPeerDistCim_uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\NetSwitchTeam.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\NetTCPIP.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\NetTCPIP_uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\netttcim.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\netttcim_uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\nlmcim.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\nlmcim_uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\npivwmi.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\ntevt.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\OfflineFilesConfigurationWmiProvider.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\OfflineFilesConfigurationWmiProvider_Uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\OfflineFilesWmiProvider.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\OfflineFilesWmiProvider_Uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\p2p-mesh.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\p2p-pnrp.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\pcsvDevice.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\pcsvDevice_Uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\PolicMan.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\polproc.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\polprocl.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\polprou.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\powermeterprovider.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\PowerPolicyProvider.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\PrintManagementProvider.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\profileassociationprovider.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\PS_MMAgent.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\qoswmi.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\qoswmitrc.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\qoswmitrc_uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\qoswmi_uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\RacWmiProv.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\rdpinit.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\rdpshell.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\regevent.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\rsop.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\schedprov.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\ScrCons.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\secrcw32.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\SmbWitnessWmiv2Provider.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\smbwmiv2.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\smtpcons.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\sppwmi.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\sr.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\storagewmi.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\storagewmi_passthru.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\storagewmi_passthru_uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\storagewmi_uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\subscrpt.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\system.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\tsallow.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\tscfgwmi.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\UserProfileConfigurationWmiProvider.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\UserProfileWmiProvider.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\UserStateWMIProvider.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\vds.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\vpnclientpsprovider.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\vpnclientpsprovider_uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\vss.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\WbemCons.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wcncsvc.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\WdacWmiProv.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\WdacWmiProv_Uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wfascim.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wfascim_uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wfs.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\whqlprov.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\Win32_DeviceGuard.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\win32_printer.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wininit.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\winlogon.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wmi.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wmipcima.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wmipdfs.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wmipdskq.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wmipicmp.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wmipiprt.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wmipjobj.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wmipsess.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wmitimep.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wmpnetwk.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wsp_fs.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wsp_fs_uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wsp_health.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wsp_health_uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wsp_sr.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\wsp_sr_uninstall.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\WUDFx.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\WUDFx02000.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\en-US\xwizards.mfl
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping_EAC.exe: B1 8A B0 E9 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\EasyAntiCheat\EasyAntiCheat_Setup.exe: 73 D5 4B 11 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping.exe: E7 CB 84 E9 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"
C:\Windows\system32\reg.exe
reg delete "HKU\.Dreg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Description: "Provides integrated security and services for online multiplayer games."" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat\GamesInstalled: "217;"" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Type: 0x00000010" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Start: 0x00000003" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\WOW64: 0x0000014C" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Type: 0x00000010" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Start: 0x00000003" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\WOW64: 0x0000014C" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ObjectName: "LocalSystem"" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Description: "Provides integrated security and services for online multiplayer games. /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d r3950 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d r18451 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {be11991} /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {fefefee1569-25715-18458-24510} /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {fefefe21942-28436-23387-11984} /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d r26432 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d r29302 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d r3189 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {randomd16385-17267-14029-7135} /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {BE18107} /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {12703-380-10108-24357} /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {15327-22654-28783-3237} /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 17300 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 5380 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 13104 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 420-14865-2399-17887 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 5265 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {20888-15905-28889-1576} /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 14982-2687-13706-31988 /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f
C:\Windows\system32\reg.exe
REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v InstallDate /t REG_SZ /d 16586 /f
C:\Windows\system32\reg.exe
REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v ProductId /t REG_SZ /d 3066 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\System\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 30594 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\System\CurrentControlSet\Control\WMI\Security /v 671a8285-4edb-4cae-99fe-69a15c48c0bc /t REG_SZ /d 23058 /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d TS-eac23963 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d TS-16703 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {eac15306} /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {TS-19257-4459-19531-29304} /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {TS-15863-6678-8146-32385} /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d TS-6205 /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 22880 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 7138 /f
C:\Windows\system32\reg.exe
reg delete"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WMI\Security\" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSVendor /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSReleaseDate /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemProductName /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemManufacturer /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
Network
| Country | Destination | Domain | Proto |
| SE | 192.229.221.95:80 | | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 20.189.173.15:443 | | tcp |
Files
C:\Windows\System32\wbem\Performance\WmiApRpl.h
C:\Windows\System32\wbem\Performance\WmiApRpl.ini
C:\Windows\System32\perfh009.dat
C:\Windows\System32\perfc009.dat
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-20 12:39
Reported
2024-06-20 12:41
Platform
win11-20240611-en
Max time kernel
0s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.exe
"C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx32.exe"
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-20 12:39
Reported
2024-06-20 12:41
Platform
win11-20240611-en
Max time kernel
66s
Max time network
72s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe
"C:\Users\Admin\AppData\Local\Temp\spoofers\CupFixerx64.exe"
Network
| Country | Destination | Domain | Proto |
| GB | 51.132.193.104:443 | | tcp |
| SE | 192.229.221.95:80 | | tcp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-20 12:39
Reported
2024-06-20 13:09
Platform
win11-20240508-en
Max time kernel
1738s
Max time network
1751s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\spoofers\serial_checker.bat"
C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get model, serialnumber
C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get serialnumber
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get serialnumber
C:\Windows\System32\Wbem\WMIC.exe
wmic baseboard get serialnumber
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_computersystemproduct get uuid
C:\Windows\system32\getmac.exe
getmac
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |