Analysis Overview
SHA256
4a5b27ec785d877333ae182ea185179b3979295d6a417e62bf49ffb921ddf113
Threat Level: Known bad
The file FN-TOOLZ-main.zip was found to be: Known bad.
Malicious Activity Summary
Deletes NTFS Change Journal
Nirsoft
Disables service(s)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Deletes shadow copies
Clears Windows event logs
Stops running service(s)
Server Software Component: Terminal Services DLL
Event Triggered Execution: Component Object Model Hijacking
Modifies system executable filetype association
Reads user/profile data of web browsers
Themida packer
Checks BIOS information in registry
Drops startup file
Enumerates connected drives
Drops desktop.ini file(s)
Maps connected drives based on registry
Checks whether UAC is enabled
Power Settings
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Launches sc.exe
Drops file in Windows directory
Event Triggered Execution: Netsh Helper DLL
Unsigned PE
Enumerates physical storage devices
Kills process with taskkill
Modifies registry key
Checks processor information in registry
Uses Volume Shadow Copy service COM API
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Runs ping.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Gathers network information
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
Modifies Internet Explorer settings
Uses Volume Shadow Copy WMI provider
Modifies registry class
Suspicious use of SendNotifyMessage
Suspicious behavior: LoadsDriver
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Uses Task Scheduler COM API
Interacts with shadow copies
Analysis: static1
Detonation Overview
Reported
2024-06-26 20:50
Signatures
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-26 20:50
Reported
2024-06-26 20:56
Platform
win10v2004-20240611-en
Max time kernel
219s
Max time network
276s
Command Line
Signatures
Drops file in Windows directory
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1396 wrote to memory of 5012 | N/A | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hwinfo64.exe | C:\Windows\system32\cmd.exe |
| PID 1396 wrote to memory of 5012 | N/A | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hwinfo64.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hwinfo64.exe
"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hwinfo64.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3BC1.tmp\3BC2.tmp\3BD2.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hwinfo64.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\3BC1.tmp\3BC2.tmp\3BD2.bat
| MD5 | b167ed32d02958ecb5da9970588d75bd |
| SHA1 | 9e228b33c211ee61643e8552274d02f5ed0364b8 |
| SHA256 | bfe45fae74d911a3b6be21e044f061526362206af32d608aad05d1dc0002098f |
| SHA512 | 8bf1ea0765ccc924e95f57e69e2502efa75d86242338091ca939ac8830db6b991a9b4901d7c1a83c3fae6eaaef27a35f462abb32d2a5913203917834d5be00a3 |
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-26 20:50
Reported
2024-06-26 20:56
Platform
win10v2004-20240611-en
Max time kernel
223s
Max time network
275s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4024 wrote to memory of 3716 | N/A | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\kwg.exe | C:\Windows\system32\cmd.exe |
| PID 4024 wrote to memory of 3716 | N/A | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\kwg.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\kwg.exe
"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\kwg.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3662.tmp\3663.tmp\3664.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\kwg.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\3662.tmp\3663.tmp\3664.bat
| MD5 | 981d727788f3a19185770ef07422f665 |
| SHA1 | c385d4b29e675d66e5e5321df58c2c2f8aff011c |
| SHA256 | da0eed270a5528d0d85611d1f01952aee01bc5637481509e7e61cac17fe2edde |
| SHA512 | 7a49aa1647f2f6b4376ea7161d4de955fef8672bc5ae27bbdd759d0434e4f9301e46f22e8d3f02e920818999cf22cdbe05f2c9303f24c4f0ab2ca50d9dd4c6ad |
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-26 20:50
Reported
2024-06-26 20:56
Platform
win10v2004-20240226-en
Max time kernel
228s
Max time network
310s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\luiapi.dll,#1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3808 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-06-26 20:50
Reported
2024-06-26 20:56
Platform
win10v2004-20240611-en
Max time kernel
292s
Max time network
305s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\FN-TOOLZ-main\applecleaner.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\FN-TOOLZ-main\applecleaner.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\FN-TOOLZ-main\applecleaner.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\FN-TOOLZ-main\applecleaner.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FN-TOOLZ-main\applecleaner.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\FN-TOOLZ-main\applecleaner.exe
"C:\Users\Admin\AppData\Local\Temp\FN-TOOLZ-main\applecleaner.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Battle.net.exe
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-26 20:50
Reported
2024-06-26 20:56
Platform
win10v2004-20240611-en
Max time kernel
234s
Max time network
276s
Command Line
Signatures
Enumerates physical storage devices
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsg.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsg.exe
"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsg.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /flushdns > nul 2> nul
C:\Windows\system32\ipconfig.exe
ipconfig /flushdns
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /release > nul 2> nul
C:\Windows\system32\ipconfig.exe
ipconfig /release
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /renew > nul 2> nul
C:\Windows\system32\ipconfig.exe
ipconfig /renew
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c .\reset_adapters.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pause
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4112,i,1305347165619645738,15927664461101562802,262144 --variations-seed-version --mojo-platform-channel-handle=4256 /prefetch:8
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-26 20:50
Reported
2024-06-26 20:56
Platform
win10v2004-20240611-en
Max time kernel
198s
Max time network
206s
Command Line
Signatures
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1828 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\ccl.exe | C:\Windows\system32\cmd.exe |
| PID 1828 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\ccl.exe | C:\Windows\system32\cmd.exe |
| PID 3036 wrote to memory of 396 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 3036 wrote to memory of 396 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 3036 wrote to memory of 5052 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 3036 wrote to memory of 5052 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 3036 wrote to memory of 4532 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 3036 wrote to memory of 4532 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\ccl.exe
"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\ccl.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\51AA.tmp\51AB.tmp\51AC.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\ccl.exe"
C:\Windows\system32\taskkill.exe
taskkill /f /im EscapeFromTarkov.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im EscapeFromTarkov_BE.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im BsgLauncher.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\51AA.tmp\51AB.tmp\51AC.bat
| MD5 | eb8db91c18a62f691408bb0b176d21f6 |
| SHA1 | 975b3e870d68d404d6f4caefb83e0e94edff15f8 |
| SHA256 | 0f0dddce6005eca40546a881aff76cddbc6b609845c1a9266f03fbdb9245cd74 |
| SHA512 | e3fc3edbc26a826fa136f5da9be1230ce2c4d6f24f7b0d4345abfdacde1f890b7592bc8dcc03758b400abed6d565528f4edecd712a205d2ad5849120275b9caf |
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-26 20:50
Reported
2024-06-26 20:56
Platform
win10v2004-20240611-en
Max time kernel
134s
Max time network
205s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1572 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hssft.exe | C:\Windows\system32\cmd.exe |
| PID 1572 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hssft.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hssft.exe
"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hssft.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3681.tmp\3682.tmp\3693.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hssft.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\3681.tmp\3682.tmp\3693.bat
| MD5 | 981d727788f3a19185770ef07422f665 |
| SHA1 | c385d4b29e675d66e5e5321df58c2c2f8aff011c |
| SHA256 | da0eed270a5528d0d85611d1f01952aee01bc5637481509e7e61cac17fe2edde |
| SHA512 | 7a49aa1647f2f6b4376ea7161d4de955fef8672bc5ae27bbdd759d0434e4f9301e46f22e8d3f02e920818999cf22cdbe05f2c9303f24c4f0ab2ca50d9dd4c6ad |
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-26 20:50
Reported
2024-06-26 20:56
Platform
win10v2004-20240508-en
Max time kernel
227s
Max time network
243s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hwbd64.exe
"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hwbd64.exe"
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-26 20:50
Reported
2024-06-26 20:56
Platform
win10v2004-20240508-en
Max time kernel
243s
Max time network
259s
Command Line
Signatures
Event Triggered Execution: Component Object Model Hijacking
Modifies registry class
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9EB34008-F34A-4D88-BD3A-0D597908C5A4}\ = "PSFactoryBuffer" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EB34008-F34A-4D88-BD3A-0D597908C5A4} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35481B58-F46C-4254-B52C-FDC3001484C3}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{959C5A99-177C-478E-8C3B-77E07E9BF3AA}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE5A9FEE-1C29-4AAE-A6B7-FEB0E4C96D5E}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9EB34008-F34A-4D88-BD3A-0D597908C5A4}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Tournament_Fixer\\AdditionalRuntimes\\lsmproxy.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98167041-8333-4947-9d72-d65d5a751c11}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{75A446C5-40B7-41D3-8D53-292652C04121}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98167041-8333-4947-9d72-d65d5a751c11}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A8105B4F-7D5A-402B-AAC0-FD85DAECF94C} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A8A5D71-D95B-4DCD-915E-F9F6D31879AD} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CFC351CD-3795-458E-B590-34046794AB2F}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A9052EEA-734F-41D8-978B-E32CAD12381A}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CFF90F7-F175-4277-BF0A-408906B22B75}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{02E6EC4C-96E4-42E8-B533-336916A0087D}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CFC351CD-3795-458E-B590-34046794AB2F} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A9052EEA-734F-41D8-978B-E32CAD12381A}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9EB34008-F34A-4D88-BD3A-0D597908C5A4}\InProcServer32\ThreadingModel = "Both" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{c2d3e131-c587-49b4-8bae-f0ee269eeb31} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A46A6E50-0994-4639-AADA-296488B58AC1}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{959C5A99-177C-478E-8C3B-77E07E9BF3AA} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5C45AA3-B042-4C7D-92D8-A454106844B7}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE5A9FEE-1C29-4AAE-A6B7-FEB0E4C96D5E} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9EB34008-F34A-4D88-BD3A-0D597908C5A4} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{c2d3e131-c587-49b4-8bae-f0ee269eeb31}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5C45AA3-B042-4C7D-92D8-A454106844B7}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EB34008-F34A-4D88-BD3A-0D597908C5A4}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A8105B4F-7D5A-402B-AAC0-FD85DAECF94C}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1B7DE7A-4E77-43DB-AE78-96FC182FED4A} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{043C0DB0-345F-4715-BD44-BB53FE1CC603} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{043C0DB0-345F-4715-BD44-BB53FE1CC603}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{517F87FE-597A-4672-8555-6DAF1C8C788D}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ABDE9756-B57E-4BD3-A393-C70F9ED04277}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A8A5D71-D95B-4DCD-915E-F9F6D31879AD}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5C45AA3-B042-4C7D-92D8-A454106844B7} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6344A5B7-EF1C-47BA-98B7-28C664427793}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\lsmproxy.dll
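The rows above record regsvr32 wiring CLSID {9EB34008-F34A-4D88-BD3A-0D597908C5A4} to a DLL under the user's Temp directory (InProcServer32, ThreadingModel "Both", PSFactoryBuffer as the friendly name), plus a set of Interface\{...}\ProxyStubClsid32 keys that route marshalling for those interfaces to it. The script below is an added example, not part of the sandbox report or of the analysed sample: it parses rows in the report's own `| Description | Indicator | Process | Target |` layout, rebuilds each CLSID registration and flags in-process servers whose DLL sits in a user-writable location. The embedded rows are constructed for the example (the first four mirror the lsmproxy.dll entries above; the control entry with CLSID {00000000-1111-2222-3333-444444444444} and `example.dll` is made up), and the list of "user-writable" path markers is an assumption, not something the report states.

```python
"""Added example, not part of the sandbox report or of the analysed sample.
It parses registry-event rows in the report's own
'| Description | Indicator | Process | Target |' layout, rebuilds the COM
class registrations they describe and flags in-process servers whose
InProcServer32 path sits in a user-writable location.  The rows embedded
below are constructed for the example."""
import re
from dataclasses import dataclass

# Constructed rows in the report's layout.  The first four mirror the
# lsmproxy.dll registration above; the last is a benign control with a made-up
# CLSID whose server lives in System32.
SAMPLE_ROWS = r"""
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9EB34008-F34A-4D88-BD3A-0D597908C5A4}\InProcServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9EB34008-F34A-4D88-BD3A-0D597908C5A4}\ = "PSFactoryBuffer" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9EB34008-F34A-4D88-BD3A-0D597908C5A4}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Tournament_Fixer\\AdditionalRuntimes\\lsmproxy.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9EB34008-F34A-4D88-BD3A-0D597908C5A4}\InProcServer32\ThreadingModel = "Both" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E796D86-376C-46FE-8381-43982EDD00FE}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000000-1111-2222-3333-444444444444}\InProcServer32\ = "C:\\Windows\\System32\\example.dll" | C:\Windows\system32\regsvr32.exe | N/A |
"""

# Assumed set of locations an unprivileged user can write to.  A COM server
# loaded from here can be swapped out without admin rights.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# 'Set value' indicators look like  <key>\<valuename> = "<value>"  where the
# value name is empty for a key's default value.
SET_VALUE_RE = re.compile(r'^(?P<key>.+?)\\(?P<name>[^\\]*) = "(?P<value>.*)"$')
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-F-]{36}\})", re.IGNORECASE)


@dataclass
class ComClass:
    clsid: str
    registered_by: str          # process that wrote the keys
    server: str = ""            # InProcServer32 default value, i.e. the DLL path
    threading_model: str = ""
    friendly_name: str = ""


def parse_rows(text: str) -> list[tuple[str, str, str]]:
    """Return (description, indicator, process) for every table row."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().split("|")]
        # A well-formed row splits into ['', desc, indicator, process, target, '']
        if len(cells) == 6 and cells[1] not in ("", "Description"):
            rows.append((cells[1], cells[2], cells[3]))
    return rows


def build_classes(text: str) -> dict[str, ComClass]:
    """Group rows by CLSID; Interface\\{...} rows carry no server path and are skipped."""
    classes: dict[str, ComClass] = {}
    for _desc, indicator, process in parse_rows(text):
        m = SET_VALUE_RE.match(indicator)
        key = m["key"] if m else indicator
        cm = CLSID_RE.search(key)
        if not cm:
            continue
        clsid = cm.group(1).upper()
        cls = classes.setdefault(clsid, ComClass(clsid, process))
        if not m:
            continue                     # "Key created" rows carry no value
        value = m["value"].replace("\\\\", "\\")   # the report doubles backslashes
        subkey = key[cm.end():].strip("\\").lower()
        name = m["name"].lower()
        if subkey == "inprocserver32" and name == "":
            cls.server = value
        elif subkey == "inprocserver32" and name == "threadingmodel":
            cls.threading_model = value
        elif subkey == "" and name == "":
            cls.friendly_name = value
    return classes


def is_user_writable(path: str) -> bool:
    """True when the DLL could be replaced without administrative rights."""
    p = path.lower()
    if not re.match(r"[a-z]:\\", p):
        return True                      # relative or bare name: DLL search order applies
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def suspicious_com_servers(text: str) -> list[tuple[str, str, str]]:
    """(clsid, dll_path, registering_process) for every server in a writable path."""
    return [(c.clsid, c.server, c.registered_by)
            for c in build_classes(text).values()
            if c.server and is_user_writable(c.server)]


if __name__ == "__main__":
    for clsid, dll, proc in suspicious_com_servers(SAMPLE_ROWS):
        print(f"{clsid} -> {dll} (registered by {proc})")
```

The same logic applies to a live host by feeding it rows exported from HKLM\SOFTWARE\Classes\CLSID and the per-user HKCU\Software\Classes\CLSID hive (the per-user hive takes precedence for COM lookups and needs no elevation to write, which is why it is the usual hijack target). A Temp path is not proof of malice on its own, since some installers stage DLLs there before moving them, so confirm the DLL's hash and signature before acting on a hit.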
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-26 20:50
Reported
2024-06-26 20:55
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
278s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\MCCSPal.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-26 20:50
Reported
2024-06-26 20:56
Platform
win10v2004-20240611-en
Max time kernel
234s
Max time network
259s
Command Line
Signatures
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\MaintenanceUI.dll
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2312,i,16866810346450717340,3849854439116899380,262144 --variations-seed-version --mojo-platform-channel-handle=3832 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-26 20:50
Reported
2024-06-26 20:56
Platform
win10v2004-20240611-en
Max time kernel
223s
Max time network
206s
Command Line
Signatures
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hwinfo32.exe
"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hwinfo32.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3F0C.tmp\3F0D.tmp\3F0E.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hwinfo32.exe"
C:\Windows\system32\taskkill.exe
taskkill /f /im epicgameslauncher.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteLauncher.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im OneDrive.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im UnrealCEFSubProcess.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im CEFProcess.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im EasyAntiCheat.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im BEService.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im BEServices.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im BattleEye.exe
C:\Windows\system32\reg.exe
reg delete "HKEY_USERS\.DEFAULT\Software\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\System\GameConfigStore\Children\204ecad0-2ffb-4b38-b78e-9abdba56e0ca" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\System\GameConfigStore\Children\6b64878b-0bcf-41ea-9d66-e883da2aae74" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.eos" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f
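The listing above shows one coherent sequence: hwinfo32.exe runs a batch file from a random-named Temp subdirectory, the batch force-kills the Epic launcher, the Fortnite client and the EasyAntiCheat/BattlEye processes, then runs a long series of `reg delete ... /f` against the Epic Games, Unreal Engine Identifiers/Hardware Survey, GameConfigStore and com.epicgames.launcher keys plus the SystemStartOptions and Direct3D\WHQLClass values. Each step is unremarkable alone (scripts kill OneDrive.exe all the time); the combination is what an analyst wants to score. The script below is an added example, not part of the sandbox report or of the analysed sample: it reads a process listing in the report's two-line layout (image path, then command line), buckets the taskkill targets and reg deletes, and returns a weighted score. The embedded listing is constructed from a subset of the commands above; the anti-cheat process names and the registry key markers are taken from that listing, while grouping them into one "identity/telemetry" bucket and the scoring weights are assumptions made for the example.

```python
"""Added example, not part of the sandbox report or of the analysed sample.
Scores a process-creation listing in the report's two-line layout (image
path, then command line) for the combination seen in behavioral10: a batch
file launched from %TEMP% that force-kills anti-cheat and launcher processes
and then deletes the publisher's registry identity keys.  The listing below
is constructed for the example."""
import re

# Constructed listing in the report's layout (subset of the commands above).
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hwinfo32.exe
"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hwinfo32.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3F0C.tmp\3F0D.tmp\3F0E.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hwinfo32.exe"
C:\Windows\system32\taskkill.exe
taskkill /f /im EasyAntiCheat.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im BEService.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im OneDrive.exe
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f
"""

IMAGE_RE = re.compile(r'^[A-Za-z]:\\[^"]*\.exe$', re.IGNORECASE)
TASKKILL_RE = re.compile(r"/im\s+(\S+)", re.IGNORECASE)
REG_DELETE_RE = re.compile(r'reg\s+delete\s+"([^"]+)"(?:\s+/v\s+(\S+))?', re.IGNORECASE)
BAT_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.bat)', re.IGNORECASE)
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

# Anti-cheat services and anti-cheat-wrapped game clients named in the
# listing above (lower-cased for comparison).
ANTICHEAT = {"easyanticheat.exe", "beservice.exe", "beservices.exe", "battleye.exe",
             "fortniteclient-win64-shipping_eac.exe", "fortniteclient-win64-shipping_be.exe"}
# Assumed grouping: registry locations holding publisher/machine identity or
# hardware telemetry, as named in the listing above.
IDENTITY_KEY_MARKERS = ("\\epic games", "\\epicgames", "com.epicgames", "gameconfigstore",
                        "unreal engine\\identifiers", "unreal engine\\hardware survey",
                        "\\direct3d", "systemstartoptions")


def parse_listing(text: str) -> list[tuple[str, str]]:
    """Return (image, command_line) pairs from the two-line layout."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    pairs, i = [], 0
    while i < len(lines):
        if IMAGE_RE.match(lines[i]) and i + 1 < len(lines) and not IMAGE_RE.match(lines[i + 1]):
            pairs.append((lines[i], lines[i + 1]))
            i += 2
        else:
            i += 1
    return pairs


def score_listing(text: str) -> dict:
    """Bucket the commands and compute an assumed weighted score."""
    f = {"batch_from_temp": [], "anticheat_kills": [], "other_kills": [],
         "identity_key_deletes": [], "other_deletes": []}
    for image, cmd in parse_listing(text):
        exe = image.rsplit("\\", 1)[-1].lower()
        if exe == "cmd.exe":
            for bat in BAT_RE.findall(cmd):
                if any(m in bat.lower() for m in TEMP_MARKERS):
                    f["batch_from_temp"].append(bat)
        elif exe == "taskkill.exe":
            for name in TASKKILL_RE.findall(cmd):
                f["anticheat_kills" if name.lower() in ANTICHEAT else "other_kills"].append(name)
        elif exe == "reg.exe":
            for key, value in REG_DELETE_RE.findall(cmd):
                target = f"{key}\\{value}".lower() if value else key.lower()
                bucket = "identity_key_deletes" if any(m in target for m in IDENTITY_KEY_MARKERS) else "other_deletes"
                f[bucket].append(target)
    # Weights are an assumption: the batch-from-Temp launch and repeated
    # anti-cheat kills carry more than individual key deletions, and each
    # bucket is capped so a long script cannot inflate the score alone.
    score = (3 * bool(f["batch_from_temp"])
             + 2 * min(len(f["anticheat_kills"]), 3)
             + 1 * min(len(f["identity_key_deletes"]), 4))
    f["score"] = score
    f["verdict"] = ("anti-cheat kill + identity cleanup" if score >= 7
                    else "suspicious" if score >= 4 else "benign")
    return f


if __name__ == "__main__":
    result = score_listing(SAMPLE_LISTING)
    print(result["verdict"], result["score"])
    for bucket in ("batch_from_temp", "anticheat_kills", "identity_key_deletes"):
        print(bucket, result[bucket])
```

On a real endpoint the same two-line pairs come straight out of Sysmon Event ID 1 or 4688 records (Image and CommandLine), correlated by parent PID so that only children of the same cmd.exe are scored together; scoring the whole host at once would let unrelated taskkill calls from admin scripts inflate the result.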
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\3F0C.tmp\3F0D.tmp\3F0E.bat
| MD5 | 406afe5c97eebaea133bdc5d9daff887 |
| SHA1 | aaf7ef4e090c23a0ea516e4a9a78491a55001d24 |
| SHA256 | 96aa8694fa31eb10195e148c3eb9dc15fb6247a7174cfc0b3794c805fbd5de14 |
| SHA512 | 7d7a8beb15493fc9443bfb08bb9fd25715f51deb5b3bf2e0ea22b2ae354db1959836cafcb888b59773a3a720593fca606f06176e8dcbbf0c79182a37ed30c08d |
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-26 20:50
Reported
2024-06-26 20:56
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
54s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\lsm.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-26 20:50
Reported
2024-06-26 20:56
Platform
win10v2004-20240611-en
Max time kernel
299s
Max time network
304s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\lstelemetry.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| BE | 2.17.107.114:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-26 20:50
Reported
2024-06-26 20:56
Platform
win10v2004-20240508-en
Max time kernel
93s
Max time network
206s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\luainstall.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-06-26 20:50
Reported
2024-06-26 20:56
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
278s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\mciwave.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-06-26 20:50
Reported
2024-06-26 20:56
Platform
win10v2004-20240611-en
Max time kernel
219s
Max time network
209s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1368 wrote to memory of 3024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1368 wrote to memory of 3024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1368 wrote to memory of 3024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\mfc70.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\mfc70.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 20:50
Reported
2024-06-26 20:52
Platform
win10v2004-20240508-en
Max time kernel
106s
Max time network
114s
Command Line
Signatures
Disables service(s)
Stops running service(s)
Event Triggered Execution: Component Object Model Hijacking
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133639086792631678" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4950C79-806D-4ECE-9DB1-11B34D33F514}\Version\ = "1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WbemScripting.SWbemObjectPath.1 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\VersionIndependentProgID\ = "SyncEngineFileInfoProvider.SyncEngineFileInfoProvider" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5C659258-E236-11D2-8899-00104B2AFB46} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{6A821279-AB49-48F8-9A27-F6C59B4FF024}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{55F7B88D-A254-4B22-B7BB-FCDBBA1AFA32}\TypeLib\ = "{0438D53A-9A57-423C-9E54-9612C4576257}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\FileSyncClient.AutoPlayHandler.1\CLSID\ = "{5999E1EE-711E-48D2-9884-851A709F543D}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C2FEEEAC-CFCD-11D1-8B05-00600806D9B6}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A571F412-E3D2-4A32-BF42-1D3B2203FF17} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\ = "SharedOverlayHandler Class" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\Programmable | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\ = "ToastActivator Class" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0C0B0642-1DEB-43DF-8032-7A9BF5811A74}\Version | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\odopen\shell\open | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C2FEEEAC-CFCD-11D1-8B05-00600806D9B6}\VersionIndependentProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{75718C9A-F029-11D1-A1AC-00C04FB6C223} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EC231970-6AFD-4215-A72E-97242BB08680} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemNamedValueSet.1\ = "WBEM Scripting Named Value Collection 1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WMISnapinAbout.1 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{B54E7079-90C9-4C62-A6B8-B2834C33A04A} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\ = "IFileSyncOutOfProcServices" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{466F31F7-9892-477E-B189-FA5C59DE3603}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{33831ED4-42B8-11D2-93AD-00805F853771} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}\ = "IFileInformationProvider" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\odopen\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\ProgID | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider\CurVer | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{75718C9A-F029-11D1-A1AC-00C04FB6C223}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
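The rows above come from three different writers, and they should not be read as one event. OneDrive.exe registers its own COM classes, interfaces and shell overlay handler under the sandbox user's per-user Classes hive (the `S-1-5-21-...-1000_Classes` keys, i.e. HKCU\Software\Classes), with its in-process server pointing into the user's own AppData install tree. That is exactly the shape a COM hijack has, because per-user Classes entries take precedence over HKLM\SOFTWARE\Classes for non-elevated processes of that user, and it is why a generic "Event Triggered Execution: Component Object Model Hijacking" signature fires; the difference is that the DLL lives in the writer's own install directory and is being registered by the product that owns it. regsvr32.exe, on the other hand, is rewriting HKLM\SOFTWARE\Classes entries for the WMI scripting and provider DLLs (WbemScripting.*, WMISnapinAbout.1, the CLSID/TypeLib keys), including deleting and recreating a CLSID key, which is what re-registration does. Elevated processes ignore per-user COM registrations, so a real per-user hijack would only affect medium-integrity processes of that user.

The following script, added here as an example and not part of the report, parses rows in this table format and labels every in-process/local COM server registration as machine-wide, per-user self-registration (server DLL under the writer's own directory) or per-user hijack candidate. The sample rows are copied from the table; the last row is synthetic, added only as a positive control for the rule. The "user-writable" test and the self-registration heuristic are assumptions of this example, not something the report states.

```python
"""Added example (not from the report): parse 'Modifies registry class' rows and separate
per-user COM-server registrations that fit the COM-hijack pattern from the ordinary
self-registration a per-user installer performs. Rows are copied from the table; the last
one is SYNTHETIC, a positive control for the rule."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

ROWS = r'''
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\FileSyncClient.AutoPlayHandler.1\CLSID\ = "{5999E1EE-711E-48D2-9884-851A709F543D}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4950C79-806D-4ECE-9DB1-11B34D33F514}\Version\ = "1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EC231970-6AFD-4215-A72E-97242BB08680} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemNamedValueSet.1\ = "WBEM Scripting Named Value Collection 1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Example\\payload.dll" | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
'''.strip().splitlines()   # last row is SYNTHETIC (control), not from the report


@dataclass(frozen=True)
class RegEvent:
    op: str                  # "Key created", "Set value (str)", "Key deleted", ...
    key: str                 # registry path with the value name stripped off
    value: Optional[str]     # value name; "" is the (Default) value; None for key ops
    data: Optional[str]      # value data with the report's doubled backslashes undone
    process: str             # writer image path


USER_CLASSES = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+_Classes\\", re.I)
MACHINE_CLASSES = re.compile(r"^\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\", re.I)
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-F-]{36}\})", re.I)
SERVER_RE = re.compile(r"\\(InprocServer32|LocalServer32)$", re.I)


def parse_row(row: str) -> RegEvent:
    """Split one '| op | indicator | process | target |' row into a RegEvent."""
    cells = [c.strip() for c in row.strip()[1:-1].split("|")]
    if len(cells) != 4:
        raise ValueError(f"not a four-column signature row: {row!r}")
    op, indicator, process = cells[0], cells[1], cells[2]
    value = data = None
    key = indicator
    if op.startswith("Set value"):
        path, _, quoted = indicator.partition(" = ")
        data = quoted.strip('"').replace("\\\\", "\\")
        key, _, value = path.rpartition("\\")   # trailing "\" in the report = default value
    return RegEvent(op, key, value, data, process)


def user_writable(path: str) -> bool:
    """Assumed heuristic: under a user profile and not in a Program Files tree."""
    p = path.lower()
    return p.startswith("c:\\users\\") and "\\program files" not in p


def classify(events):
    """Label each COM server registration: (label, clsid, server_path, writer)."""
    findings = []
    for e in events:
        if not e.op.startswith("Set value") or e.value != "":
            continue   # only the (Default) value of the server key names the binary
        sm, cm = SERVER_RE.search(e.key), CLSID_RE.search(e.key)
        if not (sm and cm):
            continue
        clsid, server = cm.group(1).upper(), e.data
        writer_dir = e.process.rsplit("\\", 1)[0].lower() + "\\"
        if MACHINE_CLASSES.match(e.key):
            label = "machine_com_registration"
        elif not user_writable(server):
            label = "per_user_clsid_points_to_system_path"
        elif server.lower().startswith(writer_dir):
            # Per-user installer registering a DLL from its own tree (OneDrive here):
            # the benign look-alike. Still verify the DLL's Authenticode signature.
            label = "per_user_self_registration"
        else:
            label = "per_user_com_hijack_candidate"
        findings.append((label, clsid, server, e.process))
    return findings


def summarize(events):
    return {
        "writers": Counter(e.process.rsplit("\\", 1)[-1] for e in events),
        "deleted_keys": [e.key for e in events if e.op == "Key deleted"],
        "com_servers": classify(events),
    }


if __name__ == "__main__":
    for item in summarize([parse_row(r) for r in ROWS])["com_servers"]:
        print(*item, sep="  |  ")
```

On the report's own rows the only server registration is OneDrive's FileSyncShell.dll and it is labelled self-registration; only the synthetic control produces a hijack candidate. When the same rule runs over real telemetry, confirm the candidate by checking the DLL's signature and whether the CLSID already exists under HKLM (a per-user entry shadowing a machine-wide class is the hijack case worth chasing).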
Runs net.exe
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\FN-TOOLZ-main\FNCLEAN.bat"
C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
C:\Windows\system32\taskkill.exe
taskkill /f /im epicgameslauncher.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteLauncher.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im OneDrive.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im UnrealCEFSubProcess.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im CEFProcess.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im EasyAntiCheat.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im BEService.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im BEServices.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im BattleEye.exe
C:\Windows\system32\sc.exe
Sc stop EasyAntiCheat
C:\Windows\system32\sc.exe
Sc stop FortniteClient-Win64-Shipping_EAC
C:\Windows\system32\sc.exe
Sc stop BattleEye
C:\Windows\system32\sc.exe
Sc stop FortniteClient-Win64-Shipping_BE
C:\Windows\system32\sc.exe
sc config winmgmt start= disabled
C:\Windows\system32\net.exe
net stop winmgmt /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop winmgmt /y
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b *.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s appbackgroundtask.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s cimwin32.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s DMWmiBridgeProv.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s DMWmiBridgeProv1.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s dnsclientcim.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s dnsclientpsprovider.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s Dscpspluginwkr.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s dsprov.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s EmbeddedLockdownWmi.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s esscli.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s EventTracingManagement.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s fastprox.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s ipmiprr.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s ipmiprv.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s KrnlProv.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s MDMAppProv.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s MDMSettingsProv.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s Microsoft.AppV.AppVClientWmi.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s Microsoft.Uev.AgentWmi.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s MMFUtil.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s mofd.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s mofinstall.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s msdtcwmi.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s msiprov.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s NCProv.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s ndisimplatcim.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s NetAdapterCim.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s netdacim.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s NetEventPacketCapture.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s netnccim.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s NetPeerDistCim.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s netswitchteamcim.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s NetTCPIP.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s netttcim.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s nlmcim.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s ntevt.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s PolicMan.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s PrintManagementProvider.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s qoswmi.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s RacWmiProv.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s repdrvfs.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s schedprov.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s ServDeps.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s SMTPCons.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s stdprov.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s vdswmi.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s viewprov.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s vpnclientpsprovider.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s vsswmi.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wbemcntl.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wbemcons.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wbemcore.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wbemdisp.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wbemess.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wbemprox.dll
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0x80,0x108,0x7ffc19acab58,0x7ffc19acab68,0x7ffc19acab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1540 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2224 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3024 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4272 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4684 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4124 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4436 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3060 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4320 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3104 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4104 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3132 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4860 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3132 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4356 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc096e46f8,0x7ffc096e4708,0x7ffc096e4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,1641416480451424712,5456917777122669342,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,1641416480451424712,5456917777122669342,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,1641416480451424712,5456917777122669342,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1641416480451424712,5456917777122669342,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1641416480451424712,5456917777122669342,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="336.0.1687205155\620404844" -parentBuildID 20230214051806 -prefsHandle 1776 -prefMapHandle 1768 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {72c0f628-a591-416b-8be9-4fa4b46f3744} 336 "\\.\pipe\gecko-crash-server-pipe.336" 1868 1f5aa11a558 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="336.1.1259090993\135693298" -parentBuildID 20230214051806 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d2d4b49-de10-47a6-bb36-6f1e2e427b96} 336 "\\.\pipe\gecko-crash-server-pipe.336" 2392 1f595e89f58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="336.2.2095034817\409581324" -childID 1 -isForBrowser -prefsHandle 3160 -prefMapHandle 2936 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e782b676-812a-4735-a051-131dadd4cb3b} 336 "\\.\pipe\gecko-crash-server-pipe.336" 3064 1f5acf07758 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="336.3.262397246\1532890146" -childID 2 -isForBrowser -prefsHandle 3972 -prefMapHandle 3968 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8414e907-be05-4f04-b54e-f39338aeb153} 336 "\\.\pipe\gecko-crash-server-pipe.336" 3984 1f5aede9c58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="336.4.1751320324\1555874683" -childID 3 -isForBrowser -prefsHandle 4876 -prefMapHandle 4856 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b5b13a4-1444-4367-b10b-9b95c2b8b869} 336 "\\.\pipe\gecko-crash-server-pipe.336" 4884 1f5b0f3d158 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="336.5.1106532333\1914084109" -childID 4 -isForBrowser -prefsHandle 5084 -prefMapHandle 5080 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e37147d-32ac-4bc8-8fab-17a40f14525c} 336 "\\.\pipe\gecko-crash-server-pipe.336" 5092 1f5b0f3d758 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="336.6.287551704\1466741780" -childID 5 -isForBrowser -prefsHandle 5192 -prefMapHandle 5196 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {292e35af-2b16-4b5b-8b06-616a4a6b35c8} 336 "\\.\pipe\gecko-crash-server-pipe.336" 5184 1f5b0f3e958 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="336.7.606134376\416284088" -childID 6 -isForBrowser -prefsHandle 5644 -prefMapHandle 5640 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91bbb348-9a7b-4106-ba10-917bf300a59e} 336 "\\.\pipe\gecko-crash-server-pipe.336" 5656 1f5b219bf58 tab
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc19acab58,0x7ffc19acab68,0x7ffc19acab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1924,i,5319262632984705461,16470935029816450065,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1924,i,5319262632984705461,16470935029816450065,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2120 --field-trial-handle=1924,i,5319262632984705461,16470935029816450065,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2976 --field-trial-handle=1924,i,5319262632984705461,16470935029816450065,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2984 --field-trial-handle=1924,i,5319262632984705461,16470935029816450065,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3972 --field-trial-handle=1924,i,5319262632984705461,16470935029816450065,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4136 --field-trial-handle=1924,i,5319262632984705461,16470935029816450065,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 --field-trial-handle=1924,i,5319262632984705461,16470935029816450065,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 --field-trial-handle=1924,i,5319262632984705461,16470935029816450065,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4508 --field-trial-handle=1924,i,5319262632984705461,16470935029816450065,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3488 --field-trial-handle=1924,i,5319262632984705461,16470935029816450065,131072 /prefetch:1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.4.4:53 | google.com | udp |
| US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp |
| N/A | 127.0.0.1:55185 | | tcp |
| N/A | 127.0.0.1:55192 | | tcp |
| US | 8.8.8.8:53 | support.mozilla.org | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.4.4:53 | google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 20:50
Reported
2024-06-26 20:55
Platform
win10v2004-20240611-en
Max time kernel
222s
Max time network
274s
Command Line
Signatures
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ClassGUID | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\ | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067\ | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000 | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067 | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066 | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29} | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065\ | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066 | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067 | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ContainerID | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000064\00000000 | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067\ | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ClassGuid | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\ | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065 | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LocationInformation | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000064\00000000 | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\ | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ContainerID | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\ | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ContainerID | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066 | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067 | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\ | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000066\00000000 | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000 | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065 | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000 | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Control | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000 | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ClassGuid | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Driver | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Control | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Driver | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\ | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\ | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29} | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064 | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000 | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000064\00000000 | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065\ | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
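DevManView.exe is the file name of NirSoft's device-manager viewer (the report's Nirsoft signature agrees); walking every key under Enum\SCSI is what such a tool does by design, and the sandbox flags those reads because anti-VM code reads the same keys looking for hypervisor vendor strings. What matters for triage is which devices the run exposed: `Ven_QEMU` identifies the QEMU/KVM analysis host, while `Ven_Msft&Prod_Virtual_DVD-ROM` is how Windows names any mounted ISO or VHD and appears on physical hosts too. The following is an added example, not code from the report or from NirSoft: it parses rows in the table's format (the sample rows are copied from the table above), groups the accesses by device, and tags vendor strings against an assumed list of hypervisor vendors; `DADY` is not on that list and is reported as unrecognised rather than guessed at.

```python
"""Triage the 'Checks SCSI registry key(s)' rows: which SCSI devices were
visible to the sample, what was read about each, and which vendor strings
betray a hypervisor. Added example; not sandbox or DevManView code."""
import re
from collections import defaultdict

# Constructed input: rows copied from the report's signature table
# (the header row is included to show that it is skipped).
SAMPLE_ROWS = r"""
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ClassGUID | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067 | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
"""

# Device instance path: Enum\SCSI\<class>&Ven_<vendor>&Prod_<product>\<instance>\<property...>
DEVICE_RE = re.compile(
    r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<ven>[^&\\]+)&Prod_(?P<prod>[^\\]+)"
    r"(?:\\(?P<inst>[^\\]+))?(?P<rest>.*)$"
)

VENDOR_TAGS = {  # assumed: vendor strings that only virtual hardware reports
    "QEMU": "hypervisor artefact (QEMU/KVM)",
    "VBOX": "hypervisor artefact (VirtualBox)",
    "VMWARE": "hypervisor artefact (VMware)",
}


def tag_vendor(ven, prod):
    """Say what a Ven_/Prod_ pair implies about the host."""
    if ven.upper() in VENDOR_TAGS:
        return VENDOR_TAGS[ven.upper()]
    if ven.upper() == "MSFT" and "VIRTUAL" in prod.upper():
        # Windows reports a mounted ISO/VHD this way on physical hosts too.
        return "Windows virtual drive (mounted image; not VM-specific)"
    return "unrecognised vendor string (compare with the analysis host)"


def parse_rows(text):
    """Split the report's 4-column rows into dicts; skips the header row."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Description":
            continue
        rows.append({"action": cells[0], "path": cells[1], "process": cells[2]})
    return rows


def summarise_scsi_access(rows):
    """Group registry accesses by SCSI device id and tag each vendor string."""
    devices = defaultdict(lambda: {"instances": set(), "properties": set(), "actions": set()})
    for row in rows:
        m = DEVICE_RE.search(row["path"])
        if not m:
            continue  # e.g. the bare Enum\SCSI key itself
        dev_id = f"{m['cls']}&Ven_{m['ven']}&Prod_{m['prod']}"
        d = devices[dev_id]
        d.update(vendor=m["ven"], product=m["prod"], tag=tag_vendor(m["ven"], m["prod"]))
        if m["inst"]:
            d["instances"].add(m["inst"])
        parts = [p for p in m["rest"].split("\\") if p]
        if parts:
            d["properties"].add(parts[0])  # ClassGUID, Mfg, Properties, Service, ...
        d["actions"].add(row["action"])
    return dict(devices)


def hypervisor_artefacts(devices):
    """Device ids whose vendor string only appears on virtual hardware."""
    return sorted(k for k, d in devices.items() if d["tag"].startswith("hypervisor artefact"))


if __name__ == "__main__":
    devs = summarise_scsi_access(parse_rows(SAMPLE_ROWS))
    for dev_id, d in sorted(devs.items()):
        print(f"{dev_id}: {d['tag']}; instances={len(d['instances'])}; read={sorted(d['properties'])}")
    print("hypervisor artefacts:", hypervisor_artefacts(devs))
```

The properties set is the useful part when comparing samples: a device-manager tool walks every Properties subkey of every device, whereas targeted anti-VM code typically reads only Mfg, FriendlyName or DeviceDesc for a handful of devices, so the breadth of what was read separates inventory from probing better than the signature name does.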
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe
"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.211:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-26 20:50
Reported
2024-06-26 20:56
Platform
win10v2004-20240508-en
Max time kernel
234s
Max time network
254s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\mcicda.dll,#1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4124,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4040 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-06-26 20:50
Reported
2024-06-26 20:56
Platform
win10v2004-20240611-en
Max time kernel
2s
Max time network
27s
Command Line
Signatures
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\nvrl.exe
"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\nvrl.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3E61.tmp\3E62.tmp\3E63.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\nvrl.exe"
C:\Windows\system32\netsh.exe
NETSH INT IP RESET
C:\Windows\system32\netsh.exe
NETSH INTERFACE IPV4 RESET
C:\Windows\system32\netsh.exe
NETSH INTERFACE IPV6 RESET
C:\Windows\system32\netsh.exe
NETSH INTERFACE TCP RESET
C:\Windows\system32\netsh.exe
NETSH INT RESET ALL
C:\Windows\system32\ipconfig.exe
IPCONFIG /RELEASE
C:\Windows\system32\ipconfig.exe
IPCONFIG /RELEASE
C:\Windows\system32\ipconfig.exe
IPCONFIG /FLUSHDNS
C:\Windows\system32\nbtstat.exe
NBTSTAT -R
C:\Windows\system32\nbtstat.exe
NBTSTAT -RR
C:\Windows\System32\Wbem\WMIC.exe
WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\3E61.tmp\3E62.tmp\3E63.bat
| MD5 | 95e33c4700e0c94a4225251858b8bf49 |
| SHA1 | 116d458fa09f1f7338a6303175e26e94e068c560 |
| SHA256 | ddab15d142c77b1c060fed8d8561dadb7e2d70615a096b83e9299f5d4c5d2706 |
| SHA512 | 42c65d35ee3b7c05188814aeb8717a2e6d18b14085bb824debe1819e5119f82f1de08a1c8c13d159f2719e2ace314e209b9992abb5e908588ca03af01a91b370 |
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-26 20:50
Reported
2024-06-26 20:56
Platform
win10v2004-20240508-en
Max time kernel
93s
Max time network
203s
Command Line
Signatures
Enumerates physical storage devices
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jfg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jfg.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jfg.exe
"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jfg.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /flushdns > nul 2> nul
C:\Windows\system32\ipconfig.exe
ipconfig /flushdns
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /release > nul 2> nul
C:\Windows\system32\ipconfig.exe
ipconfig /release
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /renew > nul 2> nul
C:\Windows\system32\ipconfig.exe
ipconfig /renew
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c .\reset_adapters.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pause
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-26 20:50
Reported
2024-06-26 20:56
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
276s
Command Line
Signatures
Clears Windows event logs
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wevtutil.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
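The behavioral25 batch file resets the IP, IPv4, IPv6 and TCP stacks, releases the DHCP lease, purges the NetBIOS cache and finally disables every physical adapter through WMI; the behavioral6 batch file lists every event channel with `wevtutil el` and clears each one with `wevtutil cl` (ATT&CK T1070.001), which is what the alternating SeSecurityPrivilege/SeBackupPrivilege rows above record once per channel. The following is an added example, not code from the report or from the analysed archive: a detector over process-creation records (constructed, with assumed pids; the command lines are the ones listed in this report) that groups events by process tree and counts distinct chain steps and distinct cleared channels, so a command and its `cmd.exe /c` wrapper are not counted twice. One caveat on the neighbouring "Netsh Helper DLL" rows in behavioral25: they are read-only accesses to HKLM\SOFTWARE\Microsoft\NetSh, which netsh performs on every start to load its registered helpers; no write to that key appears in the table, so the report does not show a helper DLL being registered.

```python
"""Flag the destructive command chains in this report from process-creation
records: the netsh/ipconfig/nbtstat/WMIC network reset and the wevtutil
'cl' loop. Added example for this report; not sandbox code."""
import re
from collections import defaultdict, namedtuple

Finding = namedtuple("Finding", "root_pid rule severity pids")

# Network-stack reset steps from the behavioral25 batch file (one regex per step).
NETWORK_RESET = [
    re.compile(r"\bnetsh\b.*\b(int|interface)\b.*\breset\b", re.I),
    re.compile(r"\bipconfig\b.*/release", re.I),
    re.compile(r"\b(?i:nbtstat)\b.*\s-RR?\b"),  # -R / -RR purge NetBIOS caches; -r is harmless
]
# Disabling every physical NIC via WMI cuts the host off the network.
ADAPTER_DISABLE = re.compile(r"\bwmic\b.*\bwin32_networkadapter\b.*\bcall\s+disable\b", re.I)
# wevtutil cl / clear-log clears one channel; captures the channel name.
LOG_CLEAR = re.compile(r'\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+(?:"(?P<q>[^"]+)"|(?P<u>\S+))', re.I)

# Constructed records: pids/ppids are assumed, command lines are the report's.
SAMPLE_EVENTS = [
    {"pid": 10, "ppid": 4, "cmd": r'"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\nvrl.exe"'},
    {"pid": 11, "ppid": 10, "cmd": r'"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3E61.tmp\3E62.tmp\3E63.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\nvrl.exe"'},
    {"pid": 12, "ppid": 11, "cmd": "NETSH INT IP RESET"},
    {"pid": 13, "ppid": 11, "cmd": "NETSH INTERFACE IPV4 RESET"},
    {"pid": 14, "ppid": 11, "cmd": "IPCONFIG /RELEASE"},
    {"pid": 15, "ppid": 11, "cmd": "NBTSTAT -R"},
    {"pid": 16, "ppid": 11, "cmd": "WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE"},
    {"pid": 20, "ppid": 4, "cmd": r'"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\cpuz.exe"'},
    {"pid": 21, "ppid": 20, "cmd": r'"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5062.tmp\5063.tmp\5064.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\cpuz.exe"'},
    {"pid": 22, "ppid": 21, "cmd": "wevtutil.exe el"},
    {"pid": 23, "ppid": 21, "cmd": 'wevtutil.exe cl "AMSI/Debug"'},
    {"pid": 24, "ppid": 21, "cmd": 'wevtutil.exe cl "Application"'},
    {"pid": 25, "ppid": 21, "cmd": 'wevtutil.exe cl "ForwardedEvents"'},
    {"pid": 26, "ppid": 21, "cmd": 'wevtutil.exe cl "HardwareEvents"'},
    # behavioral12 pattern: one cmd.exe wrapper per command, only /release is a reset step
    {"pid": 30, "ppid": 4, "cmd": r'"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jfg.exe"'},
    {"pid": 31, "ppid": 30, "cmd": r"C:\Windows\system32\cmd.exe /c ipconfig /flushdns > nul 2> nul"},
    {"pid": 32, "ppid": 31, "cmd": "ipconfig /flushdns"},
    {"pid": 33, "ppid": 30, "cmd": r"C:\Windows\system32\cmd.exe /c ipconfig /release > nul 2> nul"},
    {"pid": 34, "ppid": 33, "cmd": "ipconfig /release"},
    {"pid": 35, "ppid": 30, "cmd": r"C:\Windows\system32\cmd.exe /c ipconfig /renew > nul 2> nul"},
    {"pid": 36, "ppid": 35, "cmd": "ipconfig /renew"},
]


def _root_of(pid, by_pid):
    """Walk ppid links up to the oldest ancestor present in the records."""
    seen = set()
    while pid not in seen and by_pid.get(pid, {}).get("ppid") in by_pid:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
    return pid


def detect(events, min_steps=2, min_channels=3):
    """Return one Finding per (process tree, rule) for the behaviours above."""
    by_pid = {e["pid"]: e for e in events}
    trees = defaultdict(list)
    for e in events:
        trees[_root_of(e["pid"], by_pid)].append(e)
    findings = []
    for root, evs in sorted(trees.items()):
        steps, step_pids = set(), []
        for e in evs:
            hit = [i for i, p in enumerate(NETWORK_RESET) if p.search(e["cmd"])]
            if hit:
                steps.update(hit)
                step_pids.append(e["pid"])
        disable_pids = [e["pid"] for e in evs if ADAPTER_DISABLE.search(e["cmd"])]
        channels, clear_pids = set(), []
        for e in evs:
            m = LOG_CLEAR.search(e["cmd"])
            if m:
                channels.add((m.group("q") or m.group("u")).lower())
                clear_pids.append(e["pid"])
        if disable_pids:
            findings.append(Finding(root, "network_adapter_disable", "high", disable_pids))
        if len(steps) >= min_steps:  # distinct steps: wrapper and child count once
            findings.append(Finding(root, "network_stack_reset_chain", "medium", step_pids))
        if len(channels) >= min_channels:  # distinct channels: the el/cl loop
            findings.append(Finding(root, "bulk_event_log_clear", "high", clear_pids))
        elif channels:
            findings.append(Finding(root, "event_log_clear", "medium", clear_pids))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"root pid {f.root_pid}: {f.rule} [{f.severity}] pids={f.pids}")
```

Grouping by the tree root rather than by immediate parent matters here: the behavioral25 and behavioral6 chains share one cmd.exe parent because a single batch file spawns them, while behavioral12 launches a separate `cmd.exe /c` for every ipconfig call, so a parent-keyed detector would see three unrelated singletons. With the default thresholds the jfg.exe tree produces no finding, because only one distinct reset step (`/release`) appears in it.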
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\cpuz.exe
"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\cpuz.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5062.tmp\5063.tmp\5064.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\cpuz.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit
C:\Windows\system32\bcdedit.exe
bcdedit
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil.exe el
C:\Windows\system32\wevtutil.exe
wevtutil.exe el
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "AMSI/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "AirSpaceChannel"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Application"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DirectShowFilterGraph"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DirectShowPluginControl"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Els_Hyphenation/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "EndpointMapper"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "FirstUXPerf-Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "ForwardedEvents"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "General Logging"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "HardwareEvents"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "IHM_DebugChannel"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Internet Explorer"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Key Management Service"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MF_MediaFoundationDeviceMFT"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MF_MediaFoundationFrameServer"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MedaFoundationVideoProc"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MedaFoundationVideoProcD3D"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationAsyncWrapper"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationContentProtection"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationDS"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationDeviceProxy"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationMP4"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationMediaEngine"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPerformance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPerformanceCore"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPipeline"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPlatform"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationSrcPrefetch"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IE/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AAD/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppSruProv"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Informational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/HCI"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/L2CAP"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Backup"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-Bthmini/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-Policy/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/Call"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/RundownInstrumentation"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Cleanmgr/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DDisplay/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DDisplay/Logging"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DLNA-Namespace/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DSC/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DSC/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DSC/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DSC/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Data-Pdf/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deduplication/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deduplication/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deduplication/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deduplication/Scrubbing"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Defrag-Core/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceAssociationService/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceConfidence/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Verbose"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceUpdateAgent/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Devices-Background/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D12/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D12/Logging"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D12/PerfTiming"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D9/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3DShaderCache/Default"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectComposition/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectManipulation/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dism-Api/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dism-Api/ExternalAnalytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dism-Api/InternalAnalytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dism-Cli/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dot3MM/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DucUpdateAgent/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dwm-API/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dwm-Core/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dwm-Dwm/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dwm-Redir/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dwm-Udwm/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Contention"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Power"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EDP-Application-Learning/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EDP-Audit-Regular/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EDP-Audit-TCB/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ESE/IODiagnose"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ESE/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapMethods-RasChap/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapMethods-RasTls/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapMethods-Sim/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapMethods-Ttls/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/EventLog"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/Trace"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/WHC"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/BackupLog"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-GPIO-ClassExtension/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-GenericRoaming/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HelloForBusiness/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Help/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HttpService/Log"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IE-SmartScreen"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-Broker/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-CandidateUI/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManager/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-JPAPI/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-JPLMP/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-JPPRED/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-JPSetting/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-JPTIP/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-KRAPI/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-KRTIP/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-OEDCompiler/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-TCCORE/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-TCTIP/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-TIP/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IPNAT/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IdCtrls/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IdCtrls/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Input-HIDCLASS-Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-InputSwitch/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-KdsSvc/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kerberos/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/General"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-IO/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-IoTrace/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Pdc/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Pep/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Boot Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Device Enumeration Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Watchdog"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-XDV/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LSA/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LSA/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LSA/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LimitsManagement/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LiveId/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LiveId/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPEG2-Video-Encoder-MFT_Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSFTEDIT/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMC"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMR"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Media-Streaming/MDE"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFCaptureEngine/MFCaptureEngine"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-Performance/SARStreamResource"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Minstore/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Minstore/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Mprddm/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Ncasvc/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NdisImPlatform/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Ndu/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Network-Connection-Broker"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Network-DataUsage/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Network-Setup/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkBridge/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkProvider/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkSecurity/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkStatus/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Networking-RealTimeCommunication/Tracing"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Ntfs/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Ntfs/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Ntfs/WHC"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OLE/Clipboard-Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OOBE-FirstLogonAnim/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Core/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Plugins-Wireless/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OcpUpdateAgent/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OneBackup/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OneX/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OtpCredentialProvider/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Partition/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Partition/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PerceptionRuntime/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PerceptionSensorDataService/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Certification"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Diagnose"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PhotoAcq/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PlayToManager/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Policy/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Policy/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Power-Meter-Polling/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintBRM/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintService-USBMon/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Privacy-Auditing/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ProcessStateManager/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/ManagementService"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Informational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PushNotification-Developer/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PushNotification-InProc/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RRAS/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RRAS/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RadioManager/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Ras-NdisWanPacketCapture/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReFS/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Regsvr32/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-Kernel-Mode-Transport/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ResetEng-Trace/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RetailDemo/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RetailDemo/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime-Graphics/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime-Networking-BackgroundTransfer/Tracing"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime-Networking/Tracing"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime-Web-Http/Tracing"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime-WebAPI/Tracing"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTAdaptiveMediaSource"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTCaptureEngine"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTMediaStreamSource"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTTranscode"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime/CreateInstance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime/Error"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBClient/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBClient/HelperClassDiagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBClient/ObjectStateDiagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBClient/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBDirect/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBDirect/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBDirect/Netmon"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBServer/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBServer/Audit"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBServer/Connectivity"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBServer/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBServer/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBServer/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBServer/Security"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Informational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SPB-ClassExtension/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SPB-HIDI2C/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Schannel-Events/Perf"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sdbus/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sdbus/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sdstor/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SearchUI/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SearchUI/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SecureAssessment/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-Adminless/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-IdentityStore/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-Mitigations/KernelMode"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-Mitigations/UserMode"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-Netlogon/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GC/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-UserConsentVerifier/Audit"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-Vault/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Perf"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SendTo/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sens/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sensors/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sensors/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension-V2/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Servicing/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SettingSync/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SettingSync/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SettingSync/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SettingSync/VerboseDebug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SetupPlatform/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AppWizCpl/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredentialProviderUser/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-LogonUI/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-Core/ActionCenter"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-Core/AppDefaults"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-Core/LogonTasksChannel"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-Core/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-LockScreenContent/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-OpenWith/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SleepStudy/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SmartCard-Audit/Authentication"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SmartCard-DeviceEnum/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SmartScreen/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SmbClient/Audit"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SmbClient/Connectivity"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SmbClient/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SmbClient/Security"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Spellchecking-Host/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SruMon/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SrumTelemetry"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StateRepository/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StateRepository/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StateRepository/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StateRepository/Restricted"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Diagnose"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Diagnose"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Diagnose"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Diagnose"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Health"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-Tiering-IoHeat/Heat"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-Tiering/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorageManagement/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorageManagement/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorageSettings/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorageSpaces-ManagementAgent/WHC"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorageSpaces-SpaceManager/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Store/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storsvc/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Superfetch/PfApLog"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sysmon/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-System-Profile-HardwareId/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SystemSettingsHandlers/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TCPIP/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TTS/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TWinAPI/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TWinUI/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TWinUI/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TZSync/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TZSync/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Maintenance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Tethering-Manager/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Tethering-Station/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ThemeCPL/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Threat-Intelligence/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Time-Service-PTP-Provider/PTP-Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Time-Service/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Troubleshooting-Recommended/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Troubleshooting-Recommended/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TunnelDriver"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UAC-FileVirtualization/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UAC/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UI-Shell/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Perf"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UIRibbon/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-USB-MAUSBHOST-Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-USB-UCX-Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-USB-USBHUB/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-USB-USBHUB3-Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-USB-USBPORT/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-USB-USBXHCI-Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-USB-USBXHCI-Trustlet-Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UniversalTelemetryClient/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User Control Panel Usage/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User Control Panel/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User Control Panel/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User Device Registration/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User Device Registration/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User Profile Service/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User-Loader/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User-Loader/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserAccountControl/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserModePowerService/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserPnp/ActionCenter"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceInstall"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserPnp/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserPnp/SchedulerOperations"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UxInit/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UxTheme/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VAN/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VDRVROOT/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VHDMP-Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VHDMP-Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VIRTDISK-Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VPN-Client/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VPN/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VWiFi/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VerifyHardwareSecurity/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VerifyHardwareSecurity/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Volume/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VolumeControl/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WABSyncProvider/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WCNWiz/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WEPHOSTSVC/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WER-PayloadHealth/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WFP/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WFP/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WLAN-AutoConfig/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WLAN-Driver/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WLAN-MediaManager/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Trace"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPDMCUI/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPNSSUI/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-API/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-MTPBT/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-MTPIP/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-MTPUS/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WSC-SRV/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WUSA/Debug"
Network
Files
C:\Users\Admin\AppData\Local\Temp\5062.tmp\5063.tmp\5064.bat
| MD5 | 064bb52705e97caeee4dcbb5c72c1413 |
| SHA1 | 13107d14185397ad662c08dda51a0ebe7583fbe8 |
| SHA256 | a8ef3b7eaef87d32ea17f27c2f9ad0eb46d394fc6f381972657dbae63d0bbb26 |
| SHA512 | af599892866fd6bfbe067ee1b2f15e9d201401adedf9db624d0f31d7181754a03cb4ea0fa1fb666598cdb601f212ee79a1c4b437d7e9a25dba901c8c481dc095 |
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-26 20:50
Reported
2024-06-26 20:56
Platform
win10v2004-20240611-en
Max time kernel
222s
Max time network
207s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\lz32.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.224:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 224.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-06-26 20:50
Reported
2024-06-26 20:56
Platform
win10v2004-20240508-en
Max time kernel
0s
Max time network
308s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\wmc.exe
"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\wmc.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\45C3.tmp\45C4.tmp\45C5.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\wmc.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
C:\Windows\System32\Wbem\WMIC.exe
wmic nic where physicaladapter=true get deviceid
C:\Windows\system32\findstr.exe
findstr [0-9]
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d 1E4CBCC388F6 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
C:\Windows\System32\Wbem\WMIC.exe
wmic nic where physicaladapter=true get deviceid
C:\Windows\system32\findstr.exe
findstr [0-9]
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"
C:\Windows\System32\Wbem\WMIC.exe
wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv
C:\Windows\system32\netsh.exe
netsh interface set interface name="Ethernet" disable
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
Files
C:\Users\Admin\AppData\Local\Temp\45C3.tmp\45C4.tmp\45C5.bat
| MD5 | 8ca2de2e300d0f8b61645529ffc75551 |
| SHA1 | 058f24d2ed2016d5c8a137a5853065dbdfded102 |
| SHA256 | 11e99c0caedf2b03d3c9e10c4f533a5a5a02054c0b4640e54463722474f90464 |
| SHA512 | 0fe3044f7c1c4a00e4365a3f3d97489fb3931626872fca77b0f9e17bdac42ba91dd09187ea1fc2e6f1b103f608b1d80faf45d63478a22a8788b3ea9d7f6d1885 |
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-26 20:50
Reported
2024-06-26 20:55
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
51s
Command Line
Signatures
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\ddc.exe
"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\ddc.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4A57.tmp\4A58.tmp\4A59.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\ddc.exe"
C:\Windows\system32\taskkill.exe
taskkill /f /im EscapeFromTarkov.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im EscapeFromTarkov_BE.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im BsgLauncher.exe
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-860440266-1445122309-108474356-1001\Software\Epic Games\Unreal Engine\Identifiers" /va /f
C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-860440266-1445122309-108474356-1001\Software\Epic Games\Unreal Engine\Hardware Survey" /va /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-860440266-1445122309-108474356-1001\Software\Epic Games" /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 23565 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 22895 /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
C:\Windows\system32\ARP.EXE
arp -d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | N/A | udp |
Files
C:\Users\Admin\AppData\Local\Temp\4A57.tmp\4A58.tmp\4A59.bat
| MD5 | cf83e40a1338ad5be3af61a5f882664d |
| SHA1 | 479a7b4bb38725f7949647161017d42fbd630ed2 |
| SHA256 | 5f283ef150cd3675af8bb98ae1f270b153ef7c622d9cf86b5c84288edf6743d1 |
| SHA512 | dbf2ead0709bb6542a45f6dbc304ccdd8bd0929a48754880a0dafa18d32b427e1d416ecf695bcebda5583bb37632781bd15fb0fd1c0bfbc584dcd05916604e4e |
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-26 20:50
Reported
2024-06-26 20:56
Platform
win10v2004-20240611-en
Max time kernel
270s
Max time network
279s
Command Line
Signatures
Deletes NTFS Change Journal
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\fsutil.exe | N/A |
| N/A | N/A | C:\Windows\system32\fsutil.exe | N/A |
| N/A | N/A | C:\Windows\system32\fsutil.exe | N/A |
Deletes shadow copies
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\E: | C:\Windows\system32\fsutil.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\system32\fsutil.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\spp\store | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\repository\WRITABLE.TST | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\repository\MAPPING1.MAP | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\restore\MachineGuid.txt | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\repository\MAPPING2.MAP | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\repository\MAPPING3.MAP | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\repository\OBJECTS.DATA | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\repository\INDEX.BTR | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\repository | C:\Windows\system32\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Prefetch\MICROSOFTEDGEUPDATE.EXE-C4317749.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\ONEDRIVESETUP.EXE-8CE5A462.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\REG.EXE-E7E8BD26.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\ResPriHMStaticDb.ebd | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-08AF006C.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-FCAF5656.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-FDF50724.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNTIMEBROKER.EXE-98C67737.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\MICROSOFTEDGEUPDATESETUP_X86_-A43309D3.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-7194EF5E.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-D71F3FEA.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\TIWORKER.EXE-C101ABCD.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\WLRMDR.EXE-C2B47318.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\SVCHOST.EXE-033BBABB.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\AgGlGlobalHistory.db | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\DISMHOST.EXE-C4BB17E2.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\DLLHOST.EXE-5E46FA0D.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-002D6F84.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-0521102C.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-894C9E34.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNTIMEBROKER.EXE-B1A87C0F.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.setup.log | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\MICROSOFTEDGEUPDATE.EXE-E30816F0.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNTIMEBROKER.EXE-94A02D86.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\SVCHOST.EXE-F027B880.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\ONEDRIVE.EXE-96969DDA.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-1463E66D.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-7BCB4814.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\DLLHOST.EXE-28A8211F.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\ReadyBoot | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-7BB97BF6.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-641DCE1C.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\VERCLSID.EXE-7C52E31C.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNTIMEBROKER.EXE-06226CEB.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\SVCHOST.EXE-4BA0E729.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\WFSERVICESREG.EXE-3EE82250.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\AgAppLaunch.db | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-E66A223C.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\LINQWEBCONFIG.EXE-4A3DBBF6.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-7EF4A0DD.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\SGRMBROKER.EXE-0CA31CC6.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\SVCHOST.EXE-96A7E1CF.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-56E309E9.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-C8D69DC6.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\SVCHOST.EXE-DF3D779F.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\BACKGROUNDTASKHOST.EXE-ACEF2FA2.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\BYTECODEGENERATOR.EXE-C1E9BCE6.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-7CB48DE8.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-7F337F0A.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNTIMEBROKER.EXE-BC366267.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\VSSVC.EXE-B8AFC319.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-D2B15AE2.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\SVCHOST.EXE-342BD74A.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\NGEN.EXE-AE594A6B.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-18665B15.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\SVCHOST.EXE-5AC380EC.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\SVCHOST.EXE-C49E779A.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\TAKEOWN.EXE-A80759AD.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\TASKKILL.EXE-8F5B2253.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\AgRobust.db | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-AE5EC6E9.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNTIMEBROKER.EXE-005D3145.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\SVCHOST.EXE-E45D8788.pf | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\AgGlFgAppHistory.db | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "337e3303-dfd9a03a-a" | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = a01605f6d93e56e9 | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe | "C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /d C: |
| C:\Windows\system32\fsutil.exe | fsutil usn deletejournal /d C: |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /d D: |
| C:\Windows\system32\fsutil.exe | fsutil usn deletejournal /d D: |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /d E: |
| C:\Windows\system32\fsutil.exe | fsutil usn deletejournal /d E: |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet |
| C:\Windows\system32\vssadmin.exe | vssadmin delete shadows /All /Quiet |
| C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop winmgmt /Y |
| C:\Windows\system32\net.exe | net stop winmgmt /Y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop winmgmt /Y |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pause |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt |
| C:\Windows\system32\wbem\WMIADAP.EXE | wmiadap.exe /F /T /R |
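The process tree above is the whole anti-recovery sequence in three commands: `fsutil usn deletejournal` on each volume, `vssadmin delete shadows /All /Quiet`, then `net stop winmgmt`. The script below is an added example, not part of the sandbox report or the sample, that runs rule-based detection over a list of (image, command line) pairs of the kind a Sysmon Event ID 1 export or a sandbox process list gives you. The sample input is constructed by transcribing the process tree above; the ATT&CK labels are the techniques these commands are commonly mapped to, not something the report states.

```python
"""Flag the anti-recovery / anti-forensic command lines from the process tree.

Added example. Input shape (image, command_line) is assumed; the sample data
below is constructed from the page's own process tree.
"""
import re
from collections import Counter
from typing import NamedTuple


class Finding(NamedTuple):
    image: str
    command_line: str
    technique: str


# Each rule: (label with the ATT&CK technique it is commonly mapped to, regex
# over the raw command line). The `.*` gaps let a rule fire on the
# `cmd.exe /c ...` wrapper as well as on the child process itself.
RULES = [
    ("T1490 Inhibit System Recovery: vssadmin deletes shadow copies",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("T1070 Indicator Removal: fsutil deletes the NTFS USN change journal",
     re.compile(r"\bfsutil(?:\.exe)?\b.*\busn\b.*\bdeletejournal\b", re.I)),
    ("T1489 Service Stop: WMI (winmgmt) service stopped",
     re.compile(r"\b(?:net1?|sc)(?:\.exe)?\s+stop\s+winmgmt\b", re.I)),
]

# `fsutil usn deletejournal /d X:` -> capture the volume whose journal is gone.
JOURNAL_VOLUME = re.compile(r"\bdeletejournal\b.*?/d\s+([A-Za-z]:)", re.I)


def classify(image: str, command_line: str) -> list[Finding]:
    """Return one Finding per rule that matches this single process."""
    return [Finding(image, command_line, label)
            for label, pattern in RULES if pattern.search(command_line)]


def scan(process_tree: list[tuple[str, str]]) -> list[Finding]:
    """Run every rule over every process in the tree."""
    return [f for image, cmd in process_tree for f in classify(image, cmd)]


def technique_counts(findings: list[Finding]) -> dict[str, int]:
    """Processes per technique (wrapper and child each count once)."""
    return dict(Counter(f.technique for f in findings))


def journal_volumes(findings: list[Finding]) -> list[str]:
    """Drive letters whose USN journal a matched command tried to delete."""
    vols = {m.group(1).upper() for f in findings
            for m in [JOURNAL_VOLUME.search(f.command_line)] if m}
    return sorted(vols)


# Constructed sample: the process tree from the report, as (image, command line).
SAMPLE_TREE = [
    (r"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe"'),
    (r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /d C:"),
    (r"C:\Windows\system32\fsutil.exe", "fsutil usn deletejournal /d C:"),
    (r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /d D:"),
    (r"C:\Windows\system32\fsutil.exe", "fsutil usn deletejournal /d D:"),
    (r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /d E:"),
    (r"C:\Windows\system32\fsutil.exe", "fsutil usn deletejournal /d E:"),
    (r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet"),
    (r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /All /Quiet"),
    (r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c net stop winmgmt /Y"),
    (r"C:\Windows\system32\net.exe", "net stop winmgmt /Y"),
    (r"C:\Windows\system32\net1.exe", r"C:\Windows\system32\net1 stop winmgmt /Y"),
    (r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c pause"),
    (r"C:\Windows\system32\svchost.exe", "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Winmgmt"),
]

if __name__ == "__main__":
    hits = scan(SAMPLE_TREE)
    for f in hits:
        print(f"{f.technique}\n    {f.image}\n    {f.command_line}")
    print("per-technique counts:", technique_counts(hits))
    print("USN journal deleted on:", journal_volumes(hits))
```

Two points worth keeping in mind when turning this into a production rule. First, match on the child (`fsutil.exe`, `vssadmin.exe`, `net1.exe`) and not only on the `cmd.exe /c` wrapper, because nothing forces a sample to go through `cmd.exe`; here each command shows up twice for that reason. Second, the `regsvr32.exe` write to `Winmgmt\Parameters\ServiceDll` in the behavioral28 run below points at the stock `%SystemRoot%\system32\wbem\WMIsvc.dll`, so that entry on its own is the WMI service being re-registered after the stop, not a DLL swap; the stop and delete commands are the reliable signal.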
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| BE | 88.221.83.193:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 193.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-06-26 20:50
Reported
2024-06-26 20:56
Platform
win10v2004-20240611-en
Max time kernel
170s
Max time network
299s
Command Line
Signatures
Disables service(s)
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Winmgmt\Parameters\ServiceDll = "%SystemRoot%\\system32\\wbem\\WMIsvc.dll" | C:\Windows\system32\regsvr32.exe | N/A |
Stops running service(s)
Event Triggered Execution: Component Object Model Hijacking
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\wbem\AutoRecover\B00FB74CA11300E102C8BD294F6829E0.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\15CB6E2BC4C7288B6A26F06F2EA3EBAA.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\55AFD5FC355BAEE0A5E9A1393CC477E5.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\85E0871D8075E919F55DCF2DFB641E6E.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\6B1F2DE3976B69AE13C438DEE2C6EBFF.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\35EB6C02B117E434146AA8FBB46726E5.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\61EE6F125EE84F973323047E63234C4B.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\4A11A3EDADA91AB03265FADEF0200D75.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\C2E802292DC93400E19D1C12F90D0AF6.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\0A9B9F39B61FEC73EA8A27C11BB272DF.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\4A870B469F34065CA18AB1FDF6312BDF.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\7BE912068D7A19BFDF3D3C5BC12E7629.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\C154BBEB58D93C7D77FC22860A1C9C96.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\A9504475746A00F21135DC17FF7DBCD6.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\BB8DB31CD558B86889B6CACCDFE45A90.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\FDAD11DA772B0E5564617898F2A02617.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\8636DC7F9479DACE6778109CB4FB4B01.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\6F096B7D28A95FE5E8A47222B749D137.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\21A91C51247EF25C7B76A7BD92E72AA7.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\18AF8463CB6C0D2BCE6F124B85344B8F.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\707EA99CEA3ACFD4EFCBBF42CC729B41.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\C516870CE658DF2E471B36157EBE5227.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\11FEAE420A4698D76F6D8B09A28F5DAB.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\40CD8A341670967C555998737DB91D5B.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\FE084724C4570F004BB748191F501852.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\0AE46452A0B3D007DD847D7722347162.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\8C758694767A6F90E85D060DE0636B66.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\DEEDFA8A96B3396FC0902AF10A575F0C.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\45D7D3B7EB0F350515C83365C736C679.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\BE81B2C0741907C1FC1C42B6223E59AD.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\E737DE61441445E1FDFCA45EF5E7D987.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\C1BF66EB0451A8CD07AAC77EC68A4043.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\647E7970BD0F5F9E661068CA6CA7F397.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\92A3E2BF6266CF87720E211CA012ECE7.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\453A436331E0AD94D090421533AB4834.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\7FBCB2ADAF817B3D9CAA1BE9E18B2495.mof | N/A | N/A |
| File created | C:\Windows\system32\perfc011.dat | C:\Windows\system32\regsvr32.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\F2ADD0A29CFF4D0576A3741D9AE1C8D3.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\5C6D12CB3AB0D3EDC8D28BCBF9FB244C.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\E85AED94F7A581A1A02F7322094DB3D0.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\A2D31C6DFEE120FEFFD73724708A4827.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\AD1621C948A4E41C8ABE8FC09AC11633.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\C9824ADC136E4798F4F76A6D48117DA8.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\AEAA953C34E29428F04D9906CAFE2169.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\46085E5E756C882D3F6F01D32A3F8D24.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\2AA348C4498C38E2242F58B3308E99E0.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\E33980A0BAD9CCABDB2824A369E52141.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\BCA37BEB911082EA5B73C872086A3B8F.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\32EDB8E30FABC609FF04D61A0874F112.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\3EFDA7C55DEFD2F318D8896068CE2363.mof | N/A | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\44508344C91036373A90B667F2C4D1F2.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\C3A0BE17B37ACE48BE78B31580231AE9.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\EDBF963FB003D0670AA9C2219BD091FB.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\4BD8FD21402CA06647542C55D47F6E47.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\4E7FA4A0256D91829AF21928EC5BC6DB.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\4D557966BDAFAAC1514C928A826375F2.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\B6C73E699C04F876FE75CE460B046079.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\D911EF9E5112E7DA316F0A12476F1ACA.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\5442505746A43B11366F9F8BFE38F703.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\28A02B0A6F3BEA0572B8F35350D88657.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\75054C3771DF289038069A9BB1C1FB6E.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\AFDA9D2CA693B44A2C46D80A3E311ACD.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\9635AD802704D06E888CAB79ECF17188.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\wbem\AutoRecover\EC5052FBA2CBD13E0EB25DC4C89850E4.mof | C:\Windows\System32\wbem\mofcomp.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\inf\WmiApRpl\WmiApRpl.h | C:\Windows\system32\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\inf\WmiApRpl\WmiApRpl.h | C:\Windows\system32\regsvr32.exe | N/A |
| File created | C:\Windows\inf\WmiApRpl\WmiApRpl.ini | C:\Windows\system32\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\inf\WmiApRpl\WmiApRpl.ini | C:\Windows\system32\regsvr32.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A571F412-E3D2-4A32-BF42-1D3B2203FF17}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{890CB943-D715-401B-98B1-CF82DCF36D7C} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{04963311-C399-408E-AD51-05D01506EED0}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C4819C8D-9AB8-4B2F-B8AE-C77DABF553D5}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5791BC26-CE9C-11D1-97BF-0000F81E849C}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5791BC26-CE9C-11D1-97BF-0000F81E849C}\ProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WBEMComLocator | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{D31B6A3F-9350-40DE-A3FC-A7EDEB9B7C63} | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{55F7B88D-A254-4B22-B7BB-FCDBBA1AFA32}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FD4F53E0-65DC-11D1-AB64-00C04FD9159E}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5791BC26-CE9C-11D1-97BF-0000F81E849C}\InProcServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7E9D3B9-E62B-4A90-8CC5-A3C5F662DA7B}\Version | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1BE41571-91DD-11D1-AEB2-00C04FB68820} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25411283-46FC-4326-8DF2-FF5D34B2DFEF}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8EC9CB1-B135-4F10-8B1B-C7188BB0D186}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{6E78DAD9-E187-4D6E-BA63-760256D6F405} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DCF33DF4-B510-439F-832A-16B6B514F2A7}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5D08B586-343A-11D0-AD46-00C04FD8FDFF}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7D35CFA-348B-485E-B524-252725D697CA}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C19BE32-7500-11D1-AD94-00C04FD8FDFF}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1EF94880-01A8-11D2-A90B-00AA00BF3363} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WbemScripting.SWbemLocator.1 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{4FA18276-912A-11D1-AD9B-00C04FD8FDFF} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemSink.1\ = "WBEM Scripting Sink 1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemObjectPath\CurVer | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1108BE51-F58A-4CDA-BB99-7A0227D11D5E} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC9072AB-C000-49D8-A5AA-00266C8DBB9B} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4950C79-806D-4ECE-9DB1-11B34D33F514}\Version | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7E9D3B9-E62B-4A90-8CC5-A3C5F662DA7B}\TypeLib\ = "{0438D53A-9A57-423C-9E54-9612C4576257}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0C0B0642-1DEB-43DF-8032-7A9BF5811A74}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Clsid\{D215781D-019E-4FA0-903D-0CDCDE13A4F5} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JobObjectProv.JobObjectProv | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C4819C8D-9AB8-4B2F-B8AE-C77DABF553D5} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA} | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0C0B0642-1DEB-43DF-8032-7A9BF5811A74}\Version | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{C10B4771-4DA0-11D2-A2F5-00C04F86FB7D} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemSink\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A504CA2-CA90-4731-87BC-6E99CA2019AF} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{37196B38-CCCF-11D2-B35C-00105A1F8177}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JobObjLimitInfoProv.JobObjLimitInfoProv.1 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6B100E1A-1385-4D1F-A02E-6E705A76BB6C} | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7E9D3B9-E62B-4A90-8CC5-A3C5F662DA7B}\InProcServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WMICntl.WMISnapin\CurVer\ = "WMICntl.WMISnapin.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9AED384E-CE8B-11D1-8B05-00600806D9B6}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31739D04-3471-4CF4-9A7C-57A44AE71956} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92B9503D-19C3-4181-9F42-57FFC1A4BF37}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8BEBCE8B-1AF0-4323-8B4D-36994567CAE1}\NotInsertable | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4950C79-806D-4ECE-9DB1-11B34D33F514}\TypeLib\ = "{0438D53A-9A57-423C-9E54-9612C4576257}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EC231970-6AFD-4215-A72E-97242BB08680}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WMISnapinAbout.1\ = "Allows configuration and control of the Windows Management Instrumentation (WMI) service." | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5C659258-E236-11D2-8899-00104B2AFB46}\ProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WbemScripting.SWbemSink | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{580ACAF8-FA1C-11D0-AD72-00C04FD8FDFF}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4950C79-806D-4ECE-9DB1-11B34D33F514}\Version | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemSink\CurVer\ = "WbemScripting.SWbemSink.1" | C:\Windows\system32\regsvr32.exe | N/A |
Runs net.exe
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\mofcomp.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy WMI provider
Processes
C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\tcs64.exe
"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\tcs64.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\39C8.tmp\39C9.tmp\39CA.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\tcs64.exe"
C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
C:\Windows\system32\taskkill.exe
taskkill /f /im epicgameslauncher.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteLauncher.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im OneDrive.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im UnrealCEFSubProcess.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im CEFProcess.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im EasyAntiCheat.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im BEService.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im BEServices.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im BattleEye.exe
C:\Windows\system32\sc.exe
Sc stop EasyAntiCheat
C:\Windows\system32\sc.exe
Sc stop FortniteClient-Win64-Shipping_EAC
C:\Windows\system32\sc.exe
Sc stop BattleEye
C:\Windows\system32\sc.exe
Sc stop FortniteClient-Win64-Shipping_BE
C:\Windows\system32\sc.exe
sc config winmgmt start= disabled
C:\Windows\system32\net.exe
net stop winmgmt /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop winmgmt /y
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b *.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s appbackgroundtask.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s cimwin32.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s DMWmiBridgeProv.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s DMWmiBridgeProv1.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s dnsclientcim.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s dnsclientpsprovider.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s Dscpspluginwkr.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s dsprov.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s EmbeddedLockdownWmi.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s esscli.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s EventTracingManagement.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s fastprox.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s ipmiprr.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s ipmiprv.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s KrnlProv.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s MDMAppProv.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s MDMSettingsProv.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s Microsoft.AppV.AppVClientWmi.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s Microsoft.Uev.AgentWmi.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s MMFUtil.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s mofd.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s mofinstall.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s msdtcwmi.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s msiprov.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s NCProv.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s ndisimplatcim.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s NetAdapterCim.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s netdacim.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s NetEventPacketCapture.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s netnccim.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s NetPeerDistCim.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s netswitchteamcim.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s NetTCPIP.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s netttcim.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s nlmcim.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s ntevt.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s PolicMan.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s PrintManagementProvider.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s qoswmi.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s RacWmiProv.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s repdrvfs.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s schedprov.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s ServDeps.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s SMTPCons.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s stdprov.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s vdswmi.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s viewprov.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s vpnclientpsprovider.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s vsswmi.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wbemcntl.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wbemcons.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wbemcore.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wbemdisp.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wbemess.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wbemprox.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wbemsvc.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WdacWmiProv.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wfascim.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s Win32_EncryptableVolume.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s Win32_Tpm.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WinMgmtR.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WmiApRes.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WmiApRpl.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WMICOOKR.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WmiDcPrv.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wmipcima.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wmipdfs.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wmipdskq.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WmiPerfClass.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WmiPerfInst.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WMIPICMP.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WMIPIPRT.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WMIPJOBJ.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wmiprov.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WmiPrvSD.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WMIPSESS.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s WMIsvc.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wmitimep.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s wmiutils.dll
C:\Windows\System32\wbem\WmiPrvSE.exe
wmiprvse /regserver
C:\Windows\System32\wbem\WinMgmt.exe
winmgmt /regserver
C:\Windows\system32\sc.exe
sc config winmgmt start= auto
C:\Windows\system32\net.exe
net start winmgmt
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4556,i,2029050989380753659,15333598055019363793,262144 --variations-seed-version --mojo-platform-channel-handle=4532 /prefetch:8
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /s /b *.mof *.mfl
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\aeinv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AgentWmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AgentWmiUninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\appbackgroundtask.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\appbackgroundtask_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AuditRsop.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\authfwcfg.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\bcd.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\BthMtpEnum.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\cimdmtf.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\cimwin32.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\CIWmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\classlog.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\cli.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\cliegaliases.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ddp.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\dimsjob.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\dimsroam.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv1.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv1_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\dnsclientcim.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\dnsclientpsprovider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\dnsclientpsprovider_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\drvinst.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\DscCore.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\DscCoreConfProv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\dscproxy.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\DscTimer.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\dsprov.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\eaimeapi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\embeddedlockdownwmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\embeddedlockdownwmi_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\EventTracingManagement.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\fdPHost.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\fdrespub.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\fdSSDP.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\fdWNet.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\fdWSD.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\filetrace.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\firewallapi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\FolderRedirectionWMIProvider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\FunDisc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\fwcfg.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\hbaapi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\hnetcfg.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\IMAPIv2-Base.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\IMAPIv2-FileSystemSupport.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\IMAPIv2-LegacyShim.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\interop.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\IpmiDTrc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ipmiprv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\IpmiPTrc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ipsecsvc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\iscsidsc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\iscsihba.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\iscsiprf.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\iscsirem.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\iscsiwmiv2.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\iscsiwmiv2_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\kerberos.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\krnlprov.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\L2SecHC.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\lltdio.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\lltdsvc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\lsasrv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mblctr.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\MDMAppProv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\MDMAppProv_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\MDMSettingsProv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\MDMSettingsProv_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Microsoft-Windows-OfflineFiles.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Microsoft-Windows-Remote-FileSystem.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Microsoft.Uev.ManagedAgentWmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Microsoft.Uev.ManagedAgentWmiUninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mispace.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mispace_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mmc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mountmgr.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mpeval.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mpsdrv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mpssvc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\MsDtcWmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\msfeeds.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\msfeedsbs.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\msi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\msiscsi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\MsNetImPlatform.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mstsc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mstscax.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\msv1_0.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\mswmdm.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ncprov.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ncsi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ndistrace.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetAdapterCim.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetAdapterCimTrace.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetAdapterCimTraceUninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetAdapterCim_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\netdacim.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\netdacim_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetEventPacketCapture.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetEventPacketCapture_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\netnccim.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\netnccim_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetPeerDistCim.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetPeerDistCim_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\netprofm.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetSwitchTeam.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetTCPIP.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\NetTCPIP_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\netttcim.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\netttcim_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\networkitemfactory.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\newdev.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\nlasvc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\nlmcim.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\nlmcim_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\nlsvc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\npivwmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\nshipsec.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ntevt.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ntfs.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\OfflineFilesConfigurationWmiProvider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\OfflineFilesConfigurationWmiProvider_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\OfflineFilesWmiProvider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\OfflineFilesWmiProvider_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\p2p-mesh.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\p2p-pnrp.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\pcsvDevice.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\pcsvDevice_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\PNPXAssoc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\PolicMan.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\polproc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\polprocl.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\polprou.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\polstore.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\portabledeviceapi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\portabledeviceclassextension.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\portabledeviceconnectapi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\portabledevicetypes.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\portabledevicewiacompat.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\powermeterprovider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\PowerPolicyProvider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ppcRsopCompSchema.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ppcRsopUserSchema.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\PrintFilterPipelineSvc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\PrintManagementProvider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\profileassociationprovider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\PS_MMAgent.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\qmgr.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\qoswmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\qoswmitrc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\qoswmitrc_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\qoswmi_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\RacWmiProv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\rdpendp.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\rdpinit.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\rdpshell.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\refs.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\refsv1.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\regevent.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Remove.Microsoft.AppV.AppvClientWmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\rsop.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\rspndr.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\samsrv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\scersop.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\schannel.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\SchedProv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\scm.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\scrcons.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\sdbus.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\secrcw32.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\SensorsClassExtension.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ServiceModel.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\ServiceModel35.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\services.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\setupapi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\SmbWitnessWmiv2Provider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\smbwmiv2.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\smtpcons.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\sppwmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\sr.mof
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\sstpsvc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\storagewmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\storagewmi_passthru.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\storagewmi_passthru_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\storagewmi_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\stortrace.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\subscrpt.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\system.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\tcpip.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\tsallow.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\tscfgwmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\tsmf.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\tspkg.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\umb.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\umbus.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\umpass.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\umpnpmgr.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\UserProfileConfigurationWmiProvider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\UserProfileWmiProvider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\UserStateWMIProvider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\vds.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\vpnclientpsprovider.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\vpnclientpsprovider_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\vss.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WBEMCons.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wcncsvc.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WdacEtwProv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WdacWmiProv.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WdacWmiProv_Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Wdf01000.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Wdf01000Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wdigest.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WFAPIGP.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wfascim.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wfascim_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WFP.MOF
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wfs.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\whqlprov.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Win32_DeviceGuard.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\win32_encryptablevolume.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Win32_EncryptableVolumeUninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\win32_printer.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Win32_Tpm.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wininit.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\winipsec.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\winlogon.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Winsat.mof
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WinsatUninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wlan.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WLanHC.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wmi.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wmipcima.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wmipdfs.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wmipdskq.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WmiPerfClass.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WmiPerfInst.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wmipicmp.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wmipiprt.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wmipjobj.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wmipsess.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wmitimep.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WMI_Tracing.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wmp.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wmpnetwk.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wpdbusenum.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wpdcomp.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wpdfs.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wpdmtp.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wpdshext.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WPDShServiceObj.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wpdsp.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wpd_ci.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wscenter.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WsmAgent.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WsmAgentUninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WsmAuto.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wsp_fs.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wsp_fs_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wsp_health.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wsp_health_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wsp_sr.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\wsp_sr_uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WUDFx.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Wudfx02000.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\Wudfx02000Uninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\WUDFxUninstall.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\xwizards.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\000CA9FCCEA7C766DFE3B6493B9A908F.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\016A4FDC29C2CD1C06090D04CC752B4D.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\01B65BA66800FEA5CE7F4892966D7559.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\01D083B8F092E9FEF6D9C55A64A75334.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\01EA423F27498C64D3F6C297AE2BD8F2.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\020FD1D34279A20EBB3742D63B9E359A.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0232BC928C9666E5DB91EC0848F13E18.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0309255AB46E3D6CAE2056340225DDA9.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0357610A8F431F78C35A3F00FF8E7E13.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\038145628EF306DCD8FD7686C52BD131.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\03E20F6C54427A7C0DDEE97EC0898FAB.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\042E30CED0EE9B02641D0960BD5D6854.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0471EE6D56711CCAFEBCF01C57F9159A.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\04920A1D7F20A747256FB48CA8A0147B.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\04B1FC5EA475F43F0CF8815E33B5913C.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\04D5961EC17DF68D8407B772F9C7DF98.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\050F60C5DEC201482BC14E317519A6F6.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\057069C8BCE64220B28DD683690F6879.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0583E7E08D1877A324A2553D19A795EA.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\069B498336DCA76D929AAAF5631ED0A5.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\06A22D2701E90D7DDCF8AAC0522F2449.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\06DAE99BF3D429EE4946D4BF8BFF8C96.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\06DEE93B2013BBE13958B3FA0D45AEB5.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0736061F644ECE849A494F2EDE2008CE.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\086D10A6F37ED2F988C9A8EDEF53B707.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\08BF1AF6E61B8456B1D5B42769C3412C.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\08D51E934D3BA7EB8F60B6E90B6F1511.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\08F894CB142235B53617974B1893CC74.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\09329A919E0B1FEB9E13BE1D4E8C71B0.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0955A3255BE8F939592AA33CBFED6637.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\095DDA6145E278EC67897251831FDD47.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\097C63F5D2B8C4182BEB625A8287192D.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\09A251213F70FF824ABB31AACEEAC17F.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0A2DA7EA3492D7ECD2C313A8B7490FC1.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0A49A422B8A92BD87756E892C1BAEC38.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0A76D835FEE42A0F9B07455539850A30.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0A7CF62821E141ADACC0C287DDD01839.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0B21EB6E1A9BA82714E2C9FCB1DD6E8A.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0B7747DAC81B5CDD2893AAE2E4BBE034.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0BE369FFE21F5817AE0847874550D36B.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0C0B602529B4AB335EE2B6BDD125ADB2.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0C840E79E220554456F582031714D456.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0CB6D8EA6179D949B588A4D328F2A1D5.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0CBD6BDA858114EC196F6B41C2CFD3BF.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0CCAA8293392639FBA830DD578DB2C02.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0D169F54EB7176F6BF264A5F8562C98B.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0DA95863FE4B25CC2D43F0020902CB31.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0DAE6401EA75135DC71C2BF2727AE47F.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0DC0A697FFCC592B72AABF89E4FD9156.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0E68BDAB79C00E0C496F8772703BB3AB.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0EA772F1A1EDFC2AEE10CC4E22899FA7.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0EACEE5F78D8DC364E3C886DBB50601B.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0EB7B5521B8E9A713CA5D4DE1135B365.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0EBA1F7B891BD5FE808E91F1D5467AFE.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0EBDDF573C99959D239BF0ADB48A18B5.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\0F6999175ECAE7FD86A81D5F3AC1FA46.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\100C683F4F92BE5F31DCF9E5E8F8A127.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\105E698CE1AE9FA053B763F2C80120D6.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\10D697E74C7A4CC694967A7BA1861EE7.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\10EDE1FE24EBC1EBE598FDE3A051CB83.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\11992DCCFDD62BD40E85DA67BD91FF88.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\1228A6BDE4139369DF7DB4975C62A50A.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\128E25AF26A5FD60EC8421A35FE38114.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\1364A1ACC2D182FC0E95C7573ADD0308.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\13BC960D220197BCBCC7F1658C34102D.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\153FCFE945068754B72A6FC011B37613.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\160386BCC54C67562570A808003698B2.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\1641F982282E8CA70B0D93F1F2BB145B.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\1671EBB4B246E464FCB7369EAB2831EF.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\16C850723D6D606824E3600992F717AC.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\16E269CB069C7242FB610AB48045318B.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\170119984F3AA426567DD71E8458DCA1.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\172412DF1F8338E4AD006E9F9788ED2A.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\173F0B14BCB5F1B2B2258AFA66FA1F6A.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\17BCA321685944580A77D03BECECF588.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\17CF414FA1DE5CE02A5C9AC66A2D8F5E.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\180E25D92AFCF71A996BC7AC24F27DD5.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\18194DF78686FCBACD0E6868ED0E0919.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\1898EDEA64C511B1CB8EF5483101FB35.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\18B9AA34B315DE18655875C087F7E147.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\18F122357839ADA1419DDE2C541904BE.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\192325CD712AED7BF56940AD3BB9A176.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\195AE1B89E0FF6CD40670E98BAB3A608.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\198029E6BF51E6E158ECF68FF0B36E3A.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\19B9819A1C5AE6BC556E1A65834AEC13.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\1A62F8CF28E9ED8FBDCEA3D28AC6D3EF.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\1AA085F45F04FFF42F8B23EE4B1DD6D5.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\1AEA6E68EBB34016ED94F24ABB9308E5.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\1B15F9EA2C8E8A55CC1CBE63FB6B4840.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\1B1859A081E5E0E923DE7CA17A3AD0E6.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\1B243182F610F39F48F63ED2AAF2E4C6.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\1BF02F5F261B4F6E08912C82760B1564.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\1C57A0A063E5D1FAE814B23DFF99DA42.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\1C6A987B4B0CF81C64F418964D02E590.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\1D17F2812D61D6A27510A5356CBCB2C6.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\1D2F2472E8915C165DD3667793DD6216.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\1D39564B78F00E3F6ED4B4A5662781B2.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\1D3D7B63AE783F3DBBD4FD9F43301BD1.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\1D770486C382CDC6F1CD832E1D040FEF.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\1D8E83D3077F05426D7F5E7C92A52BC2.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\1DD21D310EE87FB8B3301E43E53F9548.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\1E3959634C12CA1C92AEBB0AB0A0CD47.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\1E50D6323FD92D3DDCD8B52937074C9C.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\1ED415C5FAB66F75A8BD9D906ED1FD79.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\1F539B7D89D5675D5FBC71A5A1E7C62D.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\1F5D7EA255DEC718E6C93AFC61039C12.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\1FD16EA55AB471DAD65A8AE31A92BFE1.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\20916DA71EC75FCC409872C3207D9C60.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\20EF0B41F86B67FBB71739AA19D6F941.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\210892B3C5033337B5C4FCD68AA35128.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\2131A60D40501A974386B9E42E4FC201.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\2174D8A485DAE80D1D90B7E5430F164F.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\2215A345459824E0504DB85AEBB502CE.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\22C5E271CACABCBB6D1BF416CB483DB1.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\232692AF542DAC9C19624048D7BCE0F9.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\23FFA2BEE2CFCB552EEC22762785E6B4.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\25CCB9BAD9B50F42124D935083535916.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\25CE4D0A477A7A536B1F5C9965A6C9E4.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\25E9A5A2000F7483536AEC7F5BBAD557.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\2794DD6CC13BD11ED558AA64C449E6D7.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\28DFEEAE5E755E081510079AEA4BA2DB.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\29B55D1D5A0BB6BBFD2F6F1D35B3A1BB.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\2A2AB14E79261C4C2272F4B50901244C.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\2A8F8C0C68BF867A9E2A7AB38260A4F9.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\2B416E2919A9D497584044544D3C8433.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\2BF259128A811B9C7417AEAD9F596A8E.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\2C688638F731D0D535DBB9DA2F979753.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\2C6A80FDED75E46CA733976E382559CC.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\2C7CF4E1EA79BFA00DDAAADCB67FCA96.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\2D1A849208186237BBED16B3B5D7238E.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\2DB099F474FFAB578AD726E4F2905FED.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\2DFDBD25A9B159E6B632A69ADD81F446.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\2E4D19AFECF3B4188F10CD16C8BB92E1.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\2E60A4684212330C61E1E8704A619754.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\2EC8433E19B30A13955120CB32A18CFC.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\2F0CC20947142CB05C49044919898802.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\2F58A8772B1579A81054587DFC0A68CE.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\2FA567F6FE2F89694B594B3FAC75D6DF.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\30711D4696101AA94690C8C51432F5E2.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\30A5229E4F736548D2D9FA13F92C9A82.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\30C22E5728F64CE0E1605A4A77934948.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\30C3808B55CD6C563447B44FC4E9BAD8.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\30DFAF0BD5AD387D985719F41E186AD5.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\31998CC82EC1ED985097054B275161ED.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\32057A09A1167F6F66F16DA67DF1C918.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\3209C3555EE020AE8FA1C869C6A591D9.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\320EDC28FFEC3C708AB2DDE6C70FD624.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\3281CFB9A42D9486C40C0A4D010D65E6.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\329A6D1E4413466F2111A8B0F5C0A51B.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\33295A3A1D28CAE3DFB6C5167CCAAE6F.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\33A13765948753719F44CA6F7E586909.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\33B9B81C996ACC2B2000070519028F72.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\344FC63DB23C44805CA5C08EAC26522F.mof
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\347C4407B808EB65CAFD16126D73D922.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\348C74BBB0C8791244D9BA708604211E.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\361C55667115751869AC74207D28DCE7.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\36A47C4202A2694FFD79C2BABBD02788.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\36AC724DE559C5D39EB46462A440D4E5.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\3704297DA195A3B2DADC6D89B6226662.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\371088BC97F0585065A1A08ED83172D6.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\3778D40681E80056E0C63E6CB18E9E37.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\37846654B2AF369ED3D0A3637E941D9B.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\379E5EC415D0E0A49EFDD4B3564BE048.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\37D4F7E4435BDF811F1EC2CBA1EF4A10.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\3855849167EAA03A99F4C8450E15A6ED.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\38841DF145EDAB1901F40F6B9A6AF4AA.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\38F922911FA0CAE637E5D1EB1013D0F1.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\395955902B64122A6EF58A130F284979.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\39C2F82384C755EF218F0F19FE619F80.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\3A2F8881A3B96DF2374FCEFB35545D6B.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\3A65AC537877D583303AEEF0342B5D51.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\3A75BC18F00746E3EB756A5A8AB71D56.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\3AF58951EB00AD264E4FCF4BA804D893.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\3B443485D5F96CA9554D404AA52A1633.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\3B60B0417CAF81D69389063C334577F1.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\3BB167BC6A619E5D11B40C8B9F699327.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\3BBB431B659936EB58D4574BC05768CD.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\3C03DD39D967893238742C503189BA92.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\3C11F3A2BFB9588C467B72E02345362F.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\3C90AAC6E581F57E99B164C33906BD30.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\3CA3E3E8C27409E2288B236F5F414F56.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\3D486D2EBFD5C380959985A548DC1308.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\3D7D7734943CA5F273BDA05F3E1FA20C.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\3D93BA5591BD981C5D5D6E2BEFACAA50.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\3DA405CE6ACE7B7A8320D68D317B9729.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\3EB36FAFDAE870DF05542C0B4AAAD7EF.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\3EE2F37B4639F4307BAF0C707B092F7C.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\3F78FC5E2CC6CFD8720C796D34A544F7.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\3FFDD473F026FB198DA9FA65EE71383C.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\4001CC0C4B56CFDE0493013FC1D9DD0F.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\407E61D88570FDFD5EC8891DBF9A3EBC.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\40E224B18F4493C1B8E43DBC496D8E68.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\4136DDD03841D93F3D820441F60BE055.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\413CED83449192A10E66EAD24743140E.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\42CB2CBBDCBB0DB751E51FF6B279C524.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\430091E25BA6C7FE2FE5DC31776BEACC.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\434B7316BB2FAD82DC3E5784AC46B4A0.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\43535D7A73D735DEFF9DB83057553D39.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\435A088CDF6FE7426084E4B35C1E81C7.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\435FA4D2CAB38A1853F91A3BE8F89D4E.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\4371EC94BF996AF79B062599D10C927E.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\43AC153E4DED1737C66AEC0C7EAD9430.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\43EDE2715871F08D0BEFB4C9DE69E247.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\441A12A68AB1A20902A131356BA4CF30.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\44B487D5879BCD6C593C9066936D12AD.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\44C46B87678291B7CFBF7D8A6452D98D.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\45277ADB2DA919AFFF18833506353174.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\4552656C2901FB1533D6679D49B69929.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\4561B54041D5F414CB02373F78461708.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\46F812454290EE1E870544BFEAC8C7EF.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\4795058F848A6BA6FE24E0530CE2E2DF.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\47C87AFF6DBF51980E7CA3E36C38B86B.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\4846320185EA62FBD8507FD7A9D87E61.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\48959878DDCA03B0FA77D806C7C5D743.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\49C04C47AB946E0864486F81F6E251BC.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\4B69CC652B5189D5B2136DFDC5369593.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\4B95063FF713676A54E7221DF8245C78.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\4BD7268ABFF9CFF22DA57949025E2667.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\4BE30AA8CC2C4C06B41336B9B3878B1E.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\4BE9D6CB921FE137B78AE9960CDD98B0.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\4C3FFB127B4E9B67BFACD89178DE3DA3.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\4CCFEF2D31696D11C8735BD7C8BE14B9.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\4D9BCF0F509C90FA86E1ED3A34E158A0.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\4DAE009EE0BC4B9ECA96E59E303AE1E5.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\4E20565265CAAFBDB6BA1B1C1ADA9D96.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\4E34C76D83E2430D779FE9AA17E87200.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\4E8CF66DA5DBCEE8F47DFDDF0B14DEC0.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\4E941341E008BE47EC9639A14271EBF0.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\4EA32ABEBFE9B0697C450693940F1673.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\4EB0E9424AFEF8E5D68D78C36620E253.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\4EF05404F86FAFD7EDAB80262970585E.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\4F4AD4093274B7A7FF28CDBD5AB3032C.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\4F7C501B863AFCFCE3AE018AC07191F9.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\50B277BD2B3C116DBC38CC2D1EB7D427.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\50B5B38557DC642A4BC7282A0C8C4AA2.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\50E7AE0A90085737B8F04CDF9460DBEA.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\50FC9EDA1918FBC981D89D0390125308.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\51588E4AC5E59453F329EBF5A215ACEC.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\517ED769F6478117021531216F609C27.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\51B9369C31C913E211D29AA4D91D4747.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\5232DBC5D3EE8EBCEF6CCB4213399B9A.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\5241D310A7F9B793E5E9EC39E65B7B44.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\52DF56A47A08AD380228C64827D24548.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\531218B396F02B35771F8AD1965A574A.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\5312CF8C0E1EE738404F2A6E526EB4D0.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\536E5C7121076D413E48A32D54E26EA3.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\53C2FC20B111DA763C20CFDAF7624A26.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\53C824D10974E3D64CB1537B2770F4AD.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\553C27B9785BAD9A0C6E81613DD3FCB4.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\554B4465433438F4FF7B8D7AB981B555.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\555E8EEF9A21E3F26C263316A778E15F.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\55B1D144C8C3666C687E454A80906ECE.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\563EAFFF3BF92CE3F60EAEE4EB18BBB3.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\568257F0F7CB54EB479EA5E39A4ACD57.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\5731B1CD62369AA3EF2B861A7BACB2C5.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\57985F4723464E47CF133A601D28906D.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\58766C70A633CC3A5AC9393E175CA63A.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\59481CB78111FB31D37EDAC9647FAFD8.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\5960F40D2AAABA9E743AFA7294468C25.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\59A5343CF85A83AE1E7B5EAFC71ABD66.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\59C780751B7740A822CCE33528AC1E14.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\5A7BC66EEC954487F6D9911DEAF052BE.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\5B18367075FE563AF4A12EA837278D84.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\5B4B75183FE97E2D052EE74E519015F4.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\5BE557A291C3EEB7FE628D8099DD0CD3.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\5C704EA3E7D7B64E50D00711FC13CD34.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\5C81F6E368BC71D1D45E2D9206EA3FD0.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\5C8CE9E608C8192171A5B93767FCC960.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\5CFEE986112963509926EC8912E14D25.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\5D75A4D5A6D14E6061698FB7BED0446A.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\5DFFB5C73CF04EE22E19BB74127846D8.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\5E69759D567F673B36A59095A347BF07.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\5EEE7ED3AD74F7D10B2058BB7C19B751.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\5F037A89915D44B8819F9FCFDE0B489E.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\5F08E2D70EBF81C77FA4C99A0901A6C8.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\5FC405F33502FCF8B5292EFDDD9AE4FA.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\601C41633EC4EEE1FFE41D65491BABD5.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\60B3B69ABC4366405469AA15F5B33006.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\60C90B334F5FD0AD576CC5FFCECDFA9C.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\617D2BAEB248E81618E2D9342B7323AD.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\6199F396C445A25AF1DE1CEFFF072560.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\61D0174ACBF8E43615E6DF8019C0583E.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\627EE3812DC7A5BF704C057D238F75AA.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\62FE034F36B9ACAF125049C4EB64D6A7.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\6340973172727B5EBAF0A64E92C26B73.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\6364E8D3F688917ECAE1050954B63674.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\63B2501D71A2DE162EA12C3CACF8C488.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\644B35DCD280DC69AED674005133C98E.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\64B4796A957F50D8E37415358DC4011F.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\64BE228C7C03C2D993371E5195306859.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\652B32EA4449A9E8AF422E70ACDF46E4.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\653734ED42B7A9B62F119AAB8C9521D8.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\657F8341C743B485575944BF32E0125B.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\65DE946825EFC13018FEB489315181A4.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\662DD1E431BC9D4EB784D7D662BF5114.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\66501D267ABECB2CF3315642D1881501.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\66B28EEE188E29399051A60BAF92D333.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\6717E3CAA50A3943B61329778C1DD781.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\671DBBDEA9073F2E4CCCFFF6957044E0.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\674888C18C2BA74E9DE8F74501330DC0.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\6780F8CDE9A603E0A830C9603F2F4D0B.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\6808D4839451264DD18BB2454D45479E.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\682277A939A770BB800CFE4F205D7891.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\6874681F627A133631133FDFA2B4FB8D.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\687CF9D31E514545A07747EE9CC567AB.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\68882E3FA69BD52620343D172BE84815.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\693BB2D22B37188C506A30563317E1D8.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\6984662FE0A2CC634E49E525D17376AA.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\6BCCCB82E5792A665667D7E41CC45168.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\6BFD34C0EBE9B3A34F525B51261858DF.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\6CBA7FE164696851E3674A4FC046F926.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\6CC07C0289722A5549B9C30F76C249FF.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\6CC685AEFC129C8DD86F9036F17E943C.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\6CD4AC2A2B648ABFE8F2F90A5D07829F.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\6CDB91CE30082B98FE1BEE23E422804C.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\6CE4D05BA5B97F5FAAA40312E14F0E81.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\6D15B1C3AE92D91DCD86360CCC4F53B4.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\6DADEFFF2FCEDD93F8CEF59036FEF4B9.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\6E5FACACD2BA0A27C7AE761291F7BED1.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\6F2F026E4006B8443E4D6AD8DC43B8EF.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\6F606DA76B5A34FEC3A95B874DC14C2F.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\70121DE772621FEB6480A1C9A3475D5A.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\70138AC07076B005E1CFA39BC5BD9175.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\71E680EC580A0039A775A378ECD836FF.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\7282BB1A61AFF7E0656732EE80CEB6FD.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\732BD24D0DF3B5E7191B301E55CDD6D6.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\738F657B98502C3F07A67FDC669EB8AB.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\739CB6904442C4B4092104AACB73DBB0.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\73C8F1FE9282D72F1684DA13FF1346AA.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\7402D0FB5599777D401744FC6DD201D7.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\740FBFCE4E4515C86E8C7E9D18A58DF4.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\742B2F1B414C6E566B6BDF87D12D8AA4.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\7450D0DEE62770FF1E5C905B1BAFD42E.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\74AF2F8E62D0745F958B573494C439C8.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\74E621F5E9C4849D83DAC55AC565A76B.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\757421178679BC54A733A7C4F3DAA07B.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\75B8AD308277AE2AEFCDEA0B6A7C3C0C.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\75F3B2B3A615155BFB2E7C19531A197A.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\76118EA7CDB4BF4005AD84DDF6CE2E66.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\76367CD152E34AC3DD8007741C968AF4.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\76A3CA62703735BDC186B9056247C8F7.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\7716BDB243C38A4A24E728B3817AE0F1.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\77E1FE7C589B0FE237874F7EE517A0C1.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\785C9F9CED5D122AD92D6BC91312F7FC.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\7891546B010C902B9C8DE33F55F71498.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\78C249F8A099AEA6A25F33F09F50FB47.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\7950D68C8C6F669B94D3E488F0B6BEAB.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\79EF8F616077A833BE2747809180BFA5.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\79FE6B25E5B132F33880B7F44A66B758.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\7C6FCEE9F64D2CC890D867AB97DEE424.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\7C7E3220AE92EC87E0436ADE3F5D9931.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\7D1DA389789509D61D1AB66097581992.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\7D60FA9CA39C59A4B7C96DEFCF0B1B01.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\7D8C933AA5FE34FA3316DA4B6E09E654.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\7DD87359B51EDB79AC235F97E726EF5A.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\7E12C6950CA7714D731D5313649CA457.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\7E19C857E35FA8D70E57B0F1CB21E5C7.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\7E856BB33FFDA1141B90AC29735FB9FA.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\7EAB83B6B5BC37690D2D1B3E22DF7D9E.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\7F3DC6EFFFDCCEBC37B17C2FDC124638.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\7FAB1F3A2B36D6EA27A3DB4EC39C7BD0.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\7FAC187A43CA71A854CA4653D8E075B5.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\80064700E82C89F9D3E945021BA8C32C.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\80571CB6E9439E1C98BA9AC3FA28D3A9.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\8096010E847A7DE3A3F69A61002DD563.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\8151A5CF9B90099D16EDB3EADE4C8CD3.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\818B866A009B1338C5AC103B2D8E2372.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\81FCAC08918AF581FDCB45931E356981.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\8243D67DDA3785DAD59ACF70CFC203DE.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\8266DC592F01723A90239C659F1FA6C7.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\82DA351296066664DEB012FCCF6D07AA.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\82DA415A8C75204A2D758E6DAD53BC36.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\82DFEA0FE38074528C86FA0695FC7E37.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\82FED0C3319594CCF4117CB3B34B5F72.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\8349431AF468BA55DBFB84FC50CC17C5.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\83E1D5D490B9335941305F44058A6755.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\843980BE43ABA52AC77C57DF068D59B1.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\846AC8E6E788D5BDCFBB697A233A8993.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\84BA101DF0936E1318EE1EB10539C9CD.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\84EBC179129822B0E00C47B7528F1FDC.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\84FD82C473BCBDEA6CFCD53DF80D6022.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\8588C815441547988C5E4B9CC6CF7351.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\85917F125E29280A85EDFCDC3B0C8170.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\868B5F1DDD5C341C50C0D359CD22F37B.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\869B30EA34E0F5E56CCBB130AAC2BFA1.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\86CAC2AF84F4546D81A07C72C8591F6A.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\86F4330E57637679ACB9F17E5F9481D1.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\86F83A7235F3DC2A6FCDEC052E1E1C74.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\87218B3AEA759A53DCCA78D6B9BBC66F.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\875B0EAE58DBE30E13A8DB610457D0AD.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\87C0585DEAE72716889B524A66D1B5A3.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\886EC825992F9DCB7AF34306DA80E12D.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\88C20208CDD4638C0381F2B7EC657564.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\8935BD8F59955F30D52E141E311891AB.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\8999FA8F96032A452671DE654F9BAD9C.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\89FA1168564BA2D42E7C412972B44BB5.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\8BA44FC08995F15033A9F5D56C8BFC72.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\8BC8F7B477D3C6C3184AD0372AEE53F6.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\8BDE235F11AF9276AB26638F45341094.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\8BF0E140F8F40D230143B569A1BAE507.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\8C11323D7C773C8A79C1C61EB62FE331.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\8CB4C42331F0F4BBCC8E1580131EDCE2.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\8CBA2BE847D0B28A440C5F24567B0891.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\8DB46DD597956632ECDB18D7B2BDF70E.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\8DB9DE86229327C5777721E4A01FB6B4.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\8E733CB38D1CDCF7377912244F95A3ED.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\8E84BA6D260667ADAAD89BFECDD627CB.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\8ECBCCCC7B4A9C11EC33A03B6E25EA5B.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\8EE122F840F244E3AE065AF9ADB16CCD.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\8F07ADF9734C090207F52CC2C29F17AF.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\8F1ECB08E7908F5D543B0D9386C0EE1B.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\8FAA7CD5955A0D5862A90FAA2B0A56F4.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\8FCABF54BDCC2D55C8203E3B81BAC5FF.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\901B1F181D1D82C168094975DEFB52F3.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\902F9B116F0B37B699E9A1D4BB1E2784.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\90B516E096C71C814FF03EE3F4B20042.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\92EFA8432E609D6F315DD0A3CB41E1E8.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\930C5E176BA9A3D78B730BC00CDDF64E.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\945C37C794BCB294DBA8E445FF2C9DB6.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\9476FC534A628F39C9E25CA2F2B7B45E.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\94D3468248838C60F808E50FC66A40D0.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\953349B5ECB359DD058D07088EA31408.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\95C6129A16411671ED974764CC24C800.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\95E06CE9FC028717015354732A36A6C1.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\960C76B3B2B322906970277571EF6F3C.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\966B95F249EDF54D9BE98C23AD9B758A.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\9694C920807304FD0F9730304298FBFC.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\96E2369FBCFC254F09B1EA2AF6E7641A.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\97479A7EBC4B4FA9A0F0C7EF9A25471D.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\9772382673B9BD1FECD8DED342DC39F8.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\9787DADF23D03D83A63DC8237E63E3EB.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\979FEF94607A8F13E19684C45FAA30EE.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\97C10655E91CC076C4E294C0127D974B.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\97D74F86BDAAADB7B4674A2E199ED992.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\9823053171CF53F4038B0801004F87BC.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\98A650FE1443CF2F953B6628EE432373.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\99BB0F4219E2381969DCE76BF639AC68.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\99BFB05D8CE546325B5205C32233A3BD.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\9A977B776702BB9FBB29D1FCCF5F778B.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\9B0C875B0F6F2F48FB2B5C587F50979C.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\9B1ABD0CEAE78416529CB8D77CEE7B3A.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\9B75C712017ED3DA97BEA0D4949BFA74.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\9B7AE939DC5E63135058FA28EB025C7C.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\9B9501A9E26093612D20F39A895DA307.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\9C1784EBA4E907589027FCF72DE4C0AD.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\9C44AA8B16C47059241530441BCD6DD9.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\9C531048714B59E157A371D1186F796E.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\9CFE6E9E20D61400007C08E31ED048B4.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\9D40E5B032950BC9770539F90AD86275.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\9DB628ECA9373F2BA3BCBB592AF60665.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\9DEA7F87EAEC9FF8770E55D5A6D8CC91.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\9E8B373EB1451CC4B43C871707D12D3D.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\9ED719089FF4652F4929D88C64B6A1AD.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\9EF608904C4706610FDA20D08530978E.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\9F39E54D6756FE5D64BB6FED194D0894.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\9FC7214EDE76F8AE24F96A8195852557.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\9FD6F6552A18165F88BF080B1B4DF1DD.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\A03E3718C1B8425EB481A1EC4850275F.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\A067787F4F1B728DE125898181C42609.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\A0A63361726BDAE3BC29B11F7526AFE6.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\A0CC7ED8939B47C1ED00EB9F04D19EB0.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\A0DE0DD786E0E9020C3DFD7004E42694.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\A16EB1FCF4FDFE5542D9FE85FCF4F0E0.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\A269D70CB8C799952AAD6684D1506485.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\A2D118894CA6FCC71ACC7DD86296B7A8.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\A30FD18C5DC0924B89944F8ADE638E27.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\A396597A6767121F681B483A4B28ABDB.mof
C:\Windows\System32\wbem\mofcomp.exe
mofcomp C:\Windows\System32\wbem\AutoRecover\A39A3B3270FEF11AE8ACF901E67BE359.mof
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| GB | 52.123.242.9:443 | | tcp |
| GB | 52.123.242.49:443 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\39C8.tmp\39C9.tmp\39CA.bat
| MD5 | 37893f40606e44ae8c4df07d20ca87bf |
| SHA1 | 8d9cf4fe4576756d623d3b39c947e92b24f40794 |
| SHA256 | 7ddce7b8887d0fe1ed38e3c7e9a9f8e246f3f8f97198b100429762ad842621db |
| SHA512 | 1eafda889387ffb95e85ccdcb61037e7092fbd7b256610606b951994835424fa606f3c39397b8df79130c6073fed5505ab07edbc1d7309a28fd4a6e608c9a77e |
C:\Windows\System32\wbem\Performance\WmiApRpl.ini
| MD5 | a656a56b1fda4aa28383160ba6ebea3b |
| SHA1 | bda09bb6f5f28f5470147113e93d46a02853dfe1 |
| SHA256 | 639cf8acd1fe25a19b9841c9262b4227fcc33bb6658919d31b10ab849253b318 |
| SHA512 | fbc74c738bbebb6265688ebec7a6bce18f5a59e98a5417701e5565d5c6e1f8c350da000005fc7441f8a4622043d4a8fd62efe54308cfa59f4ce9ed027dadebae |
C:\Windows\System32\wbem\Performance\WmiApRpl.h
| MD5 | 1cc4c3b9bb1657be77939f0b565e315d |
| SHA1 | 6a7ff123e96da6f7fb0fd9b7d7600bfc3540ee25 |
| SHA256 | 9eb3cbb0f65809845890159efdab0ff5a910da34252e7d5cff2929cc2fa6ab6a |
| SHA512 | fd461013902cf1f89485efc1cbdd07bc294253a1b60d9950e27cdb12937cbb39e3491ddb5dfdc4386df87fa44ee4ca9b3be01d7048850337ff9d68156eea78ef |
C:\Windows\System32\perfc011.dat
| MD5 | eef14d868d4e0c2354c345abc4902445 |
| SHA1 | 173c39e29dbe6dfd5044f5f788fa4e7618d68d4d |
| SHA256 | 9f32176066529c5699d45728fcad1bccce41d19dded4649b49cb24f7eef9ce7f |
| SHA512 | c926f13a0fc900dd7d740e2d7d33cdd1902ece0bfb44b6e1f5fed6ffd348c3e7d71089fb9792e38799e8df6573bc09e67bbe132cf9c2ae0a7199534dc5d959ee |
C:\Windows\System32\perfc007.dat
| MD5 | 1bd26a75846ce780d72b93caffac89f6 |
| SHA1 | ff89b7c5e8c46c6c2e52383849bbf008bd91d66e |
| SHA256 | 55b47d0f965800c179a78314b6489d02788a44fa2ce00f68b2d860440216927a |
| SHA512 | 4f5e14637e9e89700f1ee2d0e575d26d4f3d164d859487f1471bf4410dec6d0d7dbf552c6f791c12388be035c6b974610cda8882c6394438e2220b79e4d74e9e |
C:\Windows\System32\perfh007.dat
| MD5 | 82d7f8765db25b313ecf436572dbe840 |
| SHA1 | da9ed48d5386a1133f878b3e00988cbf4cdebab8 |
| SHA256 | 3053aa67e9cb37cd6f9645ef3bec8d43b1863afd852d3860ea73fcd83c7010c3 |
| SHA512 | 59766b408b548dc020b54c79a426b361112c33c7263c16ca2e69485dadca05fb4c63b6433063e77c6a9e28a43ec6d3c8206ea702a33b79151fa6309d83b316a8 |
C:\Windows\System32\perfh009.dat
| MD5 | 407f4fed9a4510646f33a2869a184de8 |
| SHA1 | e2e622f36b28057bbfbaee754ab6abac2de04778 |
| SHA256 | 64a9d789cc9e0155153067c4354e1fc8baf3aa319fa870a2047482450811f615 |
| SHA512 | 1d420ea7ac787df81bbc1534e8fac89227f54fffff70c08c6d2da385762e6c5766448ab4a47aae1c5cbc671776522b6fb6d9c27870b505ae101462bce912867e |
C:\Windows\System32\perfh00A.dat
| MD5 | 4e62108a0d4a00aa39624f4f941d2595 |
| SHA1 | 7fbff1d3ac293c715a303ac37da0ceb12591028b |
| SHA256 | 3df3adaa8bd1ec4dd99bf304c7a1b0d513097fbeb8648efad4b127c5522c3263 |
| SHA512 | c79a483e4012d8c97f4a2188fdc27ea04bae24993b12487551872f1413a1a0884197dc71d13ba1dfd32c9b2c93089761f6f3ec37f0bb19e209dbf19283462126 |
C:\Windows\System32\perfc00A.dat
| MD5 | 6d4b430c2abf0ec4ca1909e6e2f097db |
| SHA1 | 97c330923a6380fe8ea8e440ce2c568594d3fff7 |
| SHA256 | 44f8db37f14c399ea27550fa89787add9bfd916ffb0056c37f5908b2bac7723e |
| SHA512 | cf28046fb6ab040d0527d7c89870983c02a110e9fe0ecf276395f080a3bd5745b920a79b3ce3bb820d7a5a878c0d13c37f67f4b5097245c5b93ca1111c1e830b |
C:\Windows\System32\perfh00C.dat
| MD5 | b87c7ea0e738fc61eb32a94fbd6c6775 |
| SHA1 | 0e730aa70900f623205b93cb1d6e11be4c0d51b5 |
| SHA256 | 6cd8b09f644b22c39e02af26b57580baa0fbed01b682d158b29c676d17dac5c0 |
| SHA512 | 4bad64af992b17a5700cf25ccfa299b2db5be846b8bc28233fa6987964994a34694eb53329ede8d04092298e4b16f06563e459692c210111e0420ee34468f23d |
C:\Windows\System32\perfh010.dat
| MD5 | af84da8efc4350425986bd8d1f9e4aa2 |
| SHA1 | d475f5d5003d2152d8f9d976fd762b474e0857fc |
| SHA256 | 802e68c2a17427e31589ee76fba78534fa56612d7b20dcdba0c468b06be13e75 |
| SHA512 | 6ef39476f69635ef1891deb43f251f4077030b3478d771409c84940f9f6128ee4850ee04687cda923816421935ba3cd06ca3e381a3af9e3e17f105f5aa9fc7c6 |
C:\Windows\System32\perfh011.dat
| MD5 | 906500b906ff5714abfb310609a6207e |
| SHA1 | e085597f06df2b986f482f37d6077247d76c0cba |
| SHA256 | 82df03abd566227a4ec99ceae023f79d5886e93b425ecc4a54f53452593f60f1 |
| SHA512 | 54c5b7cc290aeb34c93c7c1301d90aac2a1190d6e92893b86264682d91930df9e91c644a00c566841031efc3a0c71322106b8c1ce679e026930094c778e77b96 |
C:\Windows\System32\perfc010.dat
| MD5 | d4b57c62c54e6f62c2239177730248d8 |
| SHA1 | 7d81fe1eac0d666aaa01064cbcdf51c1d44db819 |
| SHA256 | 7fb738ffc037deb30ac1aa843af1dfed6772fcae0055e409ff6f5cd7b651716b |
| SHA512 | 9939e6835587f814ab575a4ba616f151ef649bac79b207b3536fe38228ebfd55ce50d1bd17d4dc3c11aefc8d421a7c20bee13ffc4a314915a7e50a5e4ce13e6f |
C:\Windows\System32\perfc00C.dat
| MD5 | 6adbb878124fcd6561655718f12bff5f |
| SHA1 | 1711619dda04178fb47eea6658da6ad52f6cf660 |
| SHA256 | 0b16ac631d596f85f0062dbe5da238c0745bd4c033207cba2508465c7c7983cf |
| SHA512 | 88ec8b3c4670970900ef8fdaf0865e24a5bbc9c0ca375eb6ce12e8d8a3ec08c8a45dfc8ae3c7f4ff1974d5e4b53e0905c5dffadb852e730eb8097a22cd750006 |
Analysis: behavioral32
Detonation Overview
Submitted
2024-06-26 20:50
Reported
2024-06-26 20:55
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
274s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\FN-TOOLZ-main\serial_checker.bat"
C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get model, serialnumber
C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get serialnumber
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get serialnumber
C:\Windows\System32\Wbem\WMIC.exe
wmic baseboard get serialnumber
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_computersystemproduct get uuid
C:\Windows\system32\getmac.exe
getmac
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-06-26 20:50
Reported
2024-06-26 20:56
Platform
win10v2004-20240508-en
Max time kernel
3s
Max time network
4s
Command Line
Signatures
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\nvrl64.exe
"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\nvrl64.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7678.tmp\7679.tmp\767A.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\nvrl64.exe"
C:\Windows\system32\netsh.exe
NETSH WINSOCK RESET
C:\Windows\system32\netsh.exe
NETSH INT IP RESET
C:\Windows\system32\netsh.exe
NETSH INTERFACE IPV4 RESET
C:\Windows\system32\netsh.exe
NETSH INTERFACE IPV6 RESET
C:\Windows\system32\netsh.exe
NETSH INTERFACE TCP RESET
C:\Windows\system32\netsh.exe
NETSH INT RESET ALL
C:\Windows\system32\ipconfig.exe
IPCONFIG /RELEASE
C:\Windows\system32\ipconfig.exe
IPCONFIG /RELEASE
C:\Windows\system32\ipconfig.exe
IPCONFIG /FLUSHDNS
C:\Windows\system32\nbtstat.exe
NBTSTAT -R
C:\Windows\system32\nbtstat.exe
NBTSTAT -RR
C:\Windows\System32\Wbem\WMIC.exe
WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7678.tmp\7679.tmp\767A.bat
| MD5 | 7933f4bcf196e8ef425998cc9f1a8a91 |
| SHA1 | d9a4d1d104425c5e3ccb17581351e5b61d96d69d |
| SHA256 | 15bf3321b57e08f6cc80c72e7a1ad54eea4ff27d2faccdd8dd10cc5e4adb26fc |
| SHA512 | 52f0e5d0ba1224b9ffa6bbb9d1ef365288304581d536b3187f69396049a6ff1190c4feb2ee303b5bec46e688843956532911a7dd3bb75a9cb785d4fb358010b5 |
Analysis: behavioral29
Detonation Overview
Submitted
2024-06-26 20:50
Reported
2024-06-26 20:55
Platform
win10v2004-20240508-en
Max time kernel
93s
Max time network
203s
Command Line
Signatures
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\tm.exe
"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\tm.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\40D2.tmp\40D3.tmp\40D4.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\tm.exe"
C:\Windows\system32\PING.EXE
ping /n 1 localhost
C:\Windows\system32\PING.EXE
ping /n 1 localhost
C:\Windows\system32\PING.EXE
ping /n 1 localhost
C:\Windows\system32\PING.EXE
ping /n 2 localhost
Network
Files
C:\Users\Admin\AppData\Local\Temp\40D2.tmp\40D3.tmp\40D4.bat
| MD5 | 54d18c0e0a34808017e53029d7875c09 |
| SHA1 | bca96014c545bd02f964cc3dd368b5c6ce9f2963 |
| SHA256 | 6be64439c492ac7d840e56b01ba9691f30fbad8e9b296bfe55d0abbb2edc5fae |
| SHA512 | 95712df3c3bb07e561d778b0f95f9ab0a93def2d7111123dff22898565d059b10dc0ca13b1d528ed00ec77c511451d452b033bf8bf40898cb53eb9378f32a6b2 |
Analysis: behavioral27
Detonation Overview
Submitted
2024-06-26 20:50
Reported
2024-06-26 20:56
Platform
win10v2004-20240611-en
Max time kernel
166s
Max time network
203s
Command Line
Signatures
Stops running service(s)
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\reg.exe | N/A |
| Delete value | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\reg.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Delete value | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Windows\system32\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\reg.exe | N/A |
| Delete value | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\system32\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\reg.exe | N/A |
| Delete value | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor | C:\Windows\system32\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\reg.exe | N/A |
| Delete value | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate | C:\Windows\system32\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\reg.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry key
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\tcs.exe
"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\tcs.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3A3A.tmp\3A4B.tmp\3A4C.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\tcs.exe"
C:\Windows\system32\taskkill.exe
taskkill /f /im epicgameslauncher.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteLauncher.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im OneDrive.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im UnrealCEFSubProcess.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im CEFProcess.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im EasyAntiCheat.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im BEService.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im BEServices.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im BattleEye.exe
C:\Windows\system32\sc.exe
Sc stop EasyAntiCheat
C:\Windows\system32\sc.exe
Sc stop FortniteClient-Win64-Shipping_EAC
C:\Windows\system32\sc.exe
Sc stop BattleEye
C:\Windows\system32\sc.exe
Sc stop FortniteClient-Win64-Shipping_BE
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping_EAC.exe: B1 8A B0 E9 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\EasyAntiCheat\EasyAntiCheat_Setup.exe: 73 D5 4B 11 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping.exe: E7 CB 84 E9 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"
C:\Windows\system32\reg.exe
reg delete "HKU\.Dreg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Description: "Provides integrated security and services for online multiplayer games."" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat\GamesInstalled: "217;"" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Type: 0x00000010" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Start: 0x00000003" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\WOW64: 0x0000014C" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Type: 0x00000010" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Start: 0x00000003" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\WOW64: 0x0000014C" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ObjectName: "LocalSystem"" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Description: "Provides integrated security and services for online multiplayer games. /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d r23571 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d r11624 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {be2185} /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {fefefee6518-4274-14890-10415} /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {fefefe4869-3649-6662-14780} /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d r7987 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d r14323 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d r3445 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {randomd31774-14153-12867-13851} /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {BE7602} /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {22847-11408-18915-28806} /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {29558-28170-31825-32483} /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 14506 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 10706 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 4628 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 8331-28706-24157-21211 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 30015 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {5673-17434-19818-26756} /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 24770-3924-8685-8871 /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f
C:\Windows\system32\reg.exe
REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v InstallDate /t REG_SZ /d 31896 /f
C:\Windows\system32\reg.exe
REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v ProductId /t REG_SZ /d 2393 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\System\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 18060 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\System\CurrentControlSet\Control\WMI\Security /v 671a8285-4edb-4cae-99fe-69a15c48c0bc /t REG_SZ /d 2815 /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d TS-eac5684 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d TS-17628 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {eac31295} /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {TS-16242-882-29080-23012} /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {TS-9530-8502-4918-19343} /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d TS-30441 /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 14683 /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 8049 /f
C:\Windows\system32\reg.exe
reg delete"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WMI\Security\" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSVendor /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSReleaseDate /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemProductName /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemManufacturer /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
Network
Files
C:\Users\Admin\AppData\Local\Temp\3A3A.tmp\3A4B.tmp\3A4C.bat
| MD5 | 873801eea220f0bab74d86c1eaa30361 |
| SHA1 | c5c91e41c37e53b94ba899694e95949f1bca07be |
| SHA256 | 26a8eede65d9e6a1ab4c450f8dc4be010792c13483380aeb47ef082da8a278b3 |
| SHA512 | 48a3039c93146af7f1102d5290cde08cb09c0a4d74500cf2df0050d6a68e728c3a2e00961221de05f376c044c0e223a10e2d2cf57a915662a929ba7e9345dc48 |