Malware Analysis Report

2025-03-15 00:53

Sample ID 240626-zmtl5awbpj
Target FN-TOOLZ-main.zip
SHA256 4a5b27ec785d877333ae182ea185179b3979295d6a417e62bf49ffb921ddf113
Tags
evasion themida trojan persistence privilege_escalation execution ransomware defense_evasion impact spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Behavioral analyses, in report order, each with the sections Detonation Overview, Command Line, Signatures, Processes, Network, Files:

behavioral11, behavioral15, behavioral20, behavioral31, behavioral13, behavioral5, behavioral8, behavioral9, behavioral17, behavioral3, behavioral4, behavioral10, behavioral16, behavioral18, behavioral19, behavioral23, behavioral24, behavioral1, behavioral2, behavioral22, behavioral25, behavioral12, behavioral6, behavioral21, behavioral30, behavioral7, behavioral14, behavioral28, behavioral32, behavioral26, behavioral29, behavioral27

Analysis Overview

score
10/10

SHA256

4a5b27ec785d877333ae182ea185179b3979295d6a417e62bf49ffb921ddf113

Threat Level: Known bad

The file FN-TOOLZ-main.zip was found to be: Known bad.

Malicious Activity Summary

evasion themida trojan persistence privilege_escalation execution ransomware defense_evasion impact spyware stealer

Deletes NTFS Change Journal

Nirsoft

Disables service(s)

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Deletes shadow copies

Clears Windows event logs

Stops running service(s)

Server Software Component: Terminal Services DLL

Event Triggered Execution: Component Object Model Hijacking

Modifies system executable filetype association

Reads user/profile data of web browsers

Themida packer

Checks BIOS information in registry

Drops startup file

Enumerates connected drives

Drops desktop.ini file(s)

Maps connected drives based on registry

Checks whether UAC is enabled

Power Settings

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Drops file in Windows directory

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Enumerates physical storage devices

Kills process with taskkill

Modifies registry key

Checks processor information in registry

Uses Volume Shadow Copy service COM API

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Runs ping.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Gathers network information

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Modifies Internet Explorer settings

Uses Volume Shadow Copy WMI provider

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious behavior: LoadsDriver

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Uses Task Scheduler COM API

Interacts with shadow copies

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-26 20:50

Signatures

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (40 identical rows)

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-26 20:50

Reported

2024-06-26 20:56

Platform

win10v2004-20240611-en

Max time kernel

219s

Max time network

276s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hwinfo64.exe"

Signatures

Drops file in Windows directory

Processes

C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hwinfo64.exe

"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hwinfo64.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3BC1.tmp\3BC2.tmp\3BD2.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hwinfo64.exe"

Network

Files

C:\Users\Admin\AppData\Local\Temp\3BC1.tmp\3BC2.tmp\3BD2.bat

MD5 b167ed32d02958ecb5da9970588d75bd
SHA1 9e228b33c211ee61643e8552274d02f5ed0364b8
SHA256 bfe45fae74d911a3b6be21e044f061526362206af32d608aad05d1dc0002098f
SHA512 8bf1ea0765ccc924e95f57e69e2502efa75d86242338091ca939ac8830db6b991a9b4901d7c1a83c3fae6eaaef27a35f462abb32d2a5913203917834d5be00a3

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-26 20:50

Reported

2024-06-26 20:56

Platform

win10v2004-20240611-en

Max time kernel

223s

Max time network

275s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\kwg.exe"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4024 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\kwg.exe C:\Windows\system32\cmd.exe
PID 4024 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\kwg.exe C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\kwg.exe

"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\kwg.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3662.tmp\3663.tmp\3664.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\kwg.exe"

Network

Files

C:\Users\Admin\AppData\Local\Temp\3662.tmp\3663.tmp\3664.bat

MD5 981d727788f3a19185770ef07422f665
SHA1 c385d4b29e675d66e5e5321df58c2c2f8aff011c
SHA256 da0eed270a5528d0d85611d1f01952aee01bc5637481509e7e61cac17fe2edde
SHA512 7a49aa1647f2f6b4376ea7161d4de955fef8672bc5ae27bbdd759d0434e4f9301e46f22e8d3f02e920818999cf22cdbe05f2c9303f24c4f0ab2ca50d9dd4c6ad

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-26 20:50

Reported

2024-06-26 20:56

Platform

win10v2004-20240226-en

Max time kernel

228s

Max time network

310s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\luiapi.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\luiapi.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3808 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

Network

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-26 20:50

Reported

2024-06-26 20:56

Platform

win10v2004-20240611-en

Max time kernel

292s

Max time network

305s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FN-TOOLZ-main\applecleaner.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\FN-TOOLZ-main\applecleaner.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\FN-TOOLZ-main\applecleaner.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\FN-TOOLZ-main\applecleaner.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A (6 identical rows)

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\FN-TOOLZ-main\applecleaner.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FN-TOOLZ-main\applecleaner.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FN-TOOLZ-main\applecleaner.exe

"C:\Users\Admin\AppData\Local\Temp\FN-TOOLZ-main\applecleaner.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im EpicGamesLauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Battle.net.exe

Network

Files

memory/4268-0-0x00007FF76F930000-0x00007FF7702D2000-memory.dmp

memory/4268-1-0x00007FFB6EC10000-0x00007FFB6EC12000-memory.dmp

memory/4268-2-0x00007FF76F930000-0x00007FF7702D2000-memory.dmp

memory/4268-3-0x00007FF76F930000-0x00007FF7702D2000-memory.dmp

memory/4268-4-0x00007FF76F930000-0x00007FF7702D2000-memory.dmp

memory/4268-5-0x00007FF76F930000-0x00007FF7702D2000-memory.dmp

memory/4268-6-0x00007FF76F930000-0x00007FF7702D2000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-26 20:50

Reported

2024-06-26 20:56

Platform

win10v2004-20240611-en

Max time kernel

234s

Max time network

276s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsg.exe"

Signatures

Enumerates physical storage devices

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A
N/A N/A C:\Windows\system32\ipconfig.exe N/A
N/A N/A C:\Windows\system32\ipconfig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2204 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsg.exe C:\Windows\system32\cmd.exe
PID 2204 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsg.exe C:\Windows\system32\cmd.exe
PID 452 wrote to memory of 1020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 452 wrote to memory of 1020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 2204 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsg.exe C:\Windows\system32\cmd.exe
PID 2204 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsg.exe C:\Windows\system32\cmd.exe
PID 4900 wrote to memory of 3288 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 4900 wrote to memory of 3288 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 2204 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsg.exe C:\Windows\system32\cmd.exe
PID 2204 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsg.exe C:\Windows\system32\cmd.exe
PID 3824 wrote to memory of 4128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 3824 wrote to memory of 4128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 2204 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsg.exe C:\Windows\system32\cmd.exe
PID 2204 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsg.exe C:\Windows\system32\cmd.exe
PID 2204 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsg.exe C:\Windows\system32\cmd.exe
PID 2204 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsg.exe C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsg.exe

"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsg.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ipconfig /flushdns > nul 2> nul

C:\Windows\system32\ipconfig.exe

ipconfig /flushdns

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ipconfig /release > nul 2> nul

C:\Windows\system32\ipconfig.exe

ipconfig /release

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ipconfig /renew > nul 2> nul

C:\Windows\system32\ipconfig.exe

ipconfig /renew

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c .\reset_adapters.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pause

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4112,i,1305347165619645738,15927664461101562802,262144 --variations-seed-version --mojo-platform-channel-handle=4256 /prefetch:8

Network

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-26 20:50

Reported

2024-06-26 20:56

Platform

win10v2004-20240611-en

Max time kernel

198s

Max time network

206s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\ccl.exe"

Signatures

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\ccl.exe

"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\ccl.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\51AA.tmp\51AB.tmp\51AC.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\ccl.exe"

C:\Windows\system32\taskkill.exe

taskkill /f /im EscapeFromTarkov.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im EscapeFromTarkov_BE.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im BsgLauncher.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\51AA.tmp\51AB.tmp\51AC.bat

MD5 eb8db91c18a62f691408bb0b176d21f6
SHA1 975b3e870d68d404d6f4caefb83e0e94edff15f8
SHA256 0f0dddce6005eca40546a881aff76cddbc6b609845c1a9266f03fbdb9245cd74
SHA512 e3fc3edbc26a826fa136f5da9be1230ce2c4d6f24f7b0d4345abfdacde1f890b7592bc8dcc03758b400abed6d565528f4edecd712a205d2ad5849120275b9caf

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-26 20:50

Reported

2024-06-26 20:56

Platform

win10v2004-20240611-en

Max time kernel

134s

Max time network

205s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hssft.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hssft.exe

"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hssft.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3681.tmp\3682.tmp\3693.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hssft.exe"

Network

Files

C:\Users\Admin\AppData\Local\Temp\3681.tmp\3682.tmp\3693.bat

MD5 981d727788f3a19185770ef07422f665
SHA1 c385d4b29e675d66e5e5321df58c2c2f8aff011c
SHA256 da0eed270a5528d0d85611d1f01952aee01bc5637481509e7e61cac17fe2edde
SHA512 7a49aa1647f2f6b4376ea7161d4de955fef8672bc5ae27bbdd759d0434e4f9301e46f22e8d3f02e920818999cf22cdbe05f2c9303f24c4f0ab2ca50d9dd4c6ad

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-26 20:50

Reported

2024-06-26 20:56

Platform

win10v2004-20240508-en

Max time kernel

227s

Max time network

243s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hwbd64.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hwbd64.exe

"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hwbd64.exe"

Network

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-26 20:50

Reported

2024-06-26 20:56

Platform

win10v2004-20240508-en

Max time kernel

243s

Max time network

259s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\lsmproxy.dll

Signatures

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EB34008-F34A-4D88-BD3A-0D597908C5A4}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2D3E131-C587-49B4-8BAE-F0EE269EEB31} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{043C0DB0-345F-4715-BD44-BB53FE1CC603}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6344A5B7-EF1C-47BA-98B7-28C664427793} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{75A446C5-40B7-41D3-8D53-292652C04121} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CFF90F7-F175-4277-BF0A-408906B22B75} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98167041-8333-4947-9D72-D65D5A751C11} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A46A6E50-0994-4639-AADA-296488B58AC1} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1B7DE7A-4E77-43DB-AE78-96FC182FED4A}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E796D86-376C-46FE-8381-43982EDD00FE} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E796D86-376C-46FE-8381-43982EDD00FE}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CFC351CD-3795-458E-B590-34046794AB2F}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9EB34008-F34A-4D88-BD3A-0D597908C5A4}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A8105B4F-7D5A-402B-AAC0-FD85DAECF94C}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ABDE9756-B57E-4BD3-A393-C70F9ED04277} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ABDE9756-B57E-4BD3-A393-C70F9ED04277}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A8A5D71-D95B-4DCD-915E-F9F6D31879AD}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6344A5B7-EF1C-47BA-98B7-28C664427793}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{517F87FE-597A-4672-8555-6DAF1C8C788D}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{c2d3e131-c587-49b4-8bae-f0ee269eeb31}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D10B48B-C531-4731-9BDE-B03C28E9C61C}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{75A446C5-40B7-41D3-8D53-292652C04121}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98167041-8333-4947-9d72-d65d5a751c11} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35481B58-F46C-4254-B52C-FDC3001484C3} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1B7DE7A-4E77-43DB-AE78-96FC182FED4A}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E796D86-376C-46FE-8381-43982EDD00FE}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D10B48B-C531-4731-9BDE-B03C28E9C61C}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9EB34008-F34A-4D88-BD3A-0D597908C5A4}\ = "PSFactoryBuffer" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EB34008-F34A-4D88-BD3A-0D597908C5A4} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35481B58-F46C-4254-B52C-FDC3001484C3}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{959C5A99-177C-478E-8C3B-77E07E9BF3AA}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE5A9FEE-1C29-4AAE-A6B7-FEB0E4C96D5E}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9EB34008-F34A-4D88-BD3A-0D597908C5A4}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Tournament_Fixer\\AdditionalRuntimes\\lsmproxy.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98167041-8333-4947-9d72-d65d5a751c11}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{75A446C5-40B7-41D3-8D53-292652C04121}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98167041-8333-4947-9d72-d65d5a751c11}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A8105B4F-7D5A-402B-AAC0-FD85DAECF94C} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A8A5D71-D95B-4DCD-915E-F9F6D31879AD} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CFC351CD-3795-458E-B590-34046794AB2F}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A9052EEA-734F-41D8-978B-E32CAD12381A}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CFF90F7-F175-4277-BF0A-408906B22B75}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{02E6EC4C-96E4-42E8-B533-336916A0087D}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CFC351CD-3795-458E-B590-34046794AB2F} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A9052EEA-734F-41D8-978B-E32CAD12381A}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9EB34008-F34A-4D88-BD3A-0D597908C5A4}\InProcServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{c2d3e131-c587-49b4-8bae-f0ee269eeb31} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A46A6E50-0994-4639-AADA-296488B58AC1}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{959C5A99-177C-478E-8C3B-77E07E9BF3AA} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5C45AA3-B042-4C7D-92D8-A454106844B7}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE5A9FEE-1C29-4AAE-A6B7-FEB0E4C96D5E} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9EB34008-F34A-4D88-BD3A-0D597908C5A4} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{c2d3e131-c587-49b4-8bae-f0ee269eeb31}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5C45AA3-B042-4C7D-92D8-A454106844B7}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EB34008-F34A-4D88-BD3A-0D597908C5A4}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A8105B4F-7D5A-402B-AAC0-FD85DAECF94C}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1B7DE7A-4E77-43DB-AE78-96FC182FED4A} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{043C0DB0-345F-4715-BD44-BB53FE1CC603} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{043C0DB0-345F-4715-BD44-BB53FE1CC603}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{517F87FE-597A-4672-8555-6DAF1C8C788D}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ABDE9756-B57E-4BD3-A393-C70F9ED04277}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A8A5D71-D95B-4DCD-915E-F9F6D31879AD}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5C45AA3-B042-4C7D-92D8-A454106844B7} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6344A5B7-EF1C-47BA-98B7-28C664427793}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\lsmproxy.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A
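
How to read the COM-hijacking hit in behavioral17, as an added check that is not part of the original report: the key set regsvr32 wrote (Interface\{iid}\ProxyStubClsid32 and NumMethods for each interface, CLSID\{...} = "PSFactoryBuffer", InProcServer32 with ThreadingModel = "Both") is exactly the footprint DllRegisterServer leaves for a MIDL-generated proxy/stub DLL, and the sandbox signature fires on any InProcServer32 write. The event table does not say whether {9EB34008-F34A-4D88-BD3A-0D597908C5A4} already existed and pointed elsewhere, so a hijack of a pre-existing class is not established by these rows alone. What is established is that the class now resolves to a DLL under %LOCALAPPDATA%\Temp, a user-writable path, and that the registration was done silently (/s): any process that later instantiates that CLSID loads whatever sits at that path. The script below replays a constructed subset of the event table, extracts per-CLSID server path, class name and threading model, and tags the registration on those two axes. The event tuple layout, the regexes and the user-writable path heuristic are this example's own assumptions.

```python
"""Classify the registry footprint of a regsvr32 run: for every CLSID that
ends up with an InProcServer32 path, record where the DLL lives and whether
the surrounding keys have the shape DllRegisterServer writes for a
MIDL-generated proxy/stub DLL (PSFactoryBuffer class plus ProxyStubClsid32
keys under Interface)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: a subset of the behavioral17 event table, as
# (operation, key, value name, value data). "" names the key's default value;
# rows that only create a key carry no name/data. Assumed input shape.
SAMPLE_EVENTS: List[Tuple[str, str, Optional[str], Optional[str]]] = [
    ("Key created", r"\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EB34008-F34A-4D88-BD3A-0D597908C5A4}\ProxyStubClsid32", None, None),
    ("Key created", r"\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E796D86-376C-46FE-8381-43982EDD00FE}\ProxyStubClsid32", None, None),
    ("Key created", r"\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E796D86-376C-46FE-8381-43982EDD00FE}\NumMethods", None, None),
    ("Key created", r"\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9EB34008-F34A-4D88-BD3A-0D597908C5A4}\InProcServer32", None, None),
    ("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9EB34008-F34A-4D88-BD3A-0D597908C5A4}", "", "PSFactoryBuffer"),
    ("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9EB34008-F34A-4D88-BD3A-0D597908C5A4}\InProcServer32", "",
     r"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\lsmproxy.dll"),
    ("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9EB34008-F34A-4D88-BD3A-0D597908C5A4}\InProcServer32", "ThreadingModel", "Both"),
]

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
CLSID_RE = re.compile(r"\\Classes\\CLSID\\(" + GUID + r")(?:\\([^\\]+))?$", re.I)
IFACE_PS_RE = re.compile(r"\\Classes\\Interface\\(" + GUID + r")\\ProxyStubClsid32$", re.I)
# Heuristic (assumed): locations an unprivileged user can write to. A COM server
# loaded from here runs whatever the user, or malware running as the user, put there.
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\(?:Users\\|ProgramData\\|Windows\\Temp\\)", re.I)


@dataclass
class ClsidRecord:
    clsid: str
    class_name: Optional[str] = None
    inproc_server: Optional[str] = None
    threading_model: Optional[str] = None
    tags: List[str] = field(default_factory=list)


def analyze(events) -> Tuple[Dict[str, ClsidRecord], Set[str]]:
    """Return CLSID records keyed by upper-cased GUID, plus the IIDs for which
    a ProxyStubClsid32 key was created (the proxy/stub registration footprint)."""
    records: Dict[str, ClsidRecord] = {}
    proxied_iids: Set[str] = set()
    for op, key, name, data in events:
        m = IFACE_PS_RE.search(key)
        if m:
            proxied_iids.add(m.group(1).upper())
            continue
        m = CLSID_RE.search(key)
        if not m:
            continue
        clsid, sub = m.group(1).upper(), (m.group(2) or "").lower()
        rec = records.setdefault(clsid, ClsidRecord(clsid))
        if not op.startswith("Set value"):
            continue  # key creation alone carries no data
        if sub == "" and name == "":
            rec.class_name = data                 # CLSID\{...}\(Default)
        elif sub == "inprocserver32" and name == "":
            rec.inproc_server = data              # the DLL COM will load
        elif sub == "inprocserver32" and (name or "").lower() == "threadingmodel":
            rec.threading_model = data
    for rec in records.values():
        if rec.inproc_server and USER_WRITABLE_RE.match(rec.inproc_server):
            rec.tags.append("inproc-server-in-user-writable-path")
        if rec.class_name == "PSFactoryBuffer" and proxied_iids:
            rec.tags.append("midl-proxy-stub-registration")
    return records, proxied_iids


if __name__ == "__main__":
    recs, iids = analyze(SAMPLE_EVENTS)
    for r in recs.values():
        print(f"{r.clsid} class={r.class_name!r} server={r.inproc_server!r} "
              f"threading={r.threading_model!r} proxied_iids={len(iids)} tags={r.tags}")
```

Run against a full export of the sandbox's registry events, a record that carries only the first tag (a server in a user-writable path without the proxy/stub footprint) is the stronger hijack candidate; a record carrying both tags, as here, is a proxy/stub DLL whose only anomaly is its location, and the follow-up is to check whether the CLSID existed before the run.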

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-26 20:50

Reported

2024-06-26 20:55

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

278s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\MCCSPal.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\MCCSPal.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-26 20:50

Reported

2024-06-26 20:56

Platform

win10v2004-20240611-en

Max time kernel

234s

Max time network

259s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\MaintenanceUI.dll

Signatures

N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\MaintenanceUI.dll

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2312,i,16866810346450717340,3849854439116899380,262144 --variations-seed-version --mojo-platform-channel-handle=3832 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-26 20:50

Reported

2024-06-26 20:56

Platform

win10v2004-20240611-en

Max time kernel

223s

Max time network

206s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hwinfo32.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1476 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hwinfo32.exe C:\Windows\system32\cmd.exe
PID 1476 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hwinfo32.exe C:\Windows\system32\cmd.exe
PID 4524 wrote to memory of 956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4524 wrote to memory of 956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4524 wrote to memory of 3520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4524 wrote to memory of 3520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4524 wrote to memory of 4008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4524 wrote to memory of 4008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4524 wrote to memory of 2040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4524 wrote to memory of 2040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4524 wrote to memory of 1552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4524 wrote to memory of 1552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4524 wrote to memory of 3216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4524 wrote to memory of 3216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4524 wrote to memory of 1816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4524 wrote to memory of 1816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4524 wrote to memory of 1412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4524 wrote to memory of 1412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4524 wrote to memory of 1292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4524 wrote to memory of 1292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4524 wrote to memory of 4108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4524 wrote to memory of 4108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4524 wrote to memory of 556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4524 wrote to memory of 556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4524 wrote to memory of 4584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4524 wrote to memory of 4584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4524 wrote to memory of 3592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4524 wrote to memory of 3592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4524 wrote to memory of 4528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4524 wrote to memory of 4528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4524 wrote to memory of 1628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4524 wrote to memory of 1628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4524 wrote to memory of 4728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4524 wrote to memory of 4728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4524 wrote to memory of 1636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4524 wrote to memory of 1636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4524 wrote to memory of 2656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4524 wrote to memory of 2656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4524 wrote to memory of 1108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4524 wrote to memory of 1108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4524 wrote to memory of 4064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4524 wrote to memory of 4064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4524 wrote to memory of 3204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4524 wrote to memory of 3204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4524 wrote to memory of 1340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4524 wrote to memory of 1340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4524 wrote to memory of 2720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4524 wrote to memory of 2720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4524 wrote to memory of 5052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4524 wrote to memory of 5052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4524 wrote to memory of 5044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4524 wrote to memory of 5044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4524 wrote to memory of 4400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4524 wrote to memory of 4400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4524 wrote to memory of 3764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4524 wrote to memory of 3764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4524 wrote to memory of 4332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4524 wrote to memory of 4332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4524 wrote to memory of 2436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4524 wrote to memory of 2436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4524 wrote to memory of 820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4524 wrote to memory of 820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4524 wrote to memory of 2396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4524 wrote to memory of 2396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hwinfo32.exe

"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hwinfo32.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3F0C.tmp\3F0D.tmp\3F0E.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hwinfo32.exe"

C:\Windows\system32\taskkill.exe

taskkill /f /im epicgameslauncher.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping_BE.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteLauncher.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im OneDrive.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im EpicGamesLauncher.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im UnrealCEFSubProcess.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im CEFProcess.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im EasyAntiCheat.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im BEService.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im BEServices.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im BattleEye.exe

C:\Windows\system32\reg.exe

reg delete "HKEY_USERS\.DEFAULT\Software\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\System\GameConfigStore\Children\204ecad0-2ffb-4b38-b78e-9abdba56e0ca" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\System\GameConfigStore\Children\6b64878b-0bcf-41ea-9d66-e883da2aae74" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.eos" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\3F0C.tmp\3F0D.tmp\3F0E.bat

MD5 406afe5c97eebaea133bdc5d9daff887
SHA1 aaf7ef4e090c23a0ea516e4a9a78491a55001d24
SHA256 96aa8694fa31eb10195e148c3eb9dc15fb6247a7174cfc0b3794c805fbd5de14
SHA512 7d7a8beb15493fc9443bfb08bb9fd25715f51deb5b3bf2e0ea22b2ae354db1959836cafcb888b59773a3a720593fca606f06176e8dcbbf0c79182a37ed30c08d
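
A detection pass over the behavioral10 process tree, added as an example and not drawn from the report or from the analysed tool. Three things in that tree are worth encoding: hwinfo32.exe in %TEMP% runs a batch file from a nested %TEMP%\XXXX.tmp\XXXX.tmp\XXXX.bat path through cmd /c, the shape of a batch-to-exe wrapper (the 3693.bat dropped earlier on this page has the same shape); it does so through C:\Windows\sysnative\cmd, a name WoW64 exposes only to 32-bit processes as an alias for the 64-bit System32, so the parent is a 32-bit binary; and the batch force-kills anti-cheat and launcher processes with taskkill /f /im and force-deletes vendor and machine keys with reg delete /f. The SeDebugPrivilege rows belong to taskkill.exe, which enables that privilege to open processes it does not own; they are a side effect of taskkill /f, not a privilege escalation by hwinfo32.exe. The process records below are constructed from the process list above (the pairing of PIDs with specific command lines and the parent PID of hwinfo32.exe are assumed), and the anti-cheat watch-list is this example's own.

```python
"""Detection logic for a batch-wrapper process tree: an executable in %TEMP%
runs cmd /c on a nested %TEMP%\\XXXX.tmp\\XXXX.tmp\\XXXX.bat, and the batch
mass-kills anti-cheat/launcher processes and force-deletes registry keys."""
import re
from typing import Dict, List, Tuple

# Constructed sample (pid, ppid, image, command line) from the behavioral10
# process list. PIDs come from its WriteProcessMemory table; their pairing with
# individual command lines and the 1000 parent of hwinfo32.exe are assumed.
SAMPLE_PROCESSES: List[Tuple[int, int, str, str]] = [
    (1476, 1000, r"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hwinfo32.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hwinfo32.exe"'),
    (4524, 1476, r"C:\Windows\system32\cmd.exe",
     r'"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3F0C.tmp\3F0D.tmp\3F0E.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hwinfo32.exe"'),
    (956, 4524, r"C:\Windows\system32\taskkill.exe", "taskkill /f /im epicgameslauncher.exe"),
    (3520, 4524, r"C:\Windows\system32\taskkill.exe", "taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe"),
    (4008, 4524, r"C:\Windows\system32\taskkill.exe", "taskkill /f /im FortniteClient-Win64-Shipping_BE.exe"),
    (1552, 4524, r"C:\Windows\system32\taskkill.exe", "taskkill /f /im OneDrive.exe"),
    (3216, 4524, r"C:\Windows\system32\taskkill.exe", "taskkill /f /im EasyAntiCheat.exe"),
    (1816, 4524, r"C:\Windows\system32\taskkill.exe", "taskkill /f /im BEService.exe"),
    (4528, 4524, r"C:\Windows\system32\reg.exe", r'reg delete "HKEY_USERS\.DEFAULT\Software\Epic Games" /f'),
    (1628, 4524, r"C:\Windows\system32\reg.exe", r'reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f'),
    (4728, 4524, r"C:\Windows\system32\reg.exe", r'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f'),
    (1636, 4524, r"C:\Windows\system32\reg.exe", r'reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f'),
    (2656, 4524, r"C:\Windows\system32\reg.exe", r'reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f'),
    (1108, 4524, r"C:\Windows\system32\reg.exe", r'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f'),
]

TASKKILL_RE = re.compile(r"\btaskkill(?:\.exe)?\s+.*?/im\s+(\S+)", re.I)
REG_DELETE_RE = re.compile(r'\breg(?:\.exe)?\s+delete\s+"([^"]+)"(?:\s+/v\s+(\S+))?\s+/f\b', re.I)
# %TEMP%\XXXX.tmp\XXXX.tmp\XXXX.bat: the drop path of the batch wrapper seen on this page
BAT_WRAPPER_RE = re.compile(r"\\Temp\\[0-9A-F]{4}\.tmp\\[0-9A-F]{4}\.tmp\\[0-9A-F]{4}\.bat\b", re.I)
SYSNATIVE_RE = re.compile(r"\\sysnative\\", re.I)  # only resolvable from a 32-bit (WoW64) process
# Example watch-list (not from the report): anti-cheat images whose forced
# termination is the point of this tool, lower-cased as they appear above.
ANTI_CHEAT = {"easyanticheat.exe", "beservice.exe", "beservices.exe", "battleye.exe",
              "fortniteclient-win64-shipping_eac.exe", "fortniteclient-win64-shipping_be.exe"}


def analyze(procs) -> Dict[str, list]:
    """Walk the process records once and collect kills, registry deletions and tags."""
    by_pid = {p[0]: p for p in procs}
    f: Dict[str, list] = {"tags": [], "killed": [], "anti_cheat_killed": [],
                          "reg_deleted": [], "hklm_deleted": []}
    for pid, ppid, image, cmdline in procs:
        parent = by_pid.get(ppid)
        # batch-to-exe wrapper: exe in %LOCALAPPDATA%\Temp launching its nested .bat
        if BAT_WRAPPER_RE.search(cmdline) and parent and "\\appdata\\local\\temp\\" in parent[2].lower():
            f["tags"].append("temp-exe-runs-nested-tmp-batch")
        if SYSNATIVE_RE.search(cmdline):
            f["tags"].append("sysnative-cmd-from-32bit-parent")
        m = TASKKILL_RE.search(cmdline)
        if m and "/f" in cmdline.lower().split():
            name = m.group(1).lower()
            f["killed"].append(name)
            if name in ANTI_CHEAT:
                f["anti_cheat_killed"].append(name)
        m = REG_DELETE_RE.search(cmdline)
        if m:
            f["reg_deleted"].append((m.group(1), m.group(2)))
            if m.group(1).upper().startswith(("HKEY_LOCAL_MACHINE", "HKLM")):
                f["hklm_deleted"].append(m.group(1))  # machine-wide, needs admin
    if f["anti_cheat_killed"]:
        f["tags"].append("anti-cheat-termination")
    if len(f["reg_deleted"]) >= 3:
        f["tags"].append("vendor-registry-wipe")
    f["tags"] = sorted(set(f["tags"]))
    return f


if __name__ == "__main__":
    for k, v in analyze(SAMPLE_PROCESSES).items():
        print(f"{k}: {v}")
```

The HKLM deletions (the com.epicgames.launcher class and the SystemStartOptions value under CurrentControlSet\Control) only succeed if the wrapper already runs elevated; in a non-elevated sandbox run they fail silently behind the /f flag, so the process tree looks the same either way and the tag should be read as intent, not as confirmed effect.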

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-26 20:50

Reported

2024-06-26 20:56

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

54s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\lsm.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\lsm.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-26 20:50

Reported

2024-06-26 20:56

Platform

win10v2004-20240611-en

Max time kernel

299s

Max time network

304s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\lstelemetry.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\lstelemetry.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
BE 2.17.107.114:443 www.bing.com tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 114.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-26 20:50

Reported

2024-06-26 20:56

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

206s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\luainstall.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\luainstall.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-26 20:50

Reported

2024-06-26 20:56

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

278s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\mciwave.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\mciwave.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 187.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-26 20:50

Reported

2024-06-26 20:56

Platform

win10v2004-20240611-en

Max time kernel

219s

Max time network

209s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\mfc70.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1368 wrote to memory of 3024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1368 wrote to memory of 3024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1368 wrote to memory of 3024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\mfc70.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\mfc70.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 20:50

Reported

2024-06-26 20:52

Platform

win10v2004-20240508-en

Max time kernel

106s

Max time network

114s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\FN-TOOLZ-main\FNCLEAN.bat"

Signatures

Disables service(s)

evasion execution

Stops running service(s)

evasion execution

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Modifies system executable filetype association

persistence

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133639086792631678" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4950C79-806D-4ECE-9DB1-11B34D33F514}\Version\ = "1.0" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\CLASSES\WbemScripting.SWbemObjectPath.1 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\VersionIndependentProgID\ = "SyncEngineFileInfoProvider.SyncEngineFileInfoProvider" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5C659258-E236-11D2-8899-00104B2AFB46} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{6A821279-AB49-48F8-9A27-F6C59B4FF024}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{55F7B88D-A254-4B22-B7BB-FCDBBA1AFA32}\TypeLib\ = "{0438D53A-9A57-423C-9E54-9612C4576257}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\FileSyncClient.AutoPlayHandler.1\CLSID\ = "{5999E1EE-711E-48D2-9884-851A709F543D}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C2FEEEAC-CFCD-11D1-8B05-00600806D9B6}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A571F412-E3D2-4A32-BF42-1D3B2203FF17} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\ = "SharedOverlayHandler Class" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\Programmable C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\ = "ToastActivator Class" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0C0B0642-1DEB-43DF-8032-7A9BF5811A74}\Version C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\odopen\shell\open C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C2FEEEAC-CFCD-11D1-8B05-00600806D9B6}\VersionIndependentProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{75718C9A-F029-11D1-A1AC-00C04FB6C223} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EC231970-6AFD-4215-A72E-97242BB08680} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemNamedValueSet.1\ = "WBEM Scripting Named Value Collection 1.0" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WMISnapinAbout.1 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{B54E7079-90C9-4C62-A6B8-B2834C33A04A} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\ = "IFileSyncOutOfProcServices" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{466F31F7-9892-477E-B189-FA5C59DE3603}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{33831ED4-42B8-11D2-93AD-00805F853771} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}\ = "IFileInformationProvider" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\odopen\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\ProgID C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider\CurVer C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{75718C9A-F029-11D1-A1AC-00C04FB6C223}\TypeLib C:\Windows\system32\regsvr32.exe N/A

Runs net.exe

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 628 wrote to memory of 3528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cacls.exe
PID 628 wrote to memory of 3528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cacls.exe
PID 628 wrote to memory of 1428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 628 wrote to memory of 1428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 628 wrote to memory of 3076 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 628 wrote to memory of 3076 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 628 wrote to memory of 3264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 628 wrote to memory of 3264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 628 wrote to memory of 5100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 628 wrote to memory of 5100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 628 wrote to memory of 3780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 628 wrote to memory of 3780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 628 wrote to memory of 3188 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 628 wrote to memory of 3188 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 628 wrote to memory of 3060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 628 wrote to memory of 3060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 628 wrote to memory of 3532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 628 wrote to memory of 3532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 628 wrote to memory of 1676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 628 wrote to memory of 1676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 628 wrote to memory of 2892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 628 wrote to memory of 2892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 628 wrote to memory of 2524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 628 wrote to memory of 2524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 628 wrote to memory of 3500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 628 wrote to memory of 3500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 628 wrote to memory of 820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 628 wrote to memory of 820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 628 wrote to memory of 3600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 628 wrote to memory of 3600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 628 wrote to memory of 4956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 628 wrote to memory of 4956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 628 wrote to memory of 2528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 628 wrote to memory of 2528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 628 wrote to memory of 400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 628 wrote to memory of 400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 628 wrote to memory of 4636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 628 wrote to memory of 4636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 628 wrote to memory of 1680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 628 wrote to memory of 1680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1680 wrote to memory of 3824 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1680 wrote to memory of 3824 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 628 wrote to memory of 5112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 628 wrote to memory of 5112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 628 wrote to memory of 4292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 628 wrote to memory of 4292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 628 wrote to memory of 1280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 628 wrote to memory of 1280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 628 wrote to memory of 3960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 628 wrote to memory of 3960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 628 wrote to memory of 4532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 628 wrote to memory of 4532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 628 wrote to memory of 4436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 628 wrote to memory of 4436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 628 wrote to memory of 1768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 628 wrote to memory of 1768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 628 wrote to memory of 864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 628 wrote to memory of 864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 628 wrote to memory of 4056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 628 wrote to memory of 4056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 628 wrote to memory of 5012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 628 wrote to memory of 5012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 628 wrote to memory of 3328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 628 wrote to memory of 3328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\FN-TOOLZ-main\FNCLEAN.bat"

C:\Windows\system32\cacls.exe

"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"

C:\Windows\system32\taskkill.exe

taskkill /f /im epicgameslauncher.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping_BE.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteLauncher.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im OneDrive.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im EpicGamesLauncher.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im UnrealCEFSubProcess.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im CEFProcess.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im EasyAntiCheat.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im BEService.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im BEServices.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im BattleEye.exe

C:\Windows\system32\sc.exe

Sc stop EasyAntiCheat

C:\Windows\system32\sc.exe

Sc stop FortniteClient-Win64-Shipping_EAC

C:\Windows\system32\sc.exe

Sc stop BattleEye

C:\Windows\system32\sc.exe

Sc stop FortniteClient-Win64-Shipping_BE

C:\Windows\system32\sc.exe

sc config winmgmt start= disabled

C:\Windows\system32\net.exe

net stop winmgmt /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop winmgmt /y

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir /b *.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s appbackgroundtask.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s cimwin32.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s DMWmiBridgeProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s DMWmiBridgeProv1.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s dnsclientcim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s dnsclientpsprovider.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s Dscpspluginwkr.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s dsprov.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s EmbeddedLockdownWmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s esscli.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s EventTracingManagement.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s fastprox.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s ipmiprr.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s ipmiprv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s KrnlProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s MDMAppProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s MDMSettingsProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s Microsoft.AppV.AppVClientWmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s Microsoft.Uev.AgentWmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s MMFUtil.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s mofd.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s mofinstall.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s msdtcwmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s msiprov.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s NCProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s ndisimplatcim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s NetAdapterCim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s netdacim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s NetEventPacketCapture.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s netnccim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s NetPeerDistCim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s netswitchteamcim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s NetTCPIP.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s netttcim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s nlmcim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s ntevt.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s PolicMan.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s PrintManagementProvider.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s qoswmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s RacWmiProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s repdrvfs.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s schedprov.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s ServDeps.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s SMTPCons.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s stdprov.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s vdswmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s viewprov.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s vpnclientpsprovider.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s vsswmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemcntl.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemcons.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemcore.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemdisp.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemess.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemprox.dll

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0x80,0x108,0x7ffc19acab58,0x7ffc19acab68,0x7ffc19acab78

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1540 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2224 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3024 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4272 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4684 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4124 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4436 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3060 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4320 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3104 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4104 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3132 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4860 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3132 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4356 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc096e46f8,0x7ffc096e4708,0x7ffc096e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,1641416480451424712,5456917777122669342,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,1641416480451424712,5456917777122669342,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,1641416480451424712,5456917777122669342,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1641416480451424712,5456917777122669342,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1641416480451424712,5456917777122669342,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="336.0.1687205155\620404844" -parentBuildID 20230214051806 -prefsHandle 1776 -prefMapHandle 1768 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {72c0f628-a591-416b-8be9-4fa4b46f3744} 336 "\\.\pipe\gecko-crash-server-pipe.336" 1868 1f5aa11a558 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="336.1.1259090993\135693298" -parentBuildID 20230214051806 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d2d4b49-de10-47a6-bb36-6f1e2e427b96} 336 "\\.\pipe\gecko-crash-server-pipe.336" 2392 1f595e89f58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="336.2.2095034817\409581324" -childID 1 -isForBrowser -prefsHandle 3160 -prefMapHandle 2936 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e782b676-812a-4735-a051-131dadd4cb3b} 336 "\\.\pipe\gecko-crash-server-pipe.336" 3064 1f5acf07758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="336.3.262397246\1532890146" -childID 2 -isForBrowser -prefsHandle 3972 -prefMapHandle 3968 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8414e907-be05-4f04-b54e-f39338aeb153} 336 "\\.\pipe\gecko-crash-server-pipe.336" 3984 1f5aede9c58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="336.4.1751320324\1555874683" -childID 3 -isForBrowser -prefsHandle 4876 -prefMapHandle 4856 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b5b13a4-1444-4367-b10b-9b95c2b8b869} 336 "\\.\pipe\gecko-crash-server-pipe.336" 4884 1f5b0f3d158 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="336.5.1106532333\1914084109" -childID 4 -isForBrowser -prefsHandle 5084 -prefMapHandle 5080 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e37147d-32ac-4bc8-8fab-17a40f14525c} 336 "\\.\pipe\gecko-crash-server-pipe.336" 5092 1f5b0f3d758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="336.6.287551704\1466741780" -childID 5 -isForBrowser -prefsHandle 5192 -prefMapHandle 5196 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {292e35af-2b16-4b5b-8b06-616a4a6b35c8} 336 "\\.\pipe\gecko-crash-server-pipe.336" 5184 1f5b0f3e958 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="336.7.606134376\416284088" -childID 6 -isForBrowser -prefsHandle 5644 -prefMapHandle 5640 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91bbb348-9a7b-4106-ba10-917bf300a59e} 336 "\\.\pipe\gecko-crash-server-pipe.336" 5656 1f5b219bf58 tab

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc19acab58,0x7ffc19acab68,0x7ffc19acab78

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1924,i,5319262632984705461,16470935029816450065,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1924,i,5319262632984705461,16470935029816450065,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2120 --field-trial-handle=1924,i,5319262632984705461,16470935029816450065,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2976 --field-trial-handle=1924,i,5319262632984705461,16470935029816450065,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2984 --field-trial-handle=1924,i,5319262632984705461,16470935029816450065,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3972 --field-trial-handle=1924,i,5319262632984705461,16470935029816450065,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4136 --field-trial-handle=1924,i,5319262632984705461,16470935029816450065,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 --field-trial-handle=1924,i,5319262632984705461,16470935029816450065,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 --field-trial-handle=1924,i,5319262632984705461,16470935029816450065,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4508 --field-trial-handle=1924,i,5319262632984705461,16470935029816450065,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3488 --field-trial-handle=1924,i,5319262632984705461,16470935029816450065,131072 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 clients2.google.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
US 8.8.4.4:53 google.com udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
N/A 127.0.0.1:55185 tcp
N/A 127.0.0.1:55192 tcp
US 8.8.8.8:53 support.mozilla.org udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
US 8.8.4.4:53 google.com udp
US 8.8.8.8:53 www.google.com udp

Files

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
\??\pipe\crashpad_4324_XVSCWARHGKCFZHWV
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\activity-stream.discovery_stream.json.tmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs-1.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore-backups\recovery.jsonlz4
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore.jsonlz4
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\926e442f-7be3-4066-9b81-2a14d7ceb28d.tmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Tabs_13363908709322015
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000003.log
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000003.log
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Session_13363908678438015
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network Action Predictor
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 20:50

Reported

2024-06-26 20:55

Platform

win10v2004-20240611-en

Max time kernel

222s

Max time network

274s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe"

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ClassGUID C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\ C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067\ C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000 C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067 C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066 C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29} C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065\ C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066 C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067 C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ContainerID C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000064\00000000 C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067\ C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ClassGuid C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\ C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065 C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LocationInformation C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000064\00000000 C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\ C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ContainerID C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\ C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ContainerID C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066 C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067 C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\ C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000066\00000000 C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000 C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065 C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000 C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Control C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000 C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ClassGuid C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Driver C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Control C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Driver C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\ C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\ C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29} C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064 C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000 C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000064\00000000 C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065\ C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe

"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\DevManView.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.211:443 www.bing.com tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 211.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-26 20:50

Reported

2024-06-26 20:56

Platform

win10v2004-20240508-en

Max time kernel

234s

Max time network

254s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\mcicda.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\mcicda.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4124,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4040 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-26 20:50

Reported

2024-06-26 20:56

Platform

win10v2004-20240611-en

Max time kernel

2s

Max time network

27s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\nvrl.exe"

Signatures

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A
N/A N/A C:\Windows\system32\ipconfig.exe N/A
N/A N/A C:\Windows\system32\ipconfig.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3756 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\nvrl.exe C:\Windows\system32\cmd.exe
PID 3756 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\nvrl.exe C:\Windows\system32\cmd.exe
PID 1080 wrote to memory of 3108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1080 wrote to memory of 3108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1080 wrote to memory of 5100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1080 wrote to memory of 5100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1080 wrote to memory of 4016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1080 wrote to memory of 4016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1080 wrote to memory of 3796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1080 wrote to memory of 3796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1080 wrote to memory of 5088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1080 wrote to memory of 5088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1080 wrote to memory of 2476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 1080 wrote to memory of 2476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 1080 wrote to memory of 3036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 1080 wrote to memory of 3036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 1080 wrote to memory of 5048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 1080 wrote to memory of 5048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 1080 wrote to memory of 556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\nbtstat.exe
PID 1080 wrote to memory of 556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\nbtstat.exe
PID 1080 wrote to memory of 2704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\nbtstat.exe
PID 1080 wrote to memory of 2704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\nbtstat.exe
PID 1080 wrote to memory of 3136 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1080 wrote to memory of 3136 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\nvrl.exe

"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\nvrl.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3E61.tmp\3E62.tmp\3E63.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\nvrl.exe"

C:\Windows\system32\netsh.exe

NETSH INT IP RESET

C:\Windows\system32\netsh.exe

NETSH INTERFACE IPV4 RESET

C:\Windows\system32\netsh.exe

NETSH INTERFACE IPV6 RESET

C:\Windows\system32\netsh.exe

NETSH INTERFACE TCP RESET

C:\Windows\system32\netsh.exe

NETSH INT RESET ALL

C:\Windows\system32\ipconfig.exe

IPCONFIG /RELEASE

C:\Windows\system32\ipconfig.exe

IPCONFIG /RELEASE

C:\Windows\system32\ipconfig.exe

IPCONFIG /FLUSHDNS

C:\Windows\system32\nbtstat.exe

NBTSTAT -R

C:\Windows\system32\nbtstat.exe

NBTSTAT -RR

C:\Windows\System32\Wbem\WMIC.exe

WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\3E61.tmp\3E62.tmp\3E63.bat

MD5 95e33c4700e0c94a4225251858b8bf49
SHA1 116d458fa09f1f7338a6303175e26e94e068c560
SHA256 ddab15d142c77b1c060fed8d8561dadb7e2d70615a096b83e9299f5d4c5d2706
SHA512 42c65d35ee3b7c05188814aeb8717a2e6d18b14085bb824debe1819e5119f82f1de08a1c8c13d159f2719e2ace314e209b9992abb5e908588ca03af01a91b370

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-26 20:50

Reported

2024-06-26 20:56

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

203s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jfg.exe"

Signatures

Enumerates physical storage devices

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A
N/A N/A C:\Windows\system32\ipconfig.exe N/A
N/A N/A C:\Windows\system32\ipconfig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2180 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jfg.exe C:\Windows\system32\cmd.exe
PID 2180 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jfg.exe C:\Windows\system32\cmd.exe
PID 448 wrote to memory of 5112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 448 wrote to memory of 5112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 2180 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jfg.exe C:\Windows\system32\cmd.exe
PID 2180 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jfg.exe C:\Windows\system32\cmd.exe
PID 1152 wrote to memory of 864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 1152 wrote to memory of 864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 2180 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jfg.exe C:\Windows\system32\cmd.exe
PID 2180 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jfg.exe C:\Windows\system32\cmd.exe
PID 2124 wrote to memory of 4868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 2124 wrote to memory of 4868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 2180 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jfg.exe C:\Windows\system32\cmd.exe
PID 2180 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jfg.exe C:\Windows\system32\cmd.exe
PID 2180 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jfg.exe C:\Windows\system32\cmd.exe
PID 2180 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jfg.exe C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jfg.exe

"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jfg.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ipconfig /flushdns > nul 2> nul

C:\Windows\system32\ipconfig.exe

ipconfig /flushdns

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ipconfig /release > nul 2> nul

C:\Windows\system32\ipconfig.exe

ipconfig /release

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ipconfig /renew > nul 2> nul

C:\Windows\system32\ipconfig.exe

ipconfig /renew

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c .\reset_adapters.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pause

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-26 20:50

Reported

2024-06-26 20:56

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

276s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\cpuz.exe"

Signatures

Clears Windows event logs

evasion ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A

Power Settings

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\wevtutil.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4116 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\cpuz.exe C:\Windows\system32\cmd.exe
PID 4116 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\cpuz.exe C:\Windows\system32\cmd.exe
PID 2960 wrote to memory of 1392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2960 wrote to memory of 1392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1392 wrote to memory of 1892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1392 wrote to memory of 1892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2960 wrote to memory of 3332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2960 wrote to memory of 3332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3332 wrote to memory of 5052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 3332 wrote to memory of 5052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 4964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 4964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 1700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 1700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 2212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 2212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 2152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 2152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 1180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 1180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 4488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 4488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 1268 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 1268 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 4768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 4768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 1848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 1848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 2728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 2728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 5048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 5048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 4932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 4932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 4532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 4532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 1216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 1216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 4856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 4856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 1592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 1592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 2416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 2416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 1308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 1308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 4832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 4832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 4084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 4084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 3000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 3000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 1000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2960 wrote to memory of 1000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\cpuz.exe

"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\cpuz.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5062.tmp\5063.tmp\5064.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\cpuz.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bcdedit

C:\Windows\system32\bcdedit.exe

bcdedit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wevtutil.exe el

C:\Windows\system32\wevtutil.exe

wevtutil.exe el

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "AMSI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "AirSpaceChannel"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Application"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "DirectShowFilterGraph"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "DirectShowPluginControl"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Els_Hyphenation/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "EndpointMapper"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "FirstUXPerf-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "ForwardedEvents"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "General Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "HardwareEvents"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "IHM_DebugChannel"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Internet Explorer"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Key Management Service"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MF_MediaFoundationDeviceMFT"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MF_MediaFoundationDeviceProxy"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MF_MediaFoundationFrameServer"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MedaFoundationVideoProc"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MedaFoundationVideoProcD3D"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationAsyncWrapper"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationContentProtection"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationDS"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationDeviceProxy"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationMP4"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationMediaEngine"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPerformance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPerformanceCore"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPipeline"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPlatform"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationSrcPrefetch"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-Client/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-Client/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-IE/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AAD/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ATAPort/General"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppID/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppSruProv"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/Informational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/HCI"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/L2CAP"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Backup"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bluetooth-Bthmini/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bluetooth-Policy/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/Call"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/RundownInstrumentation"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Cleanmgr/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DDisplay/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DDisplay/Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DLNA-Namespace/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DSC/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DSC/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DSC/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DSC/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Data-Pdf/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Deduplication/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Deduplication/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Deduplication/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Deduplication/Scrubbing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Defrag-Core/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceAssociationService/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceConfidence/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Verbose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceUpdateAgent/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Devices-Background/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D12/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D12/Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D12/PerfTiming"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D9/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3DShaderCache/Default"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectComposition/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectManipulation/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Disk/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dism-Api/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dism-Api/ExternalAnalytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dism-Api/InternalAnalytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dism-Cli/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Documents/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dot3MM/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DucUpdateAgent/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dwm-API/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dwm-Core/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dwm-Dwm/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dwm-Redir/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dwm-Udwm/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Contention"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Power"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EDP-Application-Learning/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EDP-Audit-Regular/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EDP-Audit-TCB/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EFS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ESE/IODiagnose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ESE/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapMethods-RasChap/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapMethods-RasTls/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapMethods-Sim/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapMethods-Ttls/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/EventLog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FMS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FMS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/WHC"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/BackupLog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-GPIO-ClassExtension/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-GenericRoaming/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HAL/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HelloForBusiness/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Help/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HttpService/Log"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IE-SmartScreen"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IKE/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-Broker/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-CandidateUI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-JPAPI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-JPLMP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-JPPRED/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-JPSetting/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-JPTIP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-KRAPI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-KRTIP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-OEDCompiler/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-TCCORE/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-TCTIP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-TIP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IPNAT/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IdCtrls/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IdCtrls/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Input-HIDCLASS-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-InputSwitch/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-KdsSvc/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kerberos/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/General"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-IO/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-IoTrace/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Pdc/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Pep/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Boot Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Device Enumeration Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Watchdog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-XDV/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LSA/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LSA/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LSA/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LimitsManagement/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LiveId/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LiveId/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPEG2-Video-Encoder-MFT_Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSFTEDIT/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMC"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMR"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Media-Streaming/MDE"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFCaptureEngine/MFCaptureEngine"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-Performance/SARStreamResource"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Minstore/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Minstore/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Mprddm/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Ncasvc/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NdisImPlatform/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Ndu/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Network-Connection-Broker"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Network-DataUsage/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Network-Setup/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkBridge/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkProvider/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkSecurity/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkStatus/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Networking-RealTimeCommunication/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Ntfs/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Ntfs/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Ntfs/WHC"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OLE/Clipboard-Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OOBE-FirstLogonAnim/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Core/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Plugins-Wireless/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OcpUpdateAgent/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OneBackup/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OneX/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OtpCredentialProvider/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Partition/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Partition/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PerceptionRuntime/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PerceptionSensorDataService/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Certification"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Diagnose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PhotoAcq/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PlayToManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Policy/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Policy/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Power-Meter-Polling/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintBRM/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintService-USBMon/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Privacy-Auditing/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ProcessStateManager/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/ManagementService"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Informational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PushNotification-Developer/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PushNotification-InProc/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RPC/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RRAS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RRAS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RadioManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Ras-NdisWanPacketCapture/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReFS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Regsvr32/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-Kernel-Mode-Transport/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ResetEng-Trace/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RetailDemo/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RetailDemo/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime-Graphics/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime-Networking-BackgroundTransfer/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime-Networking/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime-Web-Http/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime-WebAPI/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTAdaptiveMediaSource"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTCaptureEngine"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTMediaStreamSource"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTTranscode"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime/CreateInstance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime/Error"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBClient/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBClient/HelperClassDiagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBClient/ObjectStateDiagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBClient/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBDirect/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBDirect/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBDirect/Netmon"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBServer/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBServer/Audit"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBServer/Connectivity"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBServer/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBServer/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBServer/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBServer/Security"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Informational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SPB-ClassExtension/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SPB-HIDI2C/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Schannel-Events/Perf"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sdbus/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sdbus/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sdstor/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SearchUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SearchUI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SecureAssessment/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Adminless/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-IdentityStore/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Mitigations/KernelMode"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Mitigations/UserMode"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Netlogon/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GC/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-UserConsentVerifier/Audit"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Vault/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Perf"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SendTo/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sens/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sensors/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sensors/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension-V2/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Servicing/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SettingSync/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SettingSync/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SettingSync/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SettingSync/VerboseDebug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SetupPlatform/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AppWizCpl/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredentialProviderUser/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-LogonUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-Core/ActionCenter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-Core/AppDefaults"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-Core/LogonTasksChannel"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-Core/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-LockScreenContent/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-OpenWith/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SleepStudy/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SmartCard-Audit/Authentication"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SmartCard-DeviceEnum/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SmartScreen/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SmbClient/Audit"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SmbClient/Connectivity"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SmbClient/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SmbClient/Security"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Spellchecking-Host/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SruMon/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SrumTelemetry"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StateRepository/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StateRepository/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StateRepository/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StateRepository/Restricted"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Diagnose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Diagnose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Diagnose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Diagnose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Health"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Tiering-IoHeat/Heat"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Tiering/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorageManagement/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorageManagement/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorageSettings/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorageSpaces-ManagementAgent/WHC"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorageSpaces-SpaceManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Store/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storsvc/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Superfetch/PfApLog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sysmon/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-System-Profile-HardwareId/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SystemSettingsHandlers/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TCPIP/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TTS/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TWinAPI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TWinUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TWinUI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TZSync/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TZSync/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Maintenance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Tethering-Manager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Tethering-Station/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ThemeCPL/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Threat-Intelligence/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Time-Service-PTP-Provider/PTP-Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Time-Service/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Troubleshooting-Recommended/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Troubleshooting-Recommended/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TunnelDriver"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UAC-FileVirtualization/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UAC/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UI-Shell/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Perf"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIRibbon/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-USB-MAUSBHOST-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-USB-UCX-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-USB-USBHUB/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-USB-USBHUB3-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-USB-USBPORT/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-USB-USBXHCI-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-USB-USBXHCI-Trustlet-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UniversalTelemetryClient/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Control Panel Usage/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Control Panel/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Control Panel/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Device Registration/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Device Registration/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Profile Service/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User-Loader/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User-Loader/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserAccountControl/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserModePowerService/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/ActionCenter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceInstall"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/SchedulerOperations"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UxInit/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UxTheme/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VAN/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VDRVROOT/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VHDMP-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VHDMP-Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VIRTDISK-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VPN-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VPN/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VWiFi/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VerifyHardwareSecurity/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VerifyHardwareSecurity/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Volume/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VolumeControl/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WABSyncProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WCNWiz/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WEPHOSTSVC/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WER-PayloadHealth/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WFP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WFP/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WLAN-AutoConfig/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WLAN-Driver/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WLAN-MediaManager/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPDMCUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPNSSUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-API/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-MTPBT/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-MTPIP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-MTPUS/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WSC-SRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WUSA/Debug"

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\5062.tmp\5063.tmp\5064.bat

MD5 064bb52705e97caeee4dcbb5c72c1413
SHA1 13107d14185397ad662c08dda51a0ebe7583fbe8
SHA256 a8ef3b7eaef87d32ea17f27c2f9ad0eb46d394fc6f381972657dbae63d0bbb26
SHA512 af599892866fd6bfbe067ee1b2f15e9d201401adedf9db624d0f31d7181754a03cb4ea0fa1fb666598cdb601f212ee79a1c4b437d7e9a25dba901c8c481dc095

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-26 20:50

Reported

2024-06-26 20:56

Platform

win10v2004-20240611-en

Max time kernel

222s

Max time network

207s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\lz32.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\lz32.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-26 20:50

Reported

2024-06-26 20:56

Platform

win10v2004-20240508-en

Max time kernel

0s

Max time network

308s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\wmc.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1936 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\wmc.exe C:\Windows\system32\cmd.exe
PID 1936 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\wmc.exe C:\Windows\system32\cmd.exe
PID 5000 wrote to memory of 3644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 5000 wrote to memory of 3644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3644 wrote to memory of 3404 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3644 wrote to memory of 3404 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3644 wrote to memory of 4448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 3644 wrote to memory of 4448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 1936 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\wmc.exe C:\Windows\system32\cmd.exe
PID 1936 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\wmc.exe C:\Windows\system32\cmd.exe
PID 5000 wrote to memory of 3644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 5000 wrote to memory of 3644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3644 wrote to memory of 3404 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3644 wrote to memory of 3404 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3644 wrote to memory of 4448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 3644 wrote to memory of 4448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\wmc.exe

"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\wmc.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\45C3.tmp\45C4.tmp\45C5.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\wmc.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]

C:\Windows\System32\Wbem\WMIC.exe

wmic nic where physicaladapter=true get deviceid

C:\Windows\system32\findstr.exe

findstr [0-9]

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001

C:\Windows\system32\reg.exe

REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d 1E4CBCC388F6 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]

C:\Windows\System32\Wbem\WMIC.exe

wmic nic where physicaladapter=true get deviceid

C:\Windows\system32\findstr.exe

findstr [0-9]

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001

C:\Windows\system32\reg.exe

REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"

C:\Windows\System32\Wbem\WMIC.exe

wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv

C:\Windows\system32\netsh.exe

netsh interface set interface name="Ethernet" disable

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
N/A 224.0.0.251:5353 udp

Files

C:\Users\Admin\AppData\Local\Temp\45C3.tmp\45C4.tmp\45C5.bat

MD5 8ca2de2e300d0f8b61645529ffc75551
SHA1 058f24d2ed2016d5c8a137a5853065dbdfded102
SHA256 11e99c0caedf2b03d3c9e10c4f533a5a5a02054c0b4640e54463722474f90464
SHA512 0fe3044f7c1c4a00e4365a3f3d97489fb3931626872fca77b0f9e17bdac42ba91dd09187ea1fc2e6f1b103f608b1d80faf45d63478a22a8788b3ea9d7f6d1885

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-26 20:50

Reported

2024-06-26 20:55

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\ddc.exe"

Signatures

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1164 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\ddc.exe C:\Windows\system32\cmd.exe
PID 1164 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\ddc.exe C:\Windows\system32\cmd.exe
PID 1352 wrote to memory of 4452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1352 wrote to memory of 4452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1352 wrote to memory of 4196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1352 wrote to memory of 4196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1352 wrote to memory of 2164 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1352 wrote to memory of 2164 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1352 wrote to memory of 1692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1352 wrote to memory of 1692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1352 wrote to memory of 4048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1352 wrote to memory of 4048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1352 wrote to memory of 2656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1352 wrote to memory of 2656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1352 wrote to memory of 4832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1352 wrote to memory of 4832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1352 wrote to memory of 2316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1352 wrote to memory of 2316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1352 wrote to memory of 2960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1352 wrote to memory of 2960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1352 wrote to memory of 3480 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1352 wrote to memory of 3480 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1352 wrote to memory of 3536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1352 wrote to memory of 3536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1352 wrote to memory of 3352 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1352 wrote to memory of 3352 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1352 wrote to memory of 3512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ARP.EXE
PID 1352 wrote to memory of 3512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ARP.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\ddc.exe

"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\ddc.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4A57.tmp\4A58.tmp\4A59.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\ddc.exe"

C:\Windows\system32\taskkill.exe

taskkill /f /im EscapeFromTarkov.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im EscapeFromTarkov_BE.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im BsgLauncher.exe

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f

C:\Windows\system32\reg.exe

reg delete "HKU\S-1-5-21-860440266-1445122309-108474356-1001\Software\Epic Games\Unreal Engine\Identifiers" /va /f

C:\Windows\system32\reg.exe

reg delete "HKU\S-1-5-21-860440266-1445122309-108474356-1001\Software\Epic Games\Unreal Engine\Hardware Survey" /va /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKU\S-1-5-21-860440266-1445122309-108474356-1001\Software\Epic Games" /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 23565 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 22895 /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f

C:\Windows\system32\ARP.EXE

arp -d

Network

Country Destination Domain Proto
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\4A57.tmp\4A58.tmp\4A59.bat

MD5 cf83e40a1338ad5be3af61a5f882664d
SHA1 479a7b4bb38725f7949647161017d42fbd630ed2
SHA256 5f283ef150cd3675af8bb98ae1f270b153ef7c622d9cf86b5c84288edf6743d1
SHA512 dbf2ead0709bb6542a45f6dbc304ccdd8bd0929a48754880a0dafa18d32b427e1d416ecf695bcebda5583bb37632781bd15fb0fd1c0bfbc584dcd05916604e4e

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-26 20:50

Reported

2024-06-26 20:56

Platform

win10v2004-20240611-en

Max time kernel

270s

Max time network

279s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe"

Signatures

Deletes NTFS Change Journal

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\fsutil.exe N/A
N/A N/A C:\Windows\system32\fsutil.exe N/A
N/A N/A C:\Windows\system32\fsutil.exe N/A

Deletes shadow copies

ransomware defense_evasion impact execution

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\system32\fsutil.exe N/A
File opened (read-only) \??\D: C:\Windows\system32\fsutil.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\spp\store C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\WRITABLE.TST C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\MAPPING1.MAP C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\restore\MachineGuid.txt C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\MAPPING2.MAP C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\MAPPING3.MAP C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\OBJECTS.DATA C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\INDEX.BTR C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository C:\Windows\system32\svchost.exe N/A

Drops file in Windows directory


Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "337e3303-dfd9a03a-a" C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = a01605f6d93e56e9 C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2272 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe C:\Windows\system32\cmd.exe
PID 3584 wrote to memory of 2668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\fsutil.exe
PID 2272 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe C:\Windows\system32\cmd.exe
PID 3264 wrote to memory of 1404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\fsutil.exe
PID 2272 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe C:\Windows\system32\cmd.exe
PID 3740 wrote to memory of 1368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\fsutil.exe
PID 2272 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe C:\Windows\system32\cmd.exe
PID 836 wrote to memory of 3624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2272 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe C:\Windows\system32\cmd.exe
PID 2672 wrote to memory of 3064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3064 wrote to memory of 4136 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2272 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe C:\Windows\system32\cmd.exe
PID 4988 wrote to memory of 988 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\wbem\WMIADAP.EXE

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe

"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /d C:

C:\Windows\system32\fsutil.exe

fsutil usn deletejournal /d C:

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /d D:

C:\Windows\system32\fsutil.exe

fsutil usn deletejournal /d D:

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /d E:

C:\Windows\system32\fsutil.exe

fsutil usn deletejournal /d E:

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net stop winmgmt /Y

C:\Windows\system32\net.exe

net stop winmgmt /Y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop winmgmt /Y

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pause

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

Network


Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-26 20:50

Reported

2024-06-26 20:56

Platform

win10v2004-20240611-en

Max time kernel

170s

Max time network

299s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\tcs64.exe"

Signatures

Disables service(s)

evasion execution

Server Software Component: Terminal Services DLL

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Winmgmt\Parameters\ServiceDll = "%SystemRoot%\\system32\\wbem\\WMIsvc.dll" C:\Windows\system32\regsvr32.exe N/A

Stops running service(s)

evasion execution

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\perfc011.dat C:\Windows\system32\regsvr32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\inf\WmiApRpl\WmiApRpl.h C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Windows\inf\WmiApRpl\WmiApRpl.h C:\Windows\system32\regsvr32.exe N/A
File created C:\Windows\inf\WmiApRpl\WmiApRpl.ini C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Windows\inf\WmiApRpl\WmiApRpl.ini C:\Windows\system32\regsvr32.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A571F412-E3D2-4A32-BF42-1D3B2203FF17}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{890CB943-D715-401B-98B1-CF82DCF36D7C} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{04963311-C399-408E-AD51-05D01506EED0}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C4819C8D-9AB8-4B2F-B8AE-C77DABF553D5}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5791BC26-CE9C-11D1-97BF-0000F81E849C}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5791BC26-CE9C-11D1-97BF-0000F81E849C}\ProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\CLASSES\WBEMComLocator C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{D31B6A3F-9350-40DE-A3FC-A7EDEB9B7C63} C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{55F7B88D-A254-4B22-B7BB-FCDBBA1AFA32}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FD4F53E0-65DC-11D1-AB64-00C04FD9159E}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5791BC26-CE9C-11D1-97BF-0000F81E849C}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7E9D3B9-E62B-4A90-8CC5-A3C5F662DA7B}\Version C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1BE41571-91DD-11D1-AEB2-00C04FB68820} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25411283-46FC-4326-8DF2-FF5D34B2DFEF}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8EC9CB1-B135-4F10-8B1B-C7188BB0D186}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{6E78DAD9-E187-4D6E-BA63-760256D6F405} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DCF33DF4-B510-439F-832A-16B6B514F2A7}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5D08B586-343A-11D0-AD46-00C04FD8FDFF}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7D35CFA-348B-485E-B524-252725D697CA}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C19BE32-7500-11D1-AD94-00C04FD8FDFF}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1EF94880-01A8-11D2-A90B-00AA00BF3363} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\CLASSES\WbemScripting.SWbemLocator.1 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{4FA18276-912A-11D1-AD9B-00C04FD8FDFF} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemSink.1\ = "WBEM Scripting Sink 1.0" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemObjectPath\CurVer C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1108BE51-F58A-4CDA-BB99-7A0227D11D5E} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC9072AB-C000-49D8-A5AA-00266C8DBB9B} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4950C79-806D-4ECE-9DB1-11B34D33F514}\Version C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7E9D3B9-E62B-4A90-8CC5-A3C5F662DA7B}\TypeLib\ = "{0438D53A-9A57-423C-9E54-9612C4576257}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0C0B0642-1DEB-43DF-8032-7A9BF5811A74}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Clsid\{D215781D-019E-4FA0-903D-0CDCDE13A4F5} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JobObjectProv.JobObjectProv C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C4819C8D-9AB8-4B2F-B8AE-C77DABF553D5} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA} C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0C0B0642-1DEB-43DF-8032-7A9BF5811A74}\Version C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{C10B4771-4DA0-11D2-A2F5-00C04F86FB7D} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemSink\CLSID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A504CA2-CA90-4731-87BC-6E99CA2019AF} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{37196B38-CCCF-11D2-B35C-00105A1F8177}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JobObjLimitInfoProv.JobObjLimitInfoProv.1 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6B100E1A-1385-4D1F-A02E-6E705A76BB6C} C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7E9D3B9-E62B-4A90-8CC5-A3C5F662DA7B}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WMICntl.WMISnapin\CurVer\ = "WMICntl.WMISnapin.1" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9AED384E-CE8B-11D1-8B05-00600806D9B6}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31739D04-3471-4CF4-9A7C-57A44AE71956} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92B9503D-19C3-4181-9F42-57FFC1A4BF37}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8BEBCE8B-1AF0-4323-8B4D-36994567CAE1}\NotInsertable C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4950C79-806D-4ECE-9DB1-11B34D33F514}\TypeLib\ = "{0438D53A-9A57-423C-9E54-9612C4576257}" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EC231970-6AFD-4215-A72E-97242BB08680}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WMISnapinAbout.1\ = "Allows configuration and control of the Windows Management Instrumentation (WMI) service." C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5C659258-E236-11D2-8899-00104B2AFB46}\ProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\CLASSES\WbemScripting.SWbemSink C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{580ACAF8-FA1C-11D0-AD72-00C04FD8FDFF}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4950C79-806D-4ECE-9DB1-11B34D33F514}\Version C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemSink\CurVer\ = "WbemScripting.SWbemSink.1" C:\Windows\system32\regsvr32.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\mofcomp.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3520 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\tcs64.exe C:\Windows\system32\cmd.exe
PID 3520 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\tcs64.exe C:\Windows\system32\cmd.exe
PID 4576 wrote to memory of 4940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cacls.exe
PID 4576 wrote to memory of 4940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cacls.exe
PID 4576 wrote to memory of 2888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4576 wrote to memory of 2888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4576 wrote to memory of 4932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4576 wrote to memory of 4932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4576 wrote to memory of 5028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4576 wrote to memory of 5028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4576 wrote to memory of 3556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4576 wrote to memory of 3556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4576 wrote to memory of 2936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4576 wrote to memory of 2936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4576 wrote to memory of 3936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4576 wrote to memory of 3936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4576 wrote to memory of 4804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4576 wrote to memory of 4804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4576 wrote to memory of 2364 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4576 wrote to memory of 2364 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4576 wrote to memory of 3644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4576 wrote to memory of 3644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4576 wrote to memory of 2376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4576 wrote to memory of 2376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4576 wrote to memory of 1660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4576 wrote to memory of 1660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4576 wrote to memory of 1260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4576 wrote to memory of 1260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4576 wrote to memory of 3240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4576 wrote to memory of 3240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4576 wrote to memory of 5100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4576 wrote to memory of 5100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4576 wrote to memory of 3544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4576 wrote to memory of 3544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4576 wrote to memory of 2984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4576 wrote to memory of 2984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4576 wrote to memory of 4536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4576 wrote to memory of 4536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4576 wrote to memory of 412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4576 wrote to memory of 412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4576 wrote to memory of 3264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 4576 wrote to memory of 3264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3264 wrote to memory of 5084 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3264 wrote to memory of 5084 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4576 wrote to memory of 3000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4576 wrote to memory of 3000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4576 wrote to memory of 1776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4576 wrote to memory of 1776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4576 wrote to memory of 724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4576 wrote to memory of 724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4576 wrote to memory of 4944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4576 wrote to memory of 4944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4576 wrote to memory of 4480 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4576 wrote to memory of 4480 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4576 wrote to memory of 968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4576 wrote to memory of 968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4576 wrote to memory of 612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4576 wrote to memory of 612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4576 wrote to memory of 2936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4576 wrote to memory of 2936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4576 wrote to memory of 3208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4576 wrote to memory of 3208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4576 wrote to memory of 2488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4576 wrote to memory of 2488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe

Uses Volume Shadow Copy WMI provider

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\tcs64.exe

"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\tcs64.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\39C8.tmp\39C9.tmp\39CA.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\tcs64.exe"

C:\Windows\system32\cacls.exe

"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"

C:\Windows\system32\taskkill.exe

taskkill /f /im epicgameslauncher.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping_BE.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteLauncher.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im OneDrive.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im EpicGamesLauncher.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im UnrealCEFSubProcess.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im CEFProcess.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im EasyAntiCheat.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im BEService.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im BEServices.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im BattleEye.exe

C:\Windows\system32\sc.exe

Sc stop EasyAntiCheat

C:\Windows\system32\sc.exe

Sc stop FortniteClient-Win64-Shipping_EAC

C:\Windows\system32\sc.exe

Sc stop BattleEye

C:\Windows\system32\sc.exe

Sc stop FortniteClient-Win64-Shipping_BE

C:\Windows\system32\sc.exe

sc config winmgmt start= disabled

C:\Windows\system32\net.exe

net stop winmgmt /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop winmgmt /y

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir /b *.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s appbackgroundtask.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s cimwin32.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s DMWmiBridgeProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s DMWmiBridgeProv1.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s dnsclientcim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s dnsclientpsprovider.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s Dscpspluginwkr.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s dsprov.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s EmbeddedLockdownWmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s esscli.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s EventTracingManagement.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s fastprox.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s ipmiprr.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s ipmiprv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s KrnlProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s MDMAppProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s MDMSettingsProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s Microsoft.AppV.AppVClientWmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s Microsoft.Uev.AgentWmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s MMFUtil.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s mofd.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s mofinstall.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s msdtcwmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s msiprov.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s NCProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s ndisimplatcim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s NetAdapterCim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s netdacim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s NetEventPacketCapture.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s netnccim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s NetPeerDistCim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s netswitchteamcim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s NetTCPIP.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s netttcim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s nlmcim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s ntevt.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s PolicMan.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s PrintManagementProvider.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s qoswmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s RacWmiProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s repdrvfs.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s schedprov.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s ServDeps.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s SMTPCons.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s stdprov.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s vdswmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s viewprov.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s vpnclientpsprovider.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s vsswmi.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemcntl.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemcons.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemcore.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemdisp.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemess.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemprox.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wbemsvc.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WdacWmiProv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wfascim.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s Win32_EncryptableVolume.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s Win32_Tpm.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WinMgmtR.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WmiApRes.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WmiApRpl.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WMICOOKR.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WmiDcPrv.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wmipcima.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wmipdfs.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wmipdskq.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WmiPerfClass.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WmiPerfInst.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WMIPICMP.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WMIPIPRT.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WMIPJOBJ.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wmiprov.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WmiPrvSD.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WMIPSESS.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s WMIsvc.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wmitimep.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s wmiutils.dll

C:\Windows\System32\wbem\WmiPrvSE.exe

wmiprvse /regserver

C:\Windows\System32\wbem\WinMgmt.exe

winmgmt /regserver

C:\Windows\system32\sc.exe

sc config winmgmt start= auto

C:\Windows\system32\net.exe

net start winmgmt

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4556,i,2029050989380753659,15333598055019363793,262144 --variations-seed-version --mojo-platform-channel-handle=4532 /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir /s /b *.mof *.mfl

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\aeinv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AgentWmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AgentWmiUninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\appbackgroundtask.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\appbackgroundtask_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AuditRsop.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\authfwcfg.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\bcd.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\BthMtpEnum.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\cimdmtf.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\cimwin32.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\CIWmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\classlog.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\cli.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\cliegaliases.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ddp.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\dimsjob.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\dimsroam.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv1.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv1_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\dnsclientcim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\dnsclientpsprovider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\dnsclientpsprovider_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\drvinst.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\DscCore.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\DscCoreConfProv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\dscproxy.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\DscTimer.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\dsprov.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\eaimeapi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\embeddedlockdownwmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\embeddedlockdownwmi_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\EventTracingManagement.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\fdPHost.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\fdrespub.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\fdSSDP.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\fdWNet.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\fdWSD.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\filetrace.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\firewallapi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\FolderRedirectionWMIProvider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\FunDisc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\fwcfg.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\hbaapi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\hnetcfg.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\IMAPIv2-Base.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\IMAPIv2-FileSystemSupport.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\IMAPIv2-LegacyShim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\interop.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\IpmiDTrc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ipmiprv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\IpmiPTrc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ipsecsvc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\iscsidsc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\iscsihba.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\iscsiprf.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\iscsirem.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\iscsiwmiv2.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\iscsiwmiv2_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\kerberos.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\krnlprov.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\L2SecHC.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\lltdio.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\lltdsvc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\lsasrv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mblctr.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\MDMAppProv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\MDMAppProv_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\MDMSettingsProv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\MDMSettingsProv_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Microsoft-Windows-OfflineFiles.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Microsoft-Windows-Remote-FileSystem.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Microsoft.Uev.ManagedAgentWmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Microsoft.Uev.ManagedAgentWmiUninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mispace.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mispace_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mmc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mountmgr.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mpeval.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mpsdrv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mpssvc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\MsDtcWmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\msfeeds.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\msfeedsbs.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\msi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\msiscsi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\MsNetImPlatform.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mstsc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mstscax.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\msv1_0.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\mswmdm.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ncprov.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ncsi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ndistrace.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetAdapterCim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetAdapterCimTrace.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetAdapterCimTraceUninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetAdapterCim_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\netdacim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\netdacim_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetEventPacketCapture.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetEventPacketCapture_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\netnccim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\netnccim_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetPeerDistCim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetPeerDistCim_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\netprofm.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetSwitchTeam.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetTCPIP.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\NetTCPIP_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\netttcim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\netttcim_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\networkitemfactory.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\newdev.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\nlasvc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\nlmcim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\nlmcim_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\nlsvc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\npivwmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\nshipsec.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ntevt.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ntfs.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\OfflineFilesConfigurationWmiProvider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\OfflineFilesConfigurationWmiProvider_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\OfflineFilesWmiProvider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\OfflineFilesWmiProvider_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\p2p-mesh.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\p2p-pnrp.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\pcsvDevice.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\pcsvDevice_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\PNPXAssoc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\PolicMan.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\polproc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\polprocl.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\polprou.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\polstore.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\portabledeviceapi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\portabledeviceclassextension.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\portabledeviceconnectapi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\portabledevicetypes.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\portabledevicewiacompat.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\powermeterprovider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\PowerPolicyProvider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ppcRsopCompSchema.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ppcRsopUserSchema.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\PrintFilterPipelineSvc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\PrintManagementProvider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\profileassociationprovider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\PS_MMAgent.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\qmgr.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\qoswmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\qoswmitrc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\qoswmitrc_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\qoswmi_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\RacWmiProv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\rdpendp.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\rdpinit.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\rdpshell.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\refs.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\refsv1.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\regevent.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Remove.Microsoft.AppV.AppvClientWmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\rsop.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\rspndr.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\samsrv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\scersop.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\schannel.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\SchedProv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\scm.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\scrcons.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\sdbus.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\secrcw32.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\SensorsClassExtension.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ServiceModel.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\ServiceModel35.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\services.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\setupapi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\SmbWitnessWmiv2Provider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\smbwmiv2.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\smtpcons.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\sppwmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\sr.mof

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\sstpsvc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\storagewmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\storagewmi_passthru.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\storagewmi_passthru_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\storagewmi_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\stortrace.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\subscrpt.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\system.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\tcpip.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\tsallow.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\tscfgwmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\tsmf.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\tspkg.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\umb.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\umbus.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\umpass.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\umpnpmgr.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\UserProfileConfigurationWmiProvider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\UserProfileWmiProvider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\UserStateWMIProvider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\vds.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\vpnclientpsprovider.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\vpnclientpsprovider_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\vss.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WBEMCons.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wcncsvc.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WdacEtwProv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WdacWmiProv.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WdacWmiProv_Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Wdf01000.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Wdf01000Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wdigest.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WFAPIGP.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wfascim.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wfascim_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WFP.MOF

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wfs.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\whqlprov.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Win32_DeviceGuard.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\win32_encryptablevolume.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Win32_EncryptableVolumeUninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\win32_printer.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Win32_Tpm.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wininit.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\winipsec.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\winlogon.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Winsat.mof

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WinsatUninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wlan.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WLanHC.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmi.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmipcima.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmipdfs.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmipdskq.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WmiPerfClass.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WmiPerfInst.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmipicmp.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmipiprt.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmipjobj.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmipsess.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmitimep.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WMI_Tracing.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmp.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wmpnetwk.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wpdbusenum.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wpdcomp.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wpdfs.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wpdmtp.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wpdshext.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WPDShServiceObj.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wpdsp.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wpd_ci.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wscenter.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WsmAgent.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WsmAgentUninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WsmAuto.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wsp_fs.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wsp_fs_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wsp_health.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wsp_health_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wsp_sr.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\wsp_sr_uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WUDFx.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Wudfx02000.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\Wudfx02000Uninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\WUDFxUninstall.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\xwizards.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\000CA9FCCEA7C766DFE3B6493B9A908F.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\016A4FDC29C2CD1C06090D04CC752B4D.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\01B65BA66800FEA5CE7F4892966D7559.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\01D083B8F092E9FEF6D9C55A64A75334.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\01EA423F27498C64D3F6C297AE2BD8F2.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\020FD1D34279A20EBB3742D63B9E359A.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\0232BC928C9666E5DB91EC0848F13E18.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\0309255AB46E3D6CAE2056340225DDA9.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\0357610A8F431F78C35A3F00FF8E7E13.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\038145628EF306DCD8FD7686C52BD131.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\03E20F6C54427A7C0DDEE97EC0898FAB.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\042E30CED0EE9B02641D0960BD5D6854.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\0471EE6D56711CCAFEBCF01C57F9159A.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\04920A1D7F20A747256FB48CA8A0147B.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\04B1FC5EA475F43F0CF8815E33B5913C.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\04D5961EC17DF68D8407B772F9C7DF98.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\050F60C5DEC201482BC14E317519A6F6.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\057069C8BCE64220B28DD683690F6879.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\0583E7E08D1877A324A2553D19A795EA.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\069B498336DCA76D929AAAF5631ED0A5.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\06A22D2701E90D7DDCF8AAC0522F2449.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\06DAE99BF3D429EE4946D4BF8BFF8C96.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\06DEE93B2013BBE13958B3FA0D45AEB5.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\0736061F644ECE849A494F2EDE2008CE.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\086D10A6F37ED2F988C9A8EDEF53B707.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\08BF1AF6E61B8456B1D5B42769C3412C.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\08D51E934D3BA7EB8F60B6E90B6F1511.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\08F894CB142235B53617974B1893CC74.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\09329A919E0B1FEB9E13BE1D4E8C71B0.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\0955A3255BE8F939592AA33CBFED6637.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\095DDA6145E278EC67897251831FDD47.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\097C63F5D2B8C4182BEB625A8287192D.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\09A251213F70FF824ABB31AACEEAC17F.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\0A2DA7EA3492D7ECD2C313A8B7490FC1.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\0A49A422B8A92BD87756E892C1BAEC38.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\0A76D835FEE42A0F9B07455539850A30.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\0A7CF62821E141ADACC0C287DDD01839.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\0B21EB6E1A9BA82714E2C9FCB1DD6E8A.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\0B7747DAC81B5CDD2893AAE2E4BBE034.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\0BE369FFE21F5817AE0847874550D36B.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\0C0B602529B4AB335EE2B6BDD125ADB2.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\0C840E79E220554456F582031714D456.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\0CB6D8EA6179D949B588A4D328F2A1D5.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\0CBD6BDA858114EC196F6B41C2CFD3BF.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\0CCAA8293392639FBA830DD578DB2C02.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\0D169F54EB7176F6BF264A5F8562C98B.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\0DA95863FE4B25CC2D43F0020902CB31.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\0DAE6401EA75135DC71C2BF2727AE47F.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\0DC0A697FFCC592B72AABF89E4FD9156.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\0E68BDAB79C00E0C496F8772703BB3AB.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\0EA772F1A1EDFC2AEE10CC4E22899FA7.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\0EACEE5F78D8DC364E3C886DBB50601B.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\0EB7B5521B8E9A713CA5D4DE1135B365.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\0EBA1F7B891BD5FE808E91F1D5467AFE.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\0EBDDF573C99959D239BF0ADB48A18B5.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\0F6999175ECAE7FD86A81D5F3AC1FA46.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\100C683F4F92BE5F31DCF9E5E8F8A127.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\105E698CE1AE9FA053B763F2C80120D6.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\10D697E74C7A4CC694967A7BA1861EE7.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\10EDE1FE24EBC1EBE598FDE3A051CB83.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\11992DCCFDD62BD40E85DA67BD91FF88.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\1228A6BDE4139369DF7DB4975C62A50A.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\128E25AF26A5FD60EC8421A35FE38114.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\1364A1ACC2D182FC0E95C7573ADD0308.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\13BC960D220197BCBCC7F1658C34102D.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\153FCFE945068754B72A6FC011B37613.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\160386BCC54C67562570A808003698B2.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\1641F982282E8CA70B0D93F1F2BB145B.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\1671EBB4B246E464FCB7369EAB2831EF.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\16C850723D6D606824E3600992F717AC.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\16E269CB069C7242FB610AB48045318B.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\170119984F3AA426567DD71E8458DCA1.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\172412DF1F8338E4AD006E9F9788ED2A.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\173F0B14BCB5F1B2B2258AFA66FA1F6A.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\17BCA321685944580A77D03BECECF588.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\17CF414FA1DE5CE02A5C9AC66A2D8F5E.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\180E25D92AFCF71A996BC7AC24F27DD5.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\18194DF78686FCBACD0E6868ED0E0919.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\1898EDEA64C511B1CB8EF5483101FB35.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\18B9AA34B315DE18655875C087F7E147.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\18F122357839ADA1419DDE2C541904BE.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\192325CD712AED7BF56940AD3BB9A176.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\195AE1B89E0FF6CD40670E98BAB3A608.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\198029E6BF51E6E158ECF68FF0B36E3A.mof

C:\Windows\System32\wbem\mofcomp.exe


C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\85917F125E29280A85EDFCDC3B0C8170.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\868B5F1DDD5C341C50C0D359CD22F37B.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\869B30EA34E0F5E56CCBB130AAC2BFA1.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\86CAC2AF84F4546D81A07C72C8591F6A.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\86F4330E57637679ACB9F17E5F9481D1.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\86F83A7235F3DC2A6FCDEC052E1E1C74.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\87218B3AEA759A53DCCA78D6B9BBC66F.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\875B0EAE58DBE30E13A8DB610457D0AD.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\87C0585DEAE72716889B524A66D1B5A3.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\886EC825992F9DCB7AF34306DA80E12D.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\88C20208CDD4638C0381F2B7EC657564.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\8935BD8F59955F30D52E141E311891AB.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\8999FA8F96032A452671DE654F9BAD9C.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\89FA1168564BA2D42E7C412972B44BB5.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\8BA44FC08995F15033A9F5D56C8BFC72.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\8BC8F7B477D3C6C3184AD0372AEE53F6.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\8BDE235F11AF9276AB26638F45341094.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\8BF0E140F8F40D230143B569A1BAE507.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\8C11323D7C773C8A79C1C61EB62FE331.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\8CB4C42331F0F4BBCC8E1580131EDCE2.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\8CBA2BE847D0B28A440C5F24567B0891.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\8DB46DD597956632ECDB18D7B2BDF70E.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\8DB9DE86229327C5777721E4A01FB6B4.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\8E733CB38D1CDCF7377912244F95A3ED.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\8E84BA6D260667ADAAD89BFECDD627CB.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\8ECBCCCC7B4A9C11EC33A03B6E25EA5B.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\8EE122F840F244E3AE065AF9ADB16CCD.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\8F07ADF9734C090207F52CC2C29F17AF.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\8F1ECB08E7908F5D543B0D9386C0EE1B.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\8FAA7CD5955A0D5862A90FAA2B0A56F4.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\8FCABF54BDCC2D55C8203E3B81BAC5FF.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\901B1F181D1D82C168094975DEFB52F3.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\902F9B116F0B37B699E9A1D4BB1E2784.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\90B516E096C71C814FF03EE3F4B20042.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\92EFA8432E609D6F315DD0A3CB41E1E8.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\930C5E176BA9A3D78B730BC00CDDF64E.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\945C37C794BCB294DBA8E445FF2C9DB6.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\9476FC534A628F39C9E25CA2F2B7B45E.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\94D3468248838C60F808E50FC66A40D0.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\953349B5ECB359DD058D07088EA31408.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\95C6129A16411671ED974764CC24C800.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\95E06CE9FC028717015354732A36A6C1.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\960C76B3B2B322906970277571EF6F3C.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\966B95F249EDF54D9BE98C23AD9B758A.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\9694C920807304FD0F9730304298FBFC.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\96E2369FBCFC254F09B1EA2AF6E7641A.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\97479A7EBC4B4FA9A0F0C7EF9A25471D.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\9772382673B9BD1FECD8DED342DC39F8.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\9787DADF23D03D83A63DC8237E63E3EB.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\979FEF94607A8F13E19684C45FAA30EE.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\97C10655E91CC076C4E294C0127D974B.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\97D74F86BDAAADB7B4674A2E199ED992.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\9823053171CF53F4038B0801004F87BC.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\98A650FE1443CF2F953B6628EE432373.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\99BB0F4219E2381969DCE76BF639AC68.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\99BFB05D8CE546325B5205C32233A3BD.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\9A977B776702BB9FBB29D1FCCF5F778B.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\9B0C875B0F6F2F48FB2B5C587F50979C.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\9B1ABD0CEAE78416529CB8D77CEE7B3A.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\9B75C712017ED3DA97BEA0D4949BFA74.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\9B7AE939DC5E63135058FA28EB025C7C.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\9B9501A9E26093612D20F39A895DA307.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\9C1784EBA4E907589027FCF72DE4C0AD.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\9C44AA8B16C47059241530441BCD6DD9.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\9C531048714B59E157A371D1186F796E.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\9CFE6E9E20D61400007C08E31ED048B4.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\9D40E5B032950BC9770539F90AD86275.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\9DB628ECA9373F2BA3BCBB592AF60665.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\9DEA7F87EAEC9FF8770E55D5A6D8CC91.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\9E8B373EB1451CC4B43C871707D12D3D.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\9ED719089FF4652F4929D88C64B6A1AD.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\9EF608904C4706610FDA20D08530978E.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\9F39E54D6756FE5D64BB6FED194D0894.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\9FC7214EDE76F8AE24F96A8195852557.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\9FD6F6552A18165F88BF080B1B4DF1DD.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\A03E3718C1B8425EB481A1EC4850275F.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\A067787F4F1B728DE125898181C42609.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\A0A63361726BDAE3BC29B11F7526AFE6.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\A0CC7ED8939B47C1ED00EB9F04D19EB0.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\A0DE0DD786E0E9020C3DFD7004E42694.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\A16EB1FCF4FDFE5542D9FE85FCF4F0E0.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\A269D70CB8C799952AAD6684D1506485.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\A2D118894CA6FCC71ACC7DD86296B7A8.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\A30FD18C5DC0924B89944F8ADE638E27.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\A396597A6767121F681B483A4B28ABDB.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\A39A3B3270FEF11AE8ACF901E67BE359.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\A46C038124134B1482949A1DF8ABB385.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\A572284932D45BDC47401871C2E01043.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\A5B62AD916B641B7A8365E1C7C9C7544.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\A5E0C63B1E67223D493A65CA08D7339B.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\A71089353F923E1FA26964C3E8153739.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\A7463B23BFE582993515A0109F19D304.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\A7D7570238274B86C73F2E9009BDF74F.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\A808A31E629557CF0D5F92D5D87BD706.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\A837677C21EC0ECFEB9B10CCD2FEB0E5.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\A88BC3FD19AFFF0EF5E5DD4A97F9B953.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\A93568B935C29F9AA2B5DC62D4964431.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\A945F8B7098A596A55A7303B78BC8CF1.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\A97B345CDEAABDA620BFB72AD2A07100.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\A9FBCB4593D76446A380C3F3421BC2A7.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\AA10CCACD6B301F2187572F1FD684AC5.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\AA510EA6AD14A8BE52A7D659281F9BF3.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\AA6235372BA3751E1E4C601E6263D02E.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\AA69B9C8BBEB509BBB296FEDD7B5ED23.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\AB2AD61FC9800DD5C7751E4270E02730.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\AB3EC8C66F16D96107223E8469ACA854.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\AB545518DC0F250493CCF5B36A459568.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\AB947196AECC60D0365253863489134A.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\ABA2825A827A4760BD2251B8B781B271.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\AD20F64F9DDBB4AB72E615A132B55377.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\AD4ADD965106D211E524A76F9B368A14.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\AD6E370A764693BABD73A1B75D243F0B.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\ADEE1E4F403A605328D0002B7C6CA9C7.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\AE25594AECD77BF35F6E794162F4DD77.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\AE796E3468AD0D0C250FAA45259E22DB.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\AE8C8067E61E868B002C481CE87EBE05.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\AF451AB4377D22C64822DE9E01B1F4E8.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\AF45D4D704EA10EA55742D1B3C8C6CE2.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\AF8191ADF52F4156FF8D54FB39842A54.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\AF83007CC746311C7050A636C44C02DA.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\AFC3C909161915255AC43F522C25B858.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\AFD8B7D322EE2A1CB2BAF41EC0ADF626.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\AFE689599143A3C959EC6ED84C5AE1F9.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\AFF15E95C194C0034BFE43E5853DEE63.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\B0ABD547895829AB29B56F0812CBB823.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\B0C53BEE6C437337AB024CECEE878418.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\B10EF7584FC5D16C42403B0CA5BD4DFF.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\B1FD5C4B728DEE34C2744E42C11D8760.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\B250BBA224E8A08823993336C7CB7011.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\B25479026E9AAB36CBEBFF51AA0E32B5.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\B308B28244CE4219C4C6B3315FA83200.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\B471CD3F6DA41643CF1F5221FE3E4CF9.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\B48FFF8D8BB2AE842F6650E8DE95B954.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\B54261EAEEB4A0D8DB966E20CBEF7E52.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\B551DA824528E06A014274837CB2A9CB.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\B5DC6196F95A004EDD1453C12599676B.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\B6752671A157884075FCC12BEDFB4D69.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\B67D454E426E9AEB60ED08DCC946B44B.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\B6AF1E27DD1C8095A2887A3BECBB76EF.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\B7133C48CF1507759D1561876C9BA27B.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\B7840CBF63A47839AD6AD9F714E4D9BB.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\B789D76E1E0DE4569B56F6FE22E05621.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\B7DD4F9016C2EF03ADB325C37FC76454.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\B845DD492B0CE12D87559CED569DE6B1.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\B8870014FB74FB540F3C31EA907A2AE7.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\B9B14FBAD84A7125C53EEE7706842C5B.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\BA42233C2B9592211C49858860047F3F.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\BA4AF8E4FEBF32A044146607E11B336E.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\BAE93F9B141EC7983B2E3379E3E9119E.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\BAE9A5FB11B68C3A726881B291D669F6.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\BB9039F6B76054E97E7EFE906C52DE12.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\BCB9C29787770EE14EFCAC19CF508F66.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\BD557D61619F268BDCEA21C2BDB91514.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\BD5A24FC505850E33FAACDC4DBFAD85D.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\BD818313E410FD46A9F63786A32AEE23.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\BD880669B37B14C73AF9195DB3A20F28.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\BE8B60428F91B5F96E778F2B2C2832A5.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\BE8E9D8246C687F5C062F5D47DA1199A.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\BEB55E5308BFA4DC17987F4D0DF04295.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\BEE3F1CC0769E4FD5954E4E649614722.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\BF15B53EBA3B9699B34F0453D41230A0.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\BF7B61BA8D8284B7D0DA637AB41F6C96.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\BF7BF74A57B2030A3BB9979E14C311F1.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\C03089ABF5861ADFD1F7C923D2F9A153.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\C08E9222775EF82A98E5CDD931ACC633.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\C09DD3CA03ADBEEE3ABD0ADF668D9848.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\C0E71AD79C7DB91864FCD17ECFDE1E10.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\C1A0E85153900845F7BA78472B952007.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\C1A41FBCA25E3E6CC4CD22064882728F.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\C1D36889746E38D1BC7C314F51AC80E6.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\C1FA58EA827D44CFBEE4F63536677F65.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\C23F41A19D7EC249FDA170C05916CB8F.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\C25A6E589BBE06A55DB5B350B80152B1.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\C274B92CA0AA0BC1531712AF28602FDD.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\C291730B7DFE0290D98702FB8F8B0F1E.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\C2CD968A064AA98DCC1CC37592A142C7.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\C304206E30795E3A6539B5DF349C4270.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\C39C0F5D0934BAE90B29A93BEADC257F.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\C3C4860D945FD1716E55A2D7AFA8C55D.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\C3F80855FDF5A3E423EBABF12EB64064.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\C40B30214E633F7974F2729FAE1BC67D.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\C54E46EF4D4F454E2C3ACD269B67494E.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\C55F973EDD4E17F6A7CA6F8DC77AC2E8.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\C599AFA5A6F053BAD70179501868318E.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\C5A7A3340CB4BCC7A5C994052DAB1A78.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\C5E5CB06F45AEA0FE31FFD0A0F94194E.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\C67614C3E48ABD4BC9E709E2CEB2CE53.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\C685465F4F6FC210421DA7E9DD550821.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\C687C1EAD6B670CCBAA60909B89F62CB.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\C70550846DA118E1E660A10136A7ECA7.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\C77491DD5CBE96FF7C3528A0FD4A1410.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\C7999B0462D8EAC32E2ED3A9D0017C97.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\C7AD207ED7993A4809373AC7E5784F42.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\C8306578B5F0D111675384D271B4DAE3.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\C87E3190BEFC663A6A04D6D857ABE30E.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\C890A36E670146004F5FA6D96F4C069C.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\C98344F72C7B0FA5F30F1BF6877B4E25.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\CA1BF3536958E01F710E5995DE6EBE31.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\CA519EE48C39BDA3C1538E5565C377FA.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\CAC0434A24FA3D5F69B4858EAA050C64.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\CCFBB6F691A0FA96C5B605CD9D80173B.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\CD3047E52420EB014D24A73F8DD48F55.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\CD658FA16F96D4466BFE68FCE874D955.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\CDB59C31DC153347DDACAC08113F8015.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\CDC6E4754252FF7D0E8F3C134D265A60.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\CDDB319981A500F42CBEC98CD2362007.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\CDEEE4A36DD31A28218DBF5A1A529CFD.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\CE096445AF8F836B82205BD4E80E5A94.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\CE7FA5E0DC28E4C7BB0A2AA22DE05392.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\CF3C74ACDD4465D23E06A73A9D97DFFD.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\CF4667947FCFC2F62078D3B85CE7EF10.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\D003EAB9BB96C7DF227404C6B2582455.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\D02971809B01C7E099D44E7A1436F997.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\D04911ACFCA47446EFCB01393D3C3F8B.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\D05C15A4875D58D36F57187E7FE4496A.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\D05E5243F9713AD9C0F710C5DE549BE2.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\D06E9123D0C50409B7B9F35A8222CADA.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\D0E5935486BD6AD49D80F66B81B985DE.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\D17469C68898749E23D53128870A755C.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\D1C240EDA191362672EF6FCCB9725F85.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\D2412702F385FCB9E6709FB33EB27BDF.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\D256B700C202A9389F73688CDED83B7E.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\D2EF06310A52FBA8DF0B6BDFC0D3C664.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\D2FA07FC4043B26B5CB97692C2AAFF12.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\D3B2EC2F727A45FED5DC9D6BD0BC833D.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\D48232953788C625160D278B29B5D73D.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\D4D422DBE282F1B12C3A82517EB0D59D.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\D4F56CCD124A6B24576AF721B0282383.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\D566F9B651B60AE7D0B5DEBF57A90E35.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\D64EE91A31A31FCBEAA727029795B289.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\D69C7ED8E3B896ACD98229CB4DC363B6.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\D6E15C5FE0484F1B1192CEC9DD7DCE6A.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\D6F45CA88F2F5527EC301A7FA3FF5B8C.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\D75AD6809E604BB6F018E54A8482C928.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\D7B94FF620323D536A3B99CCAA6B78DA.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\D7E06DA4457A14F49A9A996F22881130.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\D8401E2EC2C3AFBC1A21717167BA8734.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\D8A32838B23AD6809B3B7858DA93D26B.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\D8D1C602836BEF743D38740FCA8D4B8B.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\D92BDDCE5396A2FDB5F2208AE47E7CE1.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\D9D86DD1D8501C39B4325827BB6F2270.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\D9DD8F6664E786227542BCC5FCF66D2D.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\D9E59C2E17E0CE2AC75DA8E34E9214D0.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\D9EB7BAFBC23534E43B93A69CFD89687.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\DA27AF57C09E80A784709AD6239EA23B.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\DA54B44152345FC1E1817702B2A34D5D.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\DA5B702F94B3636728C005C0E5C0A6BE.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\DA736886F13A0E2EE2265319FB376753.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\DAC96F2A49E2484740F118A3CDF28EA3.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\DAEC8125C10A9D1FB182920A9FDE141A.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\DB347A2F84FBE8E0965F9BCF8D6FD7E2.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\DB54C5562A50379EFADA86F9B3861ABC.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\DB81A681168E125300B192421B05FF69.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\DB9B568A06C456FE484FF58A5FB76350.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\DBB76BE22686E5E05D908137FA7CB031.mof

C:\Windows\System32\wbem\mofcomp.exe

mofcomp C:\Windows\System32\wbem\AutoRecover\DBC6F0EF775A987FD56E1909BCBEF6E4.mof

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
GB 52.123.242.9:443 tcp
GB 52.123.242.49:443 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\39C8.tmp\39C9.tmp\39CA.bat

MD5 37893f40606e44ae8c4df07d20ca87bf
SHA1 8d9cf4fe4576756d623d3b39c947e92b24f40794
SHA256 7ddce7b8887d0fe1ed38e3c7e9a9f8e246f3f8f97198b100429762ad842621db
SHA512 1eafda889387ffb95e85ccdcb61037e7092fbd7b256610606b951994835424fa606f3c39397b8df79130c6073fed5505ab07edbc1d7309a28fd4a6e608c9a77e

C:\Windows\System32\wbem\Performance\WmiApRpl.ini

MD5 a656a56b1fda4aa28383160ba6ebea3b
SHA1 bda09bb6f5f28f5470147113e93d46a02853dfe1
SHA256 639cf8acd1fe25a19b9841c9262b4227fcc33bb6658919d31b10ab849253b318
SHA512 fbc74c738bbebb6265688ebec7a6bce18f5a59e98a5417701e5565d5c6e1f8c350da000005fc7441f8a4622043d4a8fd62efe54308cfa59f4ce9ed027dadebae

C:\Windows\System32\wbem\Performance\WmiApRpl.h

MD5 1cc4c3b9bb1657be77939f0b565e315d
SHA1 6a7ff123e96da6f7fb0fd9b7d7600bfc3540ee25
SHA256 9eb3cbb0f65809845890159efdab0ff5a910da34252e7d5cff2929cc2fa6ab6a
SHA512 fd461013902cf1f89485efc1cbdd07bc294253a1b60d9950e27cdb12937cbb39e3491ddb5dfdc4386df87fa44ee4ca9b3be01d7048850337ff9d68156eea78ef

C:\Windows\System32\perfc011.dat

MD5 eef14d868d4e0c2354c345abc4902445
SHA1 173c39e29dbe6dfd5044f5f788fa4e7618d68d4d
SHA256 9f32176066529c5699d45728fcad1bccce41d19dded4649b49cb24f7eef9ce7f
SHA512 c926f13a0fc900dd7d740e2d7d33cdd1902ece0bfb44b6e1f5fed6ffd348c3e7d71089fb9792e38799e8df6573bc09e67bbe132cf9c2ae0a7199534dc5d959ee

C:\Windows\System32\perfc007.dat

MD5 1bd26a75846ce780d72b93caffac89f6
SHA1 ff89b7c5e8c46c6c2e52383849bbf008bd91d66e
SHA256 55b47d0f965800c179a78314b6489d02788a44fa2ce00f68b2d860440216927a
SHA512 4f5e14637e9e89700f1ee2d0e575d26d4f3d164d859487f1471bf4410dec6d0d7dbf552c6f791c12388be035c6b974610cda8882c6394438e2220b79e4d74e9e

C:\Windows\System32\perfh007.dat

MD5 82d7f8765db25b313ecf436572dbe840
SHA1 da9ed48d5386a1133f878b3e00988cbf4cdebab8
SHA256 3053aa67e9cb37cd6f9645ef3bec8d43b1863afd852d3860ea73fcd83c7010c3
SHA512 59766b408b548dc020b54c79a426b361112c33c7263c16ca2e69485dadca05fb4c63b6433063e77c6a9e28a43ec6d3c8206ea702a33b79151fa6309d83b316a8

C:\Windows\System32\perfh009.dat

MD5 407f4fed9a4510646f33a2869a184de8
SHA1 e2e622f36b28057bbfbaee754ab6abac2de04778
SHA256 64a9d789cc9e0155153067c4354e1fc8baf3aa319fa870a2047482450811f615
SHA512 1d420ea7ac787df81bbc1534e8fac89227f54fffff70c08c6d2da385762e6c5766448ab4a47aae1c5cbc671776522b6fb6d9c27870b505ae101462bce912867e

C:\Windows\System32\perfh00A.dat

MD5 4e62108a0d4a00aa39624f4f941d2595
SHA1 7fbff1d3ac293c715a303ac37da0ceb12591028b
SHA256 3df3adaa8bd1ec4dd99bf304c7a1b0d513097fbeb8648efad4b127c5522c3263
SHA512 c79a483e4012d8c97f4a2188fdc27ea04bae24993b12487551872f1413a1a0884197dc71d13ba1dfd32c9b2c93089761f6f3ec37f0bb19e209dbf19283462126

C:\Windows\System32\perfc00A.dat

MD5 6d4b430c2abf0ec4ca1909e6e2f097db
SHA1 97c330923a6380fe8ea8e440ce2c568594d3fff7
SHA256 44f8db37f14c399ea27550fa89787add9bfd916ffb0056c37f5908b2bac7723e
SHA512 cf28046fb6ab040d0527d7c89870983c02a110e9fe0ecf276395f080a3bd5745b920a79b3ce3bb820d7a5a878c0d13c37f67f4b5097245c5b93ca1111c1e830b

C:\Windows\System32\perfh00C.dat

MD5 b87c7ea0e738fc61eb32a94fbd6c6775
SHA1 0e730aa70900f623205b93cb1d6e11be4c0d51b5
SHA256 6cd8b09f644b22c39e02af26b57580baa0fbed01b682d158b29c676d17dac5c0
SHA512 4bad64af992b17a5700cf25ccfa299b2db5be846b8bc28233fa6987964994a34694eb53329ede8d04092298e4b16f06563e459692c210111e0420ee34468f23d

C:\Windows\System32\perfh010.dat

MD5 af84da8efc4350425986bd8d1f9e4aa2
SHA1 d475f5d5003d2152d8f9d976fd762b474e0857fc
SHA256 802e68c2a17427e31589ee76fba78534fa56612d7b20dcdba0c468b06be13e75
SHA512 6ef39476f69635ef1891deb43f251f4077030b3478d771409c84940f9f6128ee4850ee04687cda923816421935ba3cd06ca3e381a3af9e3e17f105f5aa9fc7c6

C:\Windows\System32\perfh011.dat

MD5 906500b906ff5714abfb310609a6207e
SHA1 e085597f06df2b986f482f37d6077247d76c0cba
SHA256 82df03abd566227a4ec99ceae023f79d5886e93b425ecc4a54f53452593f60f1
SHA512 54c5b7cc290aeb34c93c7c1301d90aac2a1190d6e92893b86264682d91930df9e91c644a00c566841031efc3a0c71322106b8c1ce679e026930094c778e77b96

C:\Windows\System32\perfc010.dat

MD5 d4b57c62c54e6f62c2239177730248d8
SHA1 7d81fe1eac0d666aaa01064cbcdf51c1d44db819
SHA256 7fb738ffc037deb30ac1aa843af1dfed6772fcae0055e409ff6f5cd7b651716b
SHA512 9939e6835587f814ab575a4ba616f151ef649bac79b207b3536fe38228ebfd55ce50d1bd17d4dc3c11aefc8d421a7c20bee13ffc4a314915a7e50a5e4ce13e6f

C:\Windows\System32\perfc00C.dat

MD5 6adbb878124fcd6561655718f12bff5f
SHA1 1711619dda04178fb47eea6658da6ad52f6cf660
SHA256 0b16ac631d596f85f0062dbe5da238c0745bd4c033207cba2508465c7c7983cf
SHA512 88ec8b3c4670970900ef8fdaf0865e24a5bbc9c0ca375eb6ce12e8d8a3ec08c8a45dfc8ae3c7f4ff1974d5e4b53e0905c5dffadb852e730eb8097a22cd750006

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-26 20:50

Reported

2024-06-26 20:55

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

274s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\FN-TOOLZ-main\serial_checker.bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\FN-TOOLZ-main\serial_checker.bat"

C:\Windows\System32\Wbem\WMIC.exe

wmic diskdrive get model, serialnumber

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get serialnumber

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get serialnumber

C:\Windows\System32\Wbem\WMIC.exe

wmic baseboard get serialnumber

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_computersystemproduct get uuid

C:\Windows\system32\getmac.exe

getmac

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-26 20:50

Reported

2024-06-26 20:56

Platform

win10v2004-20240508-en

Max time kernel

3s

Max time network

4s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\nvrl64.exe"

Signatures

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A
N/A N/A C:\Windows\system32\ipconfig.exe N/A
N/A N/A C:\Windows\system32\ipconfig.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4564 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\nvrl64.exe C:\Windows\system32\cmd.exe
PID 4564 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\nvrl64.exe C:\Windows\system32\cmd.exe
PID 3576 wrote to memory of 4788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3576 wrote to memory of 4788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3576 wrote to memory of 2924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3576 wrote to memory of 2924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3576 wrote to memory of 4048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3576 wrote to memory of 4048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3576 wrote to memory of 2020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3576 wrote to memory of 2020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3576 wrote to memory of 720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3576 wrote to memory of 720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3576 wrote to memory of 4200 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3576 wrote to memory of 4200 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3576 wrote to memory of 1600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 3576 wrote to memory of 1600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 3576 wrote to memory of 4060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 3576 wrote to memory of 4060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 3576 wrote to memory of 1412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 3576 wrote to memory of 1412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 3576 wrote to memory of 4220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\nbtstat.exe
PID 3576 wrote to memory of 4220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\nbtstat.exe
PID 3576 wrote to memory of 4868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\nbtstat.exe
PID 3576 wrote to memory of 4868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\nbtstat.exe
PID 3576 wrote to memory of 3860 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3576 wrote to memory of 3860 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\nvrl64.exe

"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\nvrl64.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7678.tmp\7679.tmp\767A.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\nvrl64.exe"

C:\Windows\system32\netsh.exe

NETSH WINSOCK RESET

C:\Windows\system32\netsh.exe

NETSH INT IP RESET

C:\Windows\system32\netsh.exe

NETSH INTERFACE IPV4 RESET

C:\Windows\system32\netsh.exe

NETSH INTERFACE IPV6 RESET

C:\Windows\system32\netsh.exe

NETSH INTERFACE TCP RESET

C:\Windows\system32\netsh.exe

NETSH INT RESET ALL

C:\Windows\system32\ipconfig.exe

IPCONFIG /RELEASE

C:\Windows\system32\ipconfig.exe

IPCONFIG /RELEASE

C:\Windows\system32\ipconfig.exe

IPCONFIG /FLUSHDNS

C:\Windows\system32\nbtstat.exe

NBTSTAT -R

C:\Windows\system32\nbtstat.exe

NBTSTAT -RR

C:\Windows\System32\Wbem\WMIC.exe

WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7678.tmp\7679.tmp\767A.bat

MD5 7933f4bcf196e8ef425998cc9f1a8a91
SHA1 d9a4d1d104425c5e3ccb17581351e5b61d96d69d
SHA256 15bf3321b57e08f6cc80c72e7a1ad54eea4ff27d2faccdd8dd10cc5e4adb26fc
SHA512 52f0e5d0ba1224b9ffa6bbb9d1ef365288304581d536b3187f69396049a6ff1190c4feb2ee303b5bec46e688843956532911a7dd3bb75a9cb785d4fb358010b5

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-26 20:50

Reported

2024-06-26 20:55

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

203s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\tm.exe"

Signatures

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\tm.exe

"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\tm.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\40D2.tmp\40D3.tmp\40D4.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\tm.exe"

C:\Windows\system32\PING.EXE

ping /n 1 localhost

C:\Windows\system32\PING.EXE

ping /n 1 localhost

C:\Windows\system32\PING.EXE

ping /n 1 localhost

C:\Windows\system32\PING.EXE

ping /n 2 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\40D2.tmp\40D3.tmp\40D4.bat

MD5 54d18c0e0a34808017e53029d7875c09
SHA1 bca96014c545bd02f964cc3dd368b5c6ce9f2963
SHA256 6be64439c492ac7d840e56b01ba9691f30fbad8e9b296bfe55d0abbb2edc5fae
SHA512 95712df3c3bb07e561d778b0f95f9ab0a93def2d7111123dff22898565d059b10dc0ca13b1d528ed00ec77c511451d452b033bf8bf40898cb53eb9378f32a6b2

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-26 20:50

Reported

2024-06-26 20:56

Platform

win10v2004-20240611-en

Max time kernel

166s

Max time network

203s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\tcs.exe"

Signatures

Stops running service(s)

evasion execution

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\reg.exe N/A
Delete value \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\reg.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Delete value \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\reg.exe N/A
Delete value \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\reg.exe N/A
Delete value \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\reg.exe N/A
Delete value \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2468 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\tcs.exe C:\Windows\system32\cmd.exe
PID 2468 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\tcs.exe C:\Windows\system32\cmd.exe
PID 1588 wrote to memory of 4624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1588 wrote to memory of 4624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1588 wrote to memory of 1172 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1588 wrote to memory of 1172 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1588 wrote to memory of 2016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1588 wrote to memory of 2016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1588 wrote to memory of 4532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1588 wrote to memory of 4532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1588 wrote to memory of 3380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1588 wrote to memory of 3380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1588 wrote to memory of 4392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1588 wrote to memory of 4392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1588 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1588 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1588 wrote to memory of 4756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1588 wrote to memory of 4756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1588 wrote to memory of 3088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1588 wrote to memory of 3088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1588 wrote to memory of 3176 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1588 wrote to memory of 3176 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1588 wrote to memory of 3108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1588 wrote to memory of 3108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1588 wrote to memory of 1792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1588 wrote to memory of 1792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1588 wrote to memory of 648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1588 wrote to memory of 648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1588 wrote to memory of 4256 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1588 wrote to memory of 4256 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1588 wrote to memory of 2112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1588 wrote to memory of 2112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1588 wrote to memory of 800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1588 wrote to memory of 800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1588 wrote to memory of 4776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1588 wrote to memory of 4776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1588 wrote to memory of 1628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1588 wrote to memory of 1628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1588 wrote to memory of 4612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1588 wrote to memory of 4612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1588 wrote to memory of 4708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1588 wrote to memory of 4708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1588 wrote to memory of 1052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1588 wrote to memory of 1052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1588 wrote to memory of 1724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1588 wrote to memory of 1724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1588 wrote to memory of 2672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1588 wrote to memory of 2672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1588 wrote to memory of 1344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1588 wrote to memory of 1344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1588 wrote to memory of 1580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1588 wrote to memory of 1580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1588 wrote to memory of 676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1588 wrote to memory of 676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1588 wrote to memory of 4252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1588 wrote to memory of 4252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1588 wrote to memory of 208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1588 wrote to memory of 208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1588 wrote to memory of 1408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1588 wrote to memory of 1408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1588 wrote to memory of 2052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1588 wrote to memory of 2052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1588 wrote to memory of 3540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1588 wrote to memory of 3540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\tcs.exe

"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\tcs.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3A3A.tmp\3A4B.tmp\3A4C.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\tcs.exe"

C:\Windows\system32\taskkill.exe

taskkill /f /im epicgameslauncher.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping_BE.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteLauncher.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im OneDrive.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im EpicGamesLauncher.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im UnrealCEFSubProcess.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im CEFProcess.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im EasyAntiCheat.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im BEService.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im BEServices.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im BattleEye.exe

C:\Windows\system32\sc.exe

Sc stop EasyAntiCheat

C:\Windows\system32\sc.exe

Sc stop FortniteClient-Win64-Shipping_EAC

C:\Windows\system32\sc.exe

Sc stop BattleEye

C:\Windows\system32\sc.exe

Sc stop FortniteClient-Win64-Shipping_BE

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping_EAC.exe: B1 8A B0 E9 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\EasyAntiCheat\EasyAntiCheat_Setup.exe: 73 D5 4B 11 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping.exe: E7 CB 84 E9 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"

C:\Windows\system32\reg.exe

reg delete "HKU\.Dreg delete "HKEY_CURRENT_USER\Software\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Description: "Provides integrated security and services for online multiplayer games."" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat\GamesInstalled: "217;"" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Type: 0x00000010" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Start: 0x00000003" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\WOW64: 0x0000014C" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Type: 0x00000010" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Start: 0x00000003" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\WOW64: 0x0000014C" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ObjectName: "LocalSystem"" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Description: "Provides integrated security and services for online multiplayer games. /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f"

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d r23571 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d r11624 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {be2185} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {fefefee6518-4274-14890-10415} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {fefefe4869-3649-6662-14780} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d r7987 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d r14323 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d r3445 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {randomd31774-14153-12867-13851} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {BE7602} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {22847-11408-18915-28806} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {29558-28170-31825-32483} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 14506 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 10706 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 4628 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 8331-28706-24157-21211 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 30015 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {5673-17434-19818-26756} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 24770-3924-8685-8871 /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f

C:\Windows\system32\reg.exe

REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v InstallDate /t REG_SZ /d 31896 /f

C:\Windows\system32\reg.exe

REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v ProductId /t REG_SZ /d 2393 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\System\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 18060 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\System\CurrentControlSet\Control\WMI\Security /v 671a8285-4edb-4cae-99fe-69a15c48c0bc /t REG_SZ /d 2815 /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d TS-eac5684 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d TS-17628 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {eac31295} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {TS-16242-882-29080-23012} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {TS-9530-8502-4918-19343} /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d TS-30441 /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 14683 /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 8049 /f

C:\Windows\system32\reg.exe

reg delete"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WMI\Security\" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSVendor /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSReleaseDate /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemProductName /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemManufacturer /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
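
The command lines above are one batch file's worth of anti-cheat termination, service removal, BAM execution-evidence deletion and hardware-identity rewriting. The following is an added example, not part of the sandbox report or the sample: a small Python classifier that maps each command line to a behaviour label and, for the `bam\State\UserSettings` deletions, decodes the 24-byte value that the author pasted into the key path (the first 8 bytes of a BAM entry are a little-endian FILETIME of the last execution). The category names, the `ANTI_CHEAT_MARKERS` / `IDENTITY_VALUES` lists and the `SAMPLE_CMDLINES` list (copied from the Processes listing above) are assumptions made for this example.

```python
"""Classify the command lines from this detonation and decode BAM timestamps."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: command lines copied from the Processes listing above.
SAMPLE_CMDLINES = [
    r'taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe',
    r'taskkill /f /im OneDrive.exe',
    r'Sc stop EasyAntiCheat',
    r'reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping_EAC.exe: B1 8A B0 E9 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"',
    r'reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f"',
    r'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d r23571 /f',
    r'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {fefefee6518-4274-14890-10415} /f',
    r'reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemManufacturer /f',
    r'reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f',
]

# Substrings (assumed) that mark a killed image as anti-cheat / anti-tamper.
ANTI_CHEAT_MARKERS = ("anticheat", "beservice", "battleye", "_eac", "_be")

# Registry value names (assumed) whose rewrite changes the machine identity.
IDENTITY_VALUES = {
    "computername", "hwprofileguid", "guid", "buildguid", "registeredowner",
    "registeredorganization", "productid", "installdate",
    "computerhardwareid", "lastconfig",
}

BAM_RE = re.compile(
    r"\\Services\\bam\\State\\UserSettings\\(S-1-5-[\d-]+)\\(.+?): ((?:[0-9A-Fa-f]{2} ?){24})"
)
TASKKILL_RE = re.compile(r"^taskkill\b.*?/im\s+(\S+)", re.I)
SC_STOP_RE = re.compile(r"^sc\s+stop\s+(\S+)", re.I)
REG_ADD_RE = re.compile(r"^reg\s+add\b.*?/v\s+(\S+)", re.I)
REG_DEL_RE = re.compile(r'^reg\s*delete\s*"?([^"]+)', re.I)

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def bam_last_run(hexdump: str) -> datetime:
    """Decode a BAM UserSettings value: 24 bytes, little-endian FILETIME first."""
    data = bytes.fromhex(hexdump)          # fromhex() skips the spaces
    if len(data) != 24:
        raise ValueError(f"BAM entry should be 24 bytes, got {len(data)}")
    ticks = int.from_bytes(data[:8], "little")   # 100 ns units since 1601-01-01
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def classify(cmdline: str) -> dict:
    """Map one command line from the process list to a coarse behaviour label."""
    cmd = cmdline.strip()
    if m := TASKKILL_RE.match(cmd):
        image = m.group(1).lower()
        tag = "kill_anticheat" if any(k in image for k in ANTI_CHEAT_MARKERS) else "kill_process"
        return {"category": tag, "target": m.group(1)}
    if m := SC_STOP_RE.match(cmd):
        return {"category": "stop_service", "target": m.group(1)}
    if m := REG_ADD_RE.match(cmd):
        tag = "hwid_spoof" if m.group(1).lower() in IDENTITY_VALUES else "reg_add"
        return {"category": tag, "target": m.group(1)}
    if m := BAM_RE.search(cmd):
        # The value data was pasted into the key path, so it is recoverable here.
        sid, path, blob = m.groups()
        return {"category": "bam_evidence_deletion", "target": path,
                "sid": sid, "last_run": bam_last_run(blob)}
    if m := REG_DEL_RE.match(cmd):
        key = m.group(1)
        low = key.lower()
        if "\\services\\easyanticheat" in low:
            return {"category": "anticheat_service_removal", "target": key}
        if "\\hardware\\description\\system" in low:
            return {"category": "hwid_spoof", "target": key}
        if "epic games" in low or "epicgames" in low:
            return {"category": "game_registry_wipe", "target": key}
        return {"category": "reg_delete", "target": key}
    return {"category": "other", "target": cmd}


def summarize(cmdlines) -> dict:
    """Count behaviour labels over a list of command lines."""
    counts = {}
    for c in cmdlines:
        cat = classify(c)["category"]
        counts[cat] = counts.get(cat, 0) + 1
    return counts


if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        print(classify(c))
    print(summarize(SAMPLE_CMDLINES))
```

Two things the decoded output makes visible: the SID and the BAM timestamps are hard-coded in the batch file, so they describe the machine the script was written on rather than the host it runs on, and a `reg delete` whose key path contains the value data as well as the value name cannot match an existing key, so those three deletions fail while the `HKLM\SYSTEM\...\Services\EasyAntiCheat` and `HKLM\Hardware\Description\System\BIOS` deletions are the ones that actually change state.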

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.203:443 www.bing.com tcp
US 8.8.8.8:53 203.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\3A3A.tmp\3A4B.tmp\3A4C.bat

MD5 873801eea220f0bab74d86c1eaa30361
SHA1 c5c91e41c37e53b94ba899694e95949f1bca07be
SHA256 26a8eede65d9e6a1ab4c450f8dc4be010792c13483380aeb47ef082da8a278b3
SHA512 48a3039c93146af7f1102d5290cde08cb09c0a4d74500cf2df0050d6a68e728c3a2e00961221de05f376c044c0e223a10e2d2cf57a915662a929ba7e9345dc48