diff --git a/config.h b/config.h
index c10ceae3..73ba2efa 100644
--- a/config.h
+++ b/config.h
@@ -27,6 +27,7 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #define SPOOFED_DISK_SIZE	0x10000000000ull // 1TB
 #define RECOVERY_PARTITION_SIZE	0x1f2af000  // Taken from random Win10 install
 
+#define SPOOFED_GPU_RAM_WMI 0xfff00000L // 4293918720; WMI uses lVal (long) so we have an "overflowed" value, 
 #define SPOOFED_GPU_RAM 0x100000000l  // 4GB
 #define SPOOFED_GPU_NAME L"NVIDIA GTX 1650"
 
@@ -35,6 +36,8 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 #define SPOOFED_CPU_CORE_NUM 4
 
+#define SPOOFED_REFRESH_RATE 60
+
 
 struct _g_config {
 	// name of the pipe to communicate with cuckoo
diff --git a/hook_wmi.c b/hook_wmi.c
index f8b7eedf..90cc39c0 100644
--- a/hook_wmi.c
+++ b/hook_wmi.c
@@ -1,5 +1,11 @@
+#include <stdio.h>
 #include "log.h"
 #include "misc.h"
+#include "config.h"
+
+static int g_last_seen_disk_query = 0;
+static int g_last_seen_physicalmemory = 0;
+
 
 HOOKDEF(HRESULT, WINAPI, WMI_Get,
 	PVOID		_this,
@@ -10,7 +16,79 @@ HOOKDEF(HRESULT, WINAPI, WMI_Get,
 	LONG*		plFlavor
 ) {
 	HRESULT ret;
+	lasterror_t lasterror;
+
 	ret = Old_WMI_Get(_this, wszName, lFlags, pVal, pType, plFlavor);
+
+	get_lasterrors(&lasterror);
+	__try {
+		if (!ret && !g_config.no_stealth && pVal && wszName) {
+			if (pVal->vt == VT_BSTR) {
+				if (!wcsicmp(wszName, L"TotalPhysicalMemory")) {
+					unsigned long long actualMemory = wcstoull(pVal->bstrVal, NULL, 10);
+					if (actualMemory < SPOOFED_RAM) {
+						wchar_t wszMemory[16];
+						memset(wszMemory, 0x0, sizeof(wszMemory));
+						swprintf_s(wszMemory, sizeof(wszMemory), L"%llu", SPOOFED_RAM);
+						SysFreeString(pVal->bstrVal);
+						pVal->bstrVal = SysAllocString(wszMemory);
+					}
+				}
+				else if (!wcsicmp(wszName, L"TotalVisibleMemorySize")) {
+					unsigned long long actualMemory = wcstoull(pVal->bstrVal, NULL, 10);
+					// actualMemory is in Kilobytes, our spoofed values are in bytes
+					if (actualMemory < (SPOOFED_RAM / 1024)) {
+						wchar_t wszMemory[16];
+						memset(wszMemory, 0x0, sizeof(wszMemory));
+						swprintf_s(wszMemory, sizeof(wszMemory), L"%llu", (SPOOFED_RAM / 1024));
+						SysFreeString(pVal->bstrVal);
+						pVal->bstrVal = SysAllocString(wszMemory);
+					}
+				}
+				else if (g_last_seen_disk_query && !wcsicmp(wszName, L"Size")) {
+					unsigned long long lSize = wcstoull(pVal->bstrVal, NULL, 10);
+					if (lSize < SPOOFED_DISK_SIZE - RECOVERY_PARTITION_SIZE) {
+						wchar_t newSize[16];
+						memset(newSize, 0x0, sizeof(newSize));
+						swprintf_s(newSize, sizeof(newSize), L"%llu", SPOOFED_DISK_SIZE - RECOVERY_PARTITION_SIZE);
+						SysFreeString(pVal->bstrVal);
+						pVal->bstrVal = SysAllocString(newSize);
+					}
+				}
+				else if (g_last_seen_physicalmemory && !wcsicmp(wszName, L"Capacity")) {
+					unsigned long long actualMemory = wcstoull(pVal->bstrVal, NULL, 10);
+					if (actualMemory < SPOOFED_RAM) {
+						wchar_t wszMemory[16];
+						memset(wszMemory, 0x0, sizeof(wszMemory));
+						swprintf_s(wszMemory, sizeof(wszMemory), L"%llu", SPOOFED_RAM);
+						SysFreeString(pVal->bstrVal);
+						pVal->bstrVal = SysAllocString(wszMemory);
+					}
+				}
+			}
+			else if (pVal->vt == VT_I4) {
+				if (!wcsicmp(wszName, L"NumberOfCores")) {
+					if (pVal->lVal < SPOOFED_CPU_CORE_NUM)
+						pVal->lVal = SPOOFED_CPU_CORE_NUM;
+				}
+				else if (!wcsicmp(wszName, L"AdapterRAM")) {
+					if (pVal->lVal < SPOOFED_GPU_RAM) {
+						pVal->lVal = SPOOFED_GPU_RAM_WMI;
+					}
+				}
+				else if (!wcsicmp(wszName, L"MaxRefreshRate")) {
+					if (pVal->lVal < SPOOFED_REFRESH_RATE) {
+						pVal->lVal = SPOOFED_REFRESH_RATE;
+					}
+				}
+			}
+		}
+	}
+	__except (EXCEPTION_EXECUTE_HANDLER) {
+		;
+	}
+	set_lasterrors(&lasterror);
+
 	LOQ_hresult("system", "un", "Name", wszName, "Value", pVal);
 	return ret;
 }
@@ -24,7 +102,23 @@ HOOKDEF_NOTAIL(WINAPI, WMI_ExecQuery,
 	PVOID*		ppEnum
 ) {
 	HRESULT ret = 0;
-	LOQ_hresult("system", "u", "Query", strQuery);
+
+	// Reset these on new query
+	g_last_seen_disk_query = 0;
+	g_last_seen_physicalmemory = 0;
+
+	if (!ret && !g_config.no_stealth && strQuery) {
+		if (!_wcsnicmp(strQuery, L"SELECT ", 7)) {
+			if (wcsistr(strQuery, L" FROM Win32_LogicalDisk")) {
+				g_last_seen_disk_query = 1;
+				//pipe("INFO:setting g_last_seen_disk_query");
+			}
+			else if (wcsistr(strQuery, L" FROM Win32_PhysicalMemory")) {
+				g_last_seen_physicalmemory = 1;
+			}
+		}
+	}
+	LOQ_hresult("system", "uu", "Query", strQuery, "QueryLanguage", strQueryLanguage);
 	return 0;
 }
 
@@ -66,7 +160,6 @@ HOOKDEF_NOTAIL(WINAPI, WMI_ExecMethodAsync,
 	PVOID		pResponseHandler
 ) {
 	HRESULT ret = 0;
-	LOQ_hresult("system", "uu", "ObjectPath", strObjectPath, "MethodName", strMethodName);
 	return 0;
 }
 
@@ -82,7 +175,7 @@ HOOKDEF_NOTAIL(WINAPI, WMI_GetObject,
 	if (strObjectPath && SysStringLen(strObjectPath) > 0)
 		LOQ_hresult("system", "u", "ObjectPath", strObjectPath);
 	else
-		LOQ_hresult("system", "u", "ObjectPath", L"[NULL or Empty]");
+		LOQ_hresult("system", "u", "ObjectPath", L"");
 	return 0;
 }