33da2dd5c5ef66be92bc9024f58e5b967746ff2f4b693efe68e98df7da6d4c80

Analysis

max time kernel
843s
max time network
847s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/04/2024, 02:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MostWantedValo.bat
Size

3.2MB
MD5

0bef79984a785d284e225d3576239802
SHA1

0a759883c5cd8822f269eca241c4dc8c43d86220
SHA256

33da2dd5c5ef66be92bc9024f58e5b967746ff2f4b693efe68e98df7da6d4c80
SHA512

d5d5aa1e7b3a46af0fd2f94eb5c45c451d3dd3a99debfba1fcda4f704dd3bb54d15fe7d4cda84fa5ca049a81115de73a583aa32da35db862ff6f00799f7700ad
SSDEEP

49152:ZTOB4ynYygOvXsMruROZyUpWvWOLZkOReK:1

Score

8^/10

evasion persistence spyware stealer

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Winmgmt\Parameters\ServiceDll = "%SystemRoot%\\system32\\wbem\\WMIsvc.dll"	regsvr32.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Deletes itself 1 IoCs

pid	Process
2892	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AAEAE72F-0328-4763-8ECB-23422EDE2DB5}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69D76D1B-B12E-4913-8F48-671B90195A2B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{47DFBE54-CF76-11D3-B38F-00105A1F473A}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5F75737-2843-4F22-933D-C76A97CDA62F}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C4819C8D-9AB8-4B2F-B8AE-C77DABF553D5}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{AA527A40-4D9A-11D2-93AD-00805F853771}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C71566F2-561E-11D1-AD87-00C04FD8FDFF}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4CFC7932-0F9D-4BEF-9C32-8EA2A6B56FCB}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCF7A6F2-3300-4386-9A4F-0DD4E3226507}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FB1D98A-F895-4761-8DC2-774969C84D10}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6515834D-6125-4878-A3A3-6B0A73B809A2}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4590F812-1D3A-11D0-891F-00AA004B2E24}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA2AF3B4-C15E-412B-B453-557746675FB7}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7C3453E-1F1C-48CD-AFE6-CFF2A937D337}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B0A2AB46-F612-4469-BEC4-7AB038BC476C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{D7C3453E-1F1C-48CD-AFE6-CFF2A937D337}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D1C559D-84F0-4BB3-A7D5-56A7435A9BA6}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6DAF9757-2E37-11D2-AEC9-00C04FB68820}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1EF94880-01A8-11D2-A90B-00AA00BF3363}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD1ABFC8-6C5E-4A8D-B90B-2A3B153B886D}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1B9E04A-3226-11D2-883E-00104B2AFB46}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266C72D4-62E8-11D1-AD89-00C04FD8FDFF}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC9072AB-C000-49D8-A5AA-00266C8DBB9B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C0AA9D93-2EF5-47FB-960C-F90FC644B48E}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F72CC7A-74A0-45B4-909C-14FB8186DD7E}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F598975-37E0-4A67-A992-116680F0CEDA}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{35B78F79-B973-48C8-A045-CAEC732A35D5}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F55C5B4C-517D-11D1-AB57-00C04FD9159E}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AA527A40-4D9A-11D2-93AD-00805F853771}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6543D242-A80B-44A3-B828-95C1EC452423}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7016F8FA-CCDA-11D2-B35C-00105A1F8177}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7A3A54B-0250-11D3-9CD1-00105A1F4801}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C2FEEEAC-CFCD-11D1-8B05-00600806D9B6}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D31B6A3F-9350-40DE-A3FC-A7EDEB9B7C63}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1860E246-E924-4F73-B2C5-93E0577E3AA1}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{29B5828C-CAB9-11D2-B35C-00105A1F8177}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9A653086-174F-11D2-B5F9-00104B703EFD}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{04788120-12C2-498D-83C1-A7D92E677AC6}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5C659258-E236-11D2-8899-00104B2AFB46}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CB8555CC-9128-11D1-AD9B-00C04FD8FDFF}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3DD82D10-E6F1-11D2-B139-00105A1F77A1}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72967901-68EC-11D0-B729-00AA0062CBB7}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D269BF5C-D9C1-11D3-B38F-00105A1F473A}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A83EF168-CA8D-11D2-B33D-00104BCC4B4A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7998DC37-D3FE-487C-A60A-7701FCC70CC6}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5A55D36-8750-432C-AB52-AD49A016EABC}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6E78DAD9-E187-4D6E-BA63-760256D6F405}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EAC8A024-21E2-4523-AD73-A71A0AA2F56A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C10B4771-4DA0-11D2-A2F5-00C04F86FB7D}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD184336-9128-11D1-AD9B-00C04FD8FDFF}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{443E7B79-DE31-11D2-B340-00104BCC4B4A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EB87E1BD-3233-11D2-AEC9-00C04FB68820}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6c19be35-7500-11d1-ad94-00c04fd8fdff}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4FA18276-912A-11D1-AD9B-00C04FD8FDFF}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{75718C9A-F029-11D1-A1AC-00C04FB6C223}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE9AF5C0-D3B6-11CE-A5B6-00AA00680C3F}\InprocServer32	regsvr32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\AutoRecover\9C1784EBA4E907589027FCF72DE4C0AD.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\82DFEA0FE38074528C86FA0695FC7E37.mof	Process not Found
File opened for modification	C:\Windows\system32\wbem\AutoRecover\3855849167EAA03A99F4C8450E15A6ED.mof	Process not Found
File created	C:\Windows\system32\wbem\AutoRecover\D97D08E4902AC1BCF40C06435990ED69.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\56857584222F604FDFB3EB0C04DA4246.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\978CE61ED49FE4F36BF5A835F9F5B563.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\2B0A07CC560B291DBD579BC5CD8D20BA.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\8248F723BBFE53441DB78BB98E9C7B04.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\9CFE6E9E20D61400007C08E31ED048B4.mof	Process not Found
File created	C:\Windows\system32\wbem\AutoRecover\B1A709BF655608E6EFD0707BEA478991.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\3A1020E8B8CF607A2CC6B345012C93D1.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\87C86511443668F38592F54BEFB3DA96.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\088F2BF65584EEA866644BC7F977EFF8.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\A46C038124134B1482949A1DF8ABB385.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\B7133C48CF1507759D1561876C9BA27B.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\C890A36E670146004F5FA6D96F4C069C.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\17B04973224F5610A4558210ADCA877F.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\E88C42B8DAE8ABBE8FB29581D226480B.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\757EF08C070F50BC23B54AA4F3126FF7.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\50B5B38557DC642A4BC7282A0C8C4AA2.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\A9325A7FC13EE1821F6BC28637472FC3.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\003C035D5DF96A71E0AA9B22DA3E730B.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\1E50D6323FD92D3DDCD8B52937074C9C.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\DF8BF6B131E93D11C67D810B1AAE1BC3.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\344FC63DB23C44805CA5C08EAC26522F.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\FB78554F9623FFCFAF8517D1382A1AE6.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\62A9C7ABD6008F339A20C2B2F0521227.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\B69C9377BABDC5D110ED1D9B4130880F.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\8BDE235F11AF9276AB26638F45341094.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\9B0C875B0F6F2F48FB2B5C587F50979C.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\4038C24E98832DDA1FC820EA1F96DD0E.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\1753193BD187ED10233F6F3065CE44CB.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\6F2F026E4006B8443E4D6AD8DC43B8EF.mof	Process not Found
File opened for modification	C:\Windows\system32\wbem\AutoRecover\AFE689599143A3C959EC6ED84C5AE1F9.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.h	regsvr32.exe
File created	C:\Windows\system32\wbem\AutoRecover\EFA4D91D0B8F053F62013A71D9F8DBE7.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\9B7D02F674ABC6489BF397CE96B22FBB.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\F920E83E4677DE19916C341DEFAEEE0D.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\9E7E2108FC801DEB5855A410A211B4F8.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\94D3468248838C60F808E50FC66A40D0.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\C3A0BE17B37ACE48BE78B31580231AE9.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\AFDA9D2CA693B44A2C46D80A3E311ACD.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\847605D736F712AA25257842E4A53844.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\647E7970BD0F5F9E661068CA6CA7F397.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\6E92F62B47DC286C3A4CD99736F014B4.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\D911EF9E5112E7DA316F0A12476F1ACA.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\87AA2A001CE3E89926688B93E4DC2992.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\FE7DD380036BD93A59C38786492E170F.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\70121DE772621FEB6480A1C9A3475D5A.mof	Process not Found
File created	C:\Windows\system32\wbem\AutoRecover\2CFB5B149FA396D1AEA5F89B1C5A8D81.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\B45E4C2476C7389C4EB149E43AC63A37.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\2F489D7FA7D9E6DB92E49A769F2A3340.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\33B9B81C996ACC2B2000070519028F72.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\A87FD967E816CB9C37F3DDD9D2D5C42A.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\C5E5CB06F45AEA0FE31FFD0A0F94194E.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\0EBA1F7B891BD5FE808E91F1D5467AFE.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\D256B700C202A9389F73688CDED83B7E.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\D8E240512D930490BEBE431239A91AEE.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\20916DA71EC75FCC409872C3207D9C60.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\PerfStringBackup.INI	regsvr32.exe
File created	C:\Windows\system32\wbem\AutoRecover\29C22FE2A8CE853EAE5D8D38B54BFC6C.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\AAF140C6145276A70AAC483F6F121329.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\D0970F055BBA0661C7AC91B7E8C24CA3.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\D8A32838B23AD6809B3B7858DA93D26B.mof	Process not Found

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.h	regsvr32.exe
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.h	regsvr32.exe
File created	C:\Windows\inf\WmiApRpl\0009\WmiApRpl.ini	regsvr32.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
880	sc.exe
568	sc.exe
2864	sc.exe
1372	sc.exe
1364	sc.exe
1072	sc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Process not Found
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	Process not Found

Kills process with taskkill 13 IoCs

evasion

pid	Process
2740	taskkill.exe
2868	taskkill.exe
2268	taskkill.exe
2796	taskkill.exe
2604	taskkill.exe
2660	taskkill.exe
2680	taskkill.exe
2396	taskkill.exe
548	taskkill.exe
2628	taskkill.exe
2524	taskkill.exe
644	taskkill.exe
2608	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E246107B-B06E-11D0-AD61-00C04FD8FDFF}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6B100E1A-1385-4D1F-A02E-6E705A76BB6C}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{FA77A74E-E109-11D0-AD6E-00C04FD8FDFF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5C65924B-E236-11D2-8899-00104B2AFB46}\1.0\0\win64	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{755F9DA6-7508-11D1-AD94-00C04FD8FDFF}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemLocator\ = "WBEM Scripting Locator"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WbemScripting.SWbemObjectPath	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D269BF5C-D9C1-11D3-B38F-00105A1F473A}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{755F9DA6-7508-11D1-AD94-00C04FD8FDFF}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC9072AB-C000-49D8-A5AA-00266C8DBB9B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{72967901-68EC-11D0-B729-00AA0062CBB7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{854D745C-6742-42C0-8BB9-01EC466B6E87}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E245105B-B06E-11D0-AD61-00C04FD8FDFF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266C72D4-62E8-11D1-AD89-00C04FD8FDFF}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{484E3ECE-1F81-4591-B9D4-943BA13B609D}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{75718C9A-F029-11D1-A1AC-00C04FB6C223}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2DB9FA90-9973-46CF-B310-9865B644699D}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E8107BDF-BAAF-4C7C-BB5F-9D732E8D8F07}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NCProv.NCProvider\ = "NCProvider Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WINMGMTS.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6963B029-B969-40AA-9180-2B2F84075973}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C19BE32-7500-11D1-AD94-00C04FD8FDFF}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1B9E04A-3226-11D2-883E-00104B2AFB46}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A1B9E03C-3226-11D2-883E-00104B2AFB46}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemSink\CurVer\ = "WbemScripting.SWbemSink.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72970BEB-81F8-46D4-B220-D743F4E49C95}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41AA40E6-2FBA-4E80-ADE9-34306567206D}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5791BC26-CE9C-11D1-97BF-0000F81E849C}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemRefresher.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F0E4EDDE-475A-498A-93D7-D4347F68A8F3}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5A55D36-8750-432C-AB52-AD49A016EABC}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A1B9E03C-3226-11D2-883E-00104B2AFB46}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5D08B586-343A-11D0-AD46-00C04FD8FDFF}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60E512D4-C47B-11D2-B338-00105A1F4AAF}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1BE41571-91DD-11D1-AEB2-00C04FB68820}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{631F7D97-D993-11D2-B339-00105A1F4AAF}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4CFC7932-0F9D-4BEF-9C32-8EA2A6B56FCB}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JobObjSecLimitInfoProv.JobObjSecLimitInfoProv\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JobObjSecLimitInfoProv.JobObjSecLimitInfoProv.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMISnapinAbout.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemLocator.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemRefresher.1\ = "WBEM Scripting Refresher 1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2DB9FA90-9973-46CF-B310-9865B644699D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D269BF5C-D9C1-11D3-B38F-00105A1F473A}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B60EF4F1-A411-462B-B51E-477CBDBB90B4}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\interface	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCF7A6F2-3300-4386-9A4F-0DD4E3226507}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6B100E1A-1385-4D1F-A02E-6E705A76BB6C}\1.0\0\win64	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SDSnapinAbout.1\ = "SDSnapin Description"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemLastError.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AB40A5C1-804B-40BD-9DFE-A640691C6956}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\interface\{E246107B-B06E-11D0-AD61-00C04FD8FDFF}\ProxyStubCLSID32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{37196B39-CCCF-11D2-B35C-00105A1F8177}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F55C5B4C-517D-11D1-AB57-00C04FD9159E}	regsvr32.exe

Modifies registry key 1 TTPs 29 IoCs

Modify Registry

T1112

pid	Process
1752	Process not Found
1900	Process not Found
2556	Process not Found
2844	Process not Found
1848	Process not Found
1996	Process not Found
912	Process not Found
2920	Process not Found
1060	Process not Found
692	Process not Found
308	Process not Found
948	Process not Found
2064	Process not Found
2592	Process not Found
1684	Process not Found
2352	Process not Found
2072	Process not Found
2448	Process not Found
1836	Process not Found
784	Process not Found
844	Process not Found
2000	Process not Found
1716	Process not Found
1564	Process not Found
2192	Process not Found
2004	Process not Found
676	Process not Found
2008	Process not Found
2196	Process not Found

Runs net.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 48 IoCs

pid	Process
2768	regsvr32.exe
2040	regsvr32.exe
2756	regsvr32.exe
2332	regsvr32.exe
1656	regsvr32.exe
1968	regsvr32.exe
1840	regsvr32.exe
1932	regsvr32.exe
1104	regsvr32.exe
1800	regsvr32.exe
1976	regsvr32.exe
864	regsvr32.exe
1224	regsvr32.exe
1980	regsvr32.exe
1536	regsvr32.exe
2200	regsvr32.exe
1920	regsvr32.exe
2036	regsvr32.exe
2164	regsvr32.exe
1088	regsvr32.exe
1124	regsvr32.exe
2692	regsvr32.exe
1972	regsvr32.exe
1784	regsvr32.exe
2544	regsvr32.exe
1344	regsvr32.exe
2240	regsvr32.exe
2908	regsvr32.exe
956	regsvr32.exe
764	regsvr32.exe
952	regsvr32.exe
2852	regsvr32.exe
3000	regsvr32.exe
368	regsvr32.exe
2444	regsvr32.exe
3060	regsvr32.exe
2424	regsvr32.exe
1900	regsvr32.exe
904	regsvr32.exe
1752	regsvr32.exe
1940	regsvr32.exe
960	regsvr32.exe
2328	regsvr32.exe
1728	regsvr32.exe
2192	regsvr32.exe
2784	regsvr32.exe
1580	regsvr32.exe
1600	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2680	taskkill.exe
Token: SeDebugPrivilege	2608	taskkill.exe
Token: SeDebugPrivilege	2796	taskkill.exe
Token: SeDebugPrivilege	2524	taskkill.exe
Token: SeDebugPrivilege	2604	taskkill.exe
Token: SeDebugPrivilege	2740	taskkill.exe
Token: SeDebugPrivilege	2628	taskkill.exe
Token: SeDebugPrivilege	2660	taskkill.exe
Token: SeDebugPrivilege	2396	taskkill.exe
Token: SeDebugPrivilege	2868	taskkill.exe
Token: SeDebugPrivilege	2268	taskkill.exe
Token: SeDebugPrivilege	548	taskkill.exe
Token: SeDebugPrivilege	644	taskkill.exe
Token: SeSecurityPrivilege	2672	mofcomp.exe
Token: SeSecurityPrivilege	2376	mofcomp.exe
Token: SeSecurityPrivilege	3040	mofcomp.exe
Token: SeSecurityPrivilege	2880	mofcomp.exe
Token: SeSecurityPrivilege	968	mofcomp.exe
Token: SeSecurityPrivilege	1364	mofcomp.exe
Token: SeSecurityPrivilege	1220	mofcomp.exe
Token: SeSecurityPrivilege	2712	mofcomp.exe
Token: SeSecurityPrivilege	2508	mofcomp.exe
Token: SeSecurityPrivilege	2840	mofcomp.exe
Token: SeSecurityPrivilege	2760	mofcomp.exe
Token: SeSecurityPrivilege	1968	mofcomp.exe
Token: SeSecurityPrivilege	864	mofcomp.exe
Token: SeSecurityPrivilege	1128	mofcomp.exe
Token: SeSecurityPrivilege	1972	mofcomp.exe
Token: SeSecurityPrivilege	2908	mofcomp.exe
Token: SeSecurityPrivilege	1760	mofcomp.exe
Token: SeSecurityPrivilege	2276	mofcomp.exe
Token: SeSecurityPrivilege	1708	mofcomp.exe
Token: SeSecurityPrivilege	476	mofcomp.exe
Token: SeSecurityPrivilege	676	mofcomp.exe
Token: SeSecurityPrivilege	436	mofcomp.exe
Token: SeSecurityPrivilege	1112	mofcomp.exe
Token: SeSecurityPrivilege	1552	mofcomp.exe
Token: SeSecurityPrivilege	2284	mofcomp.exe
Token: SeSecurityPrivilege	908	mofcomp.exe
Token: SeSecurityPrivilege	564	mofcomp.exe
Token: SeSecurityPrivilege	2084	mofcomp.exe
Token: SeSecurityPrivilege	832	mofcomp.exe
Token: SeSecurityPrivilege	1952	mofcomp.exe
Token: SeSecurityPrivilege	1648	mofcomp.exe
Token: SeSecurityPrivilege	1908	mofcomp.exe
Token: SeSecurityPrivilege	1596	mofcomp.exe
Token: SeSecurityPrivilege	2112	mofcomp.exe
Token: SeSecurityPrivilege	2488	mofcomp.exe
Token: SeSecurityPrivilege	2796	mofcomp.exe
Token: SeSecurityPrivilege	2428	mofcomp.exe
Token: SeSecurityPrivilege	2872	mofcomp.exe
Token: SeSecurityPrivilege	1644	mofcomp.exe
Token: SeSecurityPrivilege	1188	mofcomp.exe
Token: SeSecurityPrivilege	1832	mofcomp.exe
Token: SeSecurityPrivilege	2700	mofcomp.exe
Token: SeSecurityPrivilege	1412	mofcomp.exe
Token: SeSecurityPrivilege	1164	mofcomp.exe
Token: SeSecurityPrivilege	2260	mofcomp.exe
Token: SeSecurityPrivilege	2040	mofcomp.exe
Token: SeSecurityPrivilege	2340	mofcomp.exe
Token: SeSecurityPrivilege	2320	mofcomp.exe
Token: SeSecurityPrivilege	2432	mofcomp.exe
Token: SeSecurityPrivilege	948	mofcomp.exe
Token: SeSecurityPrivilege	940	mofcomp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2224	2892	cmd.exe	29
PID 2892 wrote to memory of 2224	2892	cmd.exe	29
PID 2892 wrote to memory of 2224	2892	cmd.exe	29
PID 2892 wrote to memory of 2680	2892	cmd.exe	30
PID 2892 wrote to memory of 2680	2892	cmd.exe	30
PID 2892 wrote to memory of 2680	2892	cmd.exe	30
PID 2892 wrote to memory of 2608	2892	cmd.exe	32
PID 2892 wrote to memory of 2608	2892	cmd.exe	32
PID 2892 wrote to memory of 2608	2892	cmd.exe	32
PID 2892 wrote to memory of 2796	2892	cmd.exe	33
PID 2892 wrote to memory of 2796	2892	cmd.exe	33
PID 2892 wrote to memory of 2796	2892	cmd.exe	33
PID 2892 wrote to memory of 2524	2892	cmd.exe	34
PID 2892 wrote to memory of 2524	2892	cmd.exe	34
PID 2892 wrote to memory of 2524	2892	cmd.exe	34
PID 2892 wrote to memory of 2604	2892	cmd.exe	35
PID 2892 wrote to memory of 2604	2892	cmd.exe	35
PID 2892 wrote to memory of 2604	2892	cmd.exe	35
PID 2892 wrote to memory of 2740	2892	cmd.exe	36
PID 2892 wrote to memory of 2740	2892	cmd.exe	36
PID 2892 wrote to memory of 2740	2892	cmd.exe	36
PID 2892 wrote to memory of 2628	2892	cmd.exe	37
PID 2892 wrote to memory of 2628	2892	cmd.exe	37
PID 2892 wrote to memory of 2628	2892	cmd.exe	37
PID 2892 wrote to memory of 2660	2892	cmd.exe	38
PID 2892 wrote to memory of 2660	2892	cmd.exe	38
PID 2892 wrote to memory of 2660	2892	cmd.exe	38
PID 2892 wrote to memory of 2396	2892	cmd.exe	39
PID 2892 wrote to memory of 2396	2892	cmd.exe	39
PID 2892 wrote to memory of 2396	2892	cmd.exe	39
PID 2892 wrote to memory of 2868	2892	cmd.exe	40
PID 2892 wrote to memory of 2868	2892	cmd.exe	40
PID 2892 wrote to memory of 2868	2892	cmd.exe	40
PID 2892 wrote to memory of 2268	2892	cmd.exe	41
PID 2892 wrote to memory of 2268	2892	cmd.exe	41
PID 2892 wrote to memory of 2268	2892	cmd.exe	41
PID 2892 wrote to memory of 548	2892	cmd.exe	42
PID 2892 wrote to memory of 548	2892	cmd.exe	42
PID 2892 wrote to memory of 548	2892	cmd.exe	42
PID 2892 wrote to memory of 644	2892	cmd.exe	43
PID 2892 wrote to memory of 644	2892	cmd.exe	43
PID 2892 wrote to memory of 644	2892	cmd.exe	43
PID 2892 wrote to memory of 1372	2892	cmd.exe	44
PID 2892 wrote to memory of 1372	2892	cmd.exe	44
PID 2892 wrote to memory of 1372	2892	cmd.exe	44
PID 2892 wrote to memory of 1364	2892	cmd.exe	45
PID 2892 wrote to memory of 1364	2892	cmd.exe	45
PID 2892 wrote to memory of 1364	2892	cmd.exe	45
PID 2892 wrote to memory of 1072	2892	cmd.exe	46
PID 2892 wrote to memory of 1072	2892	cmd.exe	46
PID 2892 wrote to memory of 1072	2892	cmd.exe	46
PID 2892 wrote to memory of 880	2892	cmd.exe	47
PID 2892 wrote to memory of 880	2892	cmd.exe	47
PID 2892 wrote to memory of 880	2892	cmd.exe	47
PID 2892 wrote to memory of 568	2892	cmd.exe	48
PID 2892 wrote to memory of 568	2892	cmd.exe	48
PID 2892 wrote to memory of 568	2892	cmd.exe	48
PID 2892 wrote to memory of 1476	2892	cmd.exe	49
PID 2892 wrote to memory of 1476	2892	cmd.exe	49
PID 2892 wrote to memory of 1476	2892	cmd.exe	49
PID 1476 wrote to memory of 2572	1476	net.exe	50
PID 1476 wrote to memory of 2572	1476	net.exe	50
PID 1476 wrote to memory of 2572	1476	net.exe	50
PID 2892 wrote to memory of 2752	2892	cmd.exe	51

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\MostWantedValo.bat"
1⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:2224
- C:\Windows\system32\taskkill.exe
  taskkill /f /im epicgameslauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- C:\Windows\system32\taskkill.exe
  taskkill /f /im OneDrive.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EpicGamesLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- C:\Windows\system32\taskkill.exe
  taskkill /f /im UnrealCEFSubProcess.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2660
- C:\Windows\system32\taskkill.exe
  taskkill /f /im CEFProcess.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EasyAntiCheat.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2868
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEService.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2268
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEServices.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:548
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BattleEye.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:644
- C:\Windows\system32\sc.exe
  Sc stop EasyAntiCheat
  2⤵
  - Launches sc.exe
  PID:1372
- C:\Windows\system32\sc.exe
  Sc stop FortniteClient-Win64-Shipping_EAC
  2⤵
  - Launches sc.exe
  PID:1364
- C:\Windows\system32\sc.exe
  Sc stop BattleEye
  2⤵
  - Launches sc.exe
  PID:1072
- C:\Windows\system32\sc.exe
  Sc stop FortniteClient-Win64-Shipping_BE
  2⤵
  - Launches sc.exe
  PID:880
- C:\Windows\system32\sc.exe
  sc config winmgmt start= disabled
  2⤵
  - Launches sc.exe
  PID:568
- C:\Windows\system32\net.exe
  net stop winmgmt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop winmgmt /y
    3⤵
    PID:2572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b *.dll
  2⤵
  PID:2752
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s cimwin32.dll
  2⤵
  - Registers COM server for autorun
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2768
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s dsprov.dll
  2⤵
  - Registers COM server for autorun
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2040
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s esscli.dll
  2⤵
  - Registers COM server for autorun
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2756
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s fastprox.dll
  2⤵
  - Registers COM server for autorun
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2332
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s KrnlProv.dll
  2⤵
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1656
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s MMFUtil.dll
  2⤵
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1968
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s mofd.dll
  2⤵
  - Registers COM server for autorun
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1840
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s mofinstall.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1932
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s msiprov.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1104
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s NCProv.dll
  2⤵
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1800
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s ntevt.dll
  2⤵
  - Registers COM server for autorun
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1976
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s PolicMan.dll
  2⤵
  - Registers COM server for autorun
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:864
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s RacWmiProv.dll
  2⤵
  - Registers COM server for autorun
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1224
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s repdrvfs.dll
  2⤵
  - Registers COM server for autorun
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1980
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s ServDeps.dll
  2⤵
  - Registers COM server for autorun
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1536
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s SMTPCons.dll
  2⤵
  - Registers COM server for autorun
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2200
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s stdprov.dll
  2⤵
  - Registers COM server for autorun
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1920
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s vdswmi.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2036
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s viewprov.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2164
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s vsswmi.dll
  2⤵
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1088
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemcntl.dll
  2⤵
  - Registers COM server for autorun
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1124
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemcons.dll
  2⤵
  - Registers COM server for autorun
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2692
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemcore.dll
  2⤵
  - Registers COM server for autorun
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1972
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemdisp.dll
  2⤵
  - Registers COM server for autorun
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1784
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemess.dll
  2⤵
  - Registers COM server for autorun
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2544
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemprox.dll
  2⤵
  - Registers COM server for autorun
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1344
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemsvc.dll
  2⤵
  - Registers COM server for autorun
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2240
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s Win32_EncryptableVolume.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2908
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s Win32_Tpm.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:956
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WinMgmtR.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:764
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WmiApRes.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:952
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WmiApRpl.dll
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2852
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WMICOOKR.dll
  2⤵
  - Registers COM server for autorun
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:3000
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WmiDcPrv.dll
  2⤵
  - Registers COM server for autorun
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:368
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wmipcima.dll
  2⤵
  - Registers COM server for autorun
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2444
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wmipdfs.dll
  2⤵
  - Registers COM server for autorun
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:3060
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wmipdskq.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2424
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WmiPerfClass.dll
  2⤵
  - Registers COM server for autorun
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1900
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WmiPerfInst.dll
  2⤵
  - Registers COM server for autorun
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:904
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WMIPICMP.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1752
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WMIPIPRT.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1940
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WMIPJOBJ.dll
  2⤵
  - Registers COM server for autorun
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:960
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wmiprov.dll
  2⤵
  - Registers COM server for autorun
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2328
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WmiPrvSD.dll
  2⤵
  - Registers COM server for autorun
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1728
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WMIPSESS.dll
  2⤵
  - Registers COM server for autorun
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2192
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WMIsvc.dll
  2⤵
  - Sets DLL path for service in the registry
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2784
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wmitimep.dll
  2⤵
  - Registers COM server for autorun
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1580
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wmiutils.dll
  2⤵
  - Registers COM server for autorun
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1600
- C:\Windows\System32\wbem\WmiPrvSE.exe
  wmiprvse /regserver
  2⤵
  PID:2112
- C:\Windows\System32\wbem\WinMgmt.exe
  winmgmt /regserver
  2⤵
  PID:2456
- C:\Windows\system32\sc.exe
  sc config winmgmt start= auto
  2⤵
  - Launches sc.exe
  PID:2864
- C:\Windows\system32\net.exe
  net start winmgmt
  2⤵
  PID:2680
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start winmgmt
    3⤵
    PID:2488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /s /b *.mof *.mfl
  2⤵
  PID:2808
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\aaclient.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2672
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AuditRsop.mof
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2376
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\authfwcfg.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\auxiliarydisplayapi.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2880
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\auxiliarydisplaycpl.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:968
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\auxiliarydisplaydriverlib.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1364
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\auxiliarydisplayservices.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1220
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\bcd.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\BthMtpEnum.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2508
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\cimdmtf.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\cimwin32.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\cli.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\cliegaliases.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:864
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\DevicePairingHandler.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1128
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\dimsjob.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\dimsroam.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2908
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\dot3.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1760
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\drvinst.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2276
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\DShowRdpFilter.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1708
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\dsprov.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:476
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\eaimeapi.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:676
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fdPHost.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:436
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fdrespub.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1112
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fdSSDP.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1552
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fdWNet.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2284
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fdWSD.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:908
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\filetrace.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:564
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\firewallapi.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\FunDisc.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:832
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fwcfg.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1952
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\hbaapi.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\hnetcfg.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1908
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\IMAPIv2-Base.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\IMAPIv2-FileSystemSupport.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2112
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\IMAPIv2-LegacyShim.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2488
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\interop.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\IPBusEnum.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2428
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ipsecsvc.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\irda.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\irmon.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1188
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\iscsidsc.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1832
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\iscsihba.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\iscsiprf.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1412
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\iscsirem.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\kerberos.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2260
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\krnlprov.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2040
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\l2gpstore.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2340
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\L2SecHC.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\lltdio.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\lltdsvc.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:948
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\lsasrv.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:940
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mblctr.mof
  2⤵
  PID:2136
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Microsoft-Windows-OfflineFiles.mof
  2⤵
  PID:1732
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Microsoft-Windows-Remote-FileSystem.mof
  2⤵
  PID:2312
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mmc.mof
  2⤵
  PID:2280
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mountmgr.mof
  2⤵
  PID:476
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mpsdrv.mof
  2⤵
  PID:676
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mpssvc.mof
  2⤵
  PID:1248
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\msfeeds.mof
  2⤵
  PID:1620
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\msfeedsbs.mof
  2⤵
  PID:1988
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\msi.mof
  2⤵
  PID:784
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\msiscsi.mof
  2⤵
  PID:1524
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mstsc.mof
  2⤵
  PID:1764
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mstscax.mof
  2⤵
  PID:2852
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\msv1_0.mof
  2⤵
  PID:368
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mswmdm.mof
  2⤵
  PID:892
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NAPCLIENTPROV.MOF
  2⤵
  PID:2328
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NAPCLIENTSCHEMA.MOF
  2⤵
  PID:1600
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\nci.mof
  2⤵
  PID:2616
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ncprov.mof
  2⤵
  PID:2680
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ncsi.mof
  2⤵
  PID:2360
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ndistrace.mof
  2⤵
  PID:2984
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\netprofm.mof
  2⤵
  PID:2868
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\networkitemfactory.mof
  2⤵
  PID:1472
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\networkmap.mof
  2⤵
  PID:644
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\newdev.mof
  2⤵
  PID:1364
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\nlasvc.mof
  2⤵
  PID:2492
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\nlsvc.mof
  2⤵
  PID:520
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\nshipsec.mof
  2⤵
  PID:1956
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ntevt.mof
  2⤵
  PID:1664
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ntfs.mof
  2⤵
  PID:1104
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\OfflineFilesWmiProvider.mof
  2⤵
  PID:2200
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\OfflineFilesWmiProvider_Uninstall.mof
  2⤵
  PID:1980
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\onex.mof
  2⤵
  PID:1440
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\p2p-collab.mof
  2⤵
  PID:1768
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\p2p-crp.mof
  2⤵
  PID:1532
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\p2p-mesh.mof
  2⤵
  PID:1836
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\p2p-pnrp.mof
  2⤵
  PID:2812
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\partmgr.mof
  2⤵
  PID:2820
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\pnpsetup.mof
  2⤵
  PID:3036
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\PNPXAssoc.mof
  2⤵
  PID:1712
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\PolicMan.mof
  2⤵
  - Drops file in System32 directory
  PID:436
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\polproc.mof
  2⤵
  PID:1808
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\polprocl.mof
  2⤵
  PID:2016
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\polprou.mof
  2⤵
  PID:2020
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\polstore.mof
  2⤵
  PID:1640
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\portabledeviceapi.mof
  2⤵
  PID:2916
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\portabledeviceclassextension.mof
  2⤵
  PID:896
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\portabledeviceconnectapi.mof
  2⤵
  PID:2056
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\portabledevicetypes.mof
  2⤵
  PID:2652
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\portabledevicewiacompat.mof
  2⤵
  PID:368
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\portabledevicewmdrm.mof
  2⤵
  PID:892
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\powermeterprovider.mof
  2⤵
  PID:2264
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\powerpolicyprovider.mof
  2⤵
  PID:2784
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ppcRsopCompSchema.mof
  2⤵
  PID:2948
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ppcRsopUserSchema.mof
  2⤵
  PID:2964
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\PrintFilterPipelineSvc.mof
  2⤵
  PID:2360
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\profileassociationprovider.mof
  2⤵
  PID:2324
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\qmgr.mof
  2⤵
  PID:968
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\RacWmiProv.mof
  2⤵
  PID:1068
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\rdpcore.mof
  2⤵
  PID:2704
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\rdpencom.mof
  2⤵
  PID:2736
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\rdpendp.mof
  2⤵
  PID:1412
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\rdpinit.mof
  2⤵
  PID:2332
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\rdpshell.mof
  2⤵
  - Drops file in System32 directory
  PID:1840
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\regevent.mof
  2⤵
  PID:1912
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\rsop.mof
  2⤵
  - Drops file in System32 directory
  PID:1224
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\rspndr.mof
  2⤵
  PID:1920
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\samsrv.mof
  2⤵
  PID:2432
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\scersop.mof
  2⤵
  PID:2544
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\schannel.mof
  2⤵
  PID:956
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\SchedSvc.mof
  2⤵
  PID:324
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\scm.mof
  2⤵
  PID:964
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\scrcons.mof
  2⤵
  PID:2152
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\sdbus.mof
  2⤵
  PID:476
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\secrcw32.mof
  2⤵
  PID:800
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\SensorsClassExtension.mof
  2⤵
  PID:2452
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\sensorscpl.mof
  2⤵
  PID:1624
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ServiceModel.mof
  2⤵
  PID:696
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ServiceModel35.mof
  2⤵
  PID:1736
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\services.mof
  2⤵
  PID:2220
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\setupapi.mof
  2⤵
  PID:1844
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\smtpcons.mof
  2⤵
  PID:3012
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\sppwmi.mof
  2⤵
  PID:2652
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\sr.mof
  2⤵
  PID:2900
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ssdpsrv.mof
  2⤵
  PID:2456
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\sstpsvc.mof
  2⤵
  PID:2488
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\stortrace.mof
  2⤵
  PID:2620
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\subscrpt.mof
  2⤵
  PID:2876
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\system.mof
  2⤵
  PID:3040
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\tcpip.mof
  2⤵
  PID:2364
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\tsallow.mof
  2⤵
  PID:1384
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\tscfgwmi.mof
  2⤵
  PID:2696
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\tsmf.mof
  2⤵
  PID:2492
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\tspkg.mof
  2⤵
  PID:2712
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\umb.mof
  2⤵
  PID:1380
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\umbus.mof
  2⤵
  PID:2508
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\umpass.mof
  2⤵
  PID:2756
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\umpnpmgr.mof
  2⤵
  PID:2028
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\UserProfileWmiProvider.mof
  2⤵
  PID:2204
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\vds.mof
  2⤵
  PID:2692
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\vss.mof
  2⤵
  PID:2908
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WBEMCons.mof
  2⤵
  PID:1120
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wcncsvc.mof
  2⤵
  PID:1532
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Wdf01000.mof
  2⤵
  PID:2992
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Wdf01000Uninstall.mof
  2⤵
  PID:588
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wdigest.mof
  2⤵
  PID:944
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WFAPIGP.mof
  2⤵
  PID:1112
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WFP.MOF
  2⤵
  PID:1552
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wfs.mof
  2⤵
  PID:1808
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WgxInstalledGame.mof
  2⤵
  PID:1480
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\whqlprov.mof
  2⤵
  PID:2932
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\win32_encryptablevolume.mof
  2⤵
  PID:784
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Win32_EncryptableVolumeUninstall.mof
  2⤵
  PID:1736
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\win32_printer.mof
  2⤵
  PID:1564
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Win32_Tpm.mof
  2⤵
  PID:2592
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wininit.mof
  2⤵
  PID:1940
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\winipsec.mof
  2⤵
  PID:2552
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\winlogon.mof
  2⤵
  PID:2900
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Winsat.mof
  2⤵
  PID:2380
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WinsatUninstall.mof
  2⤵
  PID:1696
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wlan.mof
  2⤵
  PID:2496
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WLanHC.mof
  2⤵
  PID:548
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmi.mof
  2⤵
  PID:2984
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipcima.mof
  2⤵
  PID:2600
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipdfs.mof
  2⤵
  PID:2872
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipdskq.mof
  2⤵
  PID:2348
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WmiPerfClass.mof
  2⤵
  PID:1412
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WmiPerfInst.mof
  2⤵
  PID:2260
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipicmp.mof
  2⤵
  PID:1664
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipiprt.mof
  2⤵
  PID:2688
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipjobj.mof
  2⤵
  PID:1088
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipsess.mof
  2⤵
  PID:2228
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmitimep.mof
  2⤵
  PID:1440
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WMI_Tracing.mof
  2⤵
  PID:1944
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmp.mof
  2⤵
  PID:1484
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmpnetwk.mof
  2⤵
  PID:768
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpc.mof
  2⤵
  PID:964
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpcsprov.mof
  2⤵
  PID:588
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpcuninst.mof
  2⤵
  - Drops file in System32 directory
  PID:476
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpdbusenum.mof
  2⤵
  PID:1096
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpdcomp.mof
  2⤵
  PID:3044
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpdfs.mof
  2⤵
  PID:2064
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpdmtp.mof
  2⤵
  PID:1992
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpdshext.mof
  2⤵
  PID:2076
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WPDShServiceObj.mof
  2⤵
  PID:1680
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpdsp.mof
  2⤵
  PID:1736
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpdwcn.mof
  2⤵
  PID:2780
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpd_ci.mof
  2⤵
  PID:908
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wscenter.mof
  2⤵
  PID:1648
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wscmisetup.mof
  2⤵
  PID:2224
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WSDApi.mof
  2⤵
  PID:2384
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WsmAuto.mof
  2⤵
  PID:2368
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WUDFx.mof
  2⤵
  PID:2292
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WUDFxUninstall.mof
  2⤵
  PID:2808
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wzcdlg.mof
  2⤵
  PID:2428
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\xwizards.mof
  2⤵
  PID:1072
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0309255AB46E3D6CAE2056340225DDA9.mof
  2⤵
  PID:1384
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\033B1D9B4216B475E81B22B7067A7D1D.mof
  2⤵
  PID:1068
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\038145628EF306DCD8FD7686C52BD131.mof
  2⤵
  PID:2492
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\042E30CED0EE9B02641D0960BD5D6854.mof
  2⤵
  PID:1576
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0471EE6D56711CCAFEBCF01C57F9159A.mof
  2⤵
  PID:2184
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\04D5961EC17DF68D8407B772F9C7DF98.mof
  2⤵
  PID:2260
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\04E8A5FE2DA94218C402D8821D819F56.mof
  2⤵
  PID:2124
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\050F60C5DEC201482BC14E317519A6F6.mof
  2⤵
  PID:2756
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\06DAE99BF3D429EE4946D4BF8BFF8C96.mof
  2⤵
  PID:1536
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\08BF1AF6E61B8456B1D5B42769C3412C.mof
  2⤵
  - Drops file in System32 directory
  PID:1504
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\08D51E934D3BA7EB8F60B6E90B6F1511.mof
  2⤵
  - Drops file in System32 directory
  PID:1784
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\097C63F5D2B8C4182BEB625A8287192D.mof
  2⤵
  PID:2304
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\09A251213F70FF824ABB31AACEEAC17F.mof
  2⤵
  PID:844
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0A2DA7EA3492D7ECD2C313A8B7490FC1.mof
  2⤵
  PID:540
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0A49A422B8A92BD87756E892C1BAEC38.mof
  2⤵
  PID:1724
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0A76D835FEE42A0F9B07455539850A30.mof
  2⤵
  PID:912
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0B410C5019E5BB240FE3D9209B3CEAF2.mof
  2⤵
  PID:1216
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0CB6D8EA6179D949B588A4D328F2A1D5.mof
  2⤵
  PID:2080
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0CCAA8293392639FBA830DD578DB2C02.mof
  2⤵
  PID:1248
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0CD51E5093F1D9C8A0097F8E9E827C54.mof
  2⤵
  PID:2072
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0E68BDAB79C00E0C496F8772703BB3AB.mof
  2⤵
  PID:1988
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0EA772F1A1EDFC2AEE10CC4E22899FA7.mof
  2⤵
  PID:1640
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0EACEE5F78D8DC364E3C886DBB50601B.mof
  2⤵
  PID:896
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0EB4359F7C410C964ED950874BB9E7C3.mof
  2⤵
  PID:3012
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0EB7B5521B8E9A713CA5D4DE1135B365.mof
  2⤵
  PID:364
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0EBA1F7B891BD5FE808E91F1D5467AFE.mof
  2⤵
  PID:1940
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0F6999175ECAE7FD86A81D5F3AC1FA46.mof
  2⤵
  PID:1596
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\10D697E74C7A4CC694967A7BA1861EE7.mof
  2⤵
  PID:2112
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\14C5A2A3C41254184B007011E5565E5B.mof
  2⤵
  PID:2484
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\160386BCC54C67562570A808003698B2.mof
  2⤵
  PID:2436
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1641F982282E8CA70B0D93F1F2BB145B.mof
  2⤵
  PID:2868
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\16C850723D6D606824E3600992F717AC.mof
  2⤵
  PID:2420
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\170119984F3AA426567DD71E8458DCA1.mof
  2⤵
  PID:2744
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\173F0B14BCB5F1B2B2258AFA66FA1F6A.mof
  2⤵
  PID:1384
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\179828219D3CF81FF212E021A69DF006.mof
  2⤵
  PID:1068
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\17BCA321685944580A77D03BECECF588.mof
  2⤵
  PID:2492
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\18194DF78686FCBACD0E6868ED0E0919.mof
  2⤵
  PID:1976
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1898EDEA64C511B1CB8EF5483101FB35.mof
  2⤵
  PID:2208
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\18B9AA34B315DE18655875C087F7E147.mof
  2⤵
  PID:2508
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\18F122357839ADA1419DDE2C541904BE.mof
  2⤵
  PID:1936
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\195AE1B89E0FF6CD40670E98BAB3A608.mof
  2⤵
  PID:2036
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\19B9819A1C5AE6BC556E1A65834AEC13.mof
  2⤵
  PID:1980
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1B1859A081E5E0E923DE7CA17A3AD0E6.mof
  2⤵
  PID:764
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1BA88ACB624E02A260404A9D8F7BD8E5.mof
  2⤵
  PID:1252
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1BF02F5F261B4F6E08912C82760B1564.mof
  2⤵
  PID:2352
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1C6A987B4B0CF81C64F418964D02E590.mof
  2⤵
  PID:1816
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1D2F2472E8915C165DD3667793DD6216.mof
  2⤵
  PID:268
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1D770486C382CDC6F1CD832E1D040FEF.mof
  2⤵
  PID:3048
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1DD21D310EE87FB8B3301E43E53F9548.mof
  2⤵
  PID:2812
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1E3959634C12CA1C92AEBB0AB0A0CD47.mof
  2⤵
  PID:2152
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1E50D6323FD92D3DDCD8B52937074C9C.mof
  2⤵
  PID:2920
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1ED415C5FAB66F75A8BD9D906ED1FD79.mof
  2⤵
  PID:2004
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1FD16EA55AB471DAD65A8AE31A92BFE1.mof
  2⤵
  PID:2064
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\20916DA71EC75FCC409872C3207D9C60.mof
  2⤵
  PID:1992
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\20EF0B41F86B67FBB71739AA19D6F941.mof
  2⤵
  PID:1544
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2131A60D40501A974386B9E42E4FC201.mof
  2⤵
  PID:2076
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2174D8A485DAE80D1D90B7E5430F164F.mof
  2⤵
  PID:896
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\22C5E271CACABCBB6D1BF416CB483DB1.mof
  2⤵
  PID:3012
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\232692AF542DAC9C19624048D7BCE0F9.mof
  2⤵
  PID:2188
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\25CCB9BAD9B50F42124D935083535916.mof
  2⤵
  PID:1648
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\25CE4D0A477A7A536B1F5C9965A6C9E4.mof
  2⤵
  PID:2900
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\25E9A5A2000F7483536AEC7F5BBAD557.mof
  2⤵
  - Drops file in System32 directory
  PID:2616
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\265FD3983F420D89954E000E4E311FC5.mof
  2⤵
  PID:2368
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\26A5A04A346330E389400293E01228AC.mof
  2⤵
  PID:2660
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\26E8FD3933B4712ABA50053BBE27630F.mof
  2⤵
  PID:884
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2794DD6CC13BD11ED558AA64C449E6D7.mof
  2⤵
  PID:2372
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\29B55D1D5A0BB6BBFD2F6F1D35B3A1BB.mof
  2⤵
  PID:880
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2B08F8B4B5DBD8346D4FF75E51BC8F87.mof
  2⤵
  PID:2960
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2B416E2919A9D497584044544D3C8433.mof
  2⤵
  PID:2348
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2BF259128A811B9C7417AEAD9F596A8E.mof
  2⤵
  - Drops file in System32 directory
  PID:3020
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2C6A80FDED75E46CA733976E382559CC.mof
  2⤵
  PID:1916
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2C7CF4E1EA79BFA00DDAAADCB67FCA96.mof
  2⤵
  PID:1636
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2D0F883F26EE14287D5262E2FC93E3CE.mof
  2⤵
  PID:2028
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2DFDBD25A9B159E6B632A69ADD81F446.mof
  2⤵
  - Drops file in System32 directory
  PID:2032
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2E4D19AFECF3B4188F10CD16C8BB92E1.mof
  2⤵
  PID:1088
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2F58A8772B1579A81054587DFC0A68CE.mof
  2⤵
  PID:2244
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\30711D4696101AA94690C8C51432F5E2.mof
  2⤵
  PID:940
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\30C3808B55CD6C563447B44FC4E9BAD8.mof
  2⤵
  - Drops file in System32 directory
  PID:2664
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\329A6D1E4413466F2111A8B0F5C0A51B.mof
  2⤵
  PID:2352
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\32C943873CC624333BD0BF2A77384240.mof
  2⤵
  PID:1816
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\32F8CD6F6308A815E554A273D4FA33D6.mof
  2⤵
  PID:2296
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\33A13765948753719F44CA6F7E586909.mof
  2⤵
  PID:1484
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\33B9B81C996ACC2B2000070519028F72.mof
  2⤵
  PID:912
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\344FC63DB23C44805CA5C08EAC26522F.mof
  2⤵
  PID:2804
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\345C49713BAB91E320E0183986F86818.mof
  2⤵
  PID:2448
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\347C4407B808EB65CAFD16126D73D922.mof
  2⤵
  PID:2004
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\34945C148CB28454DF772D7436BAE73A.mof
  2⤵
  PID:2828
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\361C55667115751869AC74207D28DCE7.mof
  2⤵
  PID:1028
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\36A47C4202A2694FFD79C2BABBD02788.mof
  2⤵
  - Drops file in System32 directory
  PID:1328
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3704297DA195A3B2DADC6D89B6226662.mof
  2⤵
  PID:3060
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\371088BC97F0585065A1A08ED83172D6.mof
  2⤵
  PID:908
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3778D40681E80056E0C63E6CB18E9E37.mof
  2⤵
  PID:2784
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\37D4F7E4435BDF811F1EC2CBA1EF4A10.mof
  2⤵
  PID:2672
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3855849167EAA03A99F4C8450E15A6ED.mof
  2⤵
  - Drops file in System32 directory
  PID:2456
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\38841DF145EDAB1901F40F6B9A6AF4AA.mof
  2⤵
  PID:2912
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\38C42C417C6ED79CEA712C91CA6F6077.mof
  2⤵
  PID:2292
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\38F922911FA0CAE637E5D1EB1013D0F1.mof
  2⤵
  PID:592
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\395955902B64122A6EF58A130F284979.mof
  2⤵
  PID:2868
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\39C2F82384C755EF218F0F19FE619F80.mof
  2⤵
  PID:2984
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3A2F8881A3B96DF2374FCEFB35545D6B.mof
  2⤵
  PID:2744
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3A65AC537877D583303AEEF0342B5D51.mof
  2⤵
  PID:1384
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3AF58951EB00AD264E4FCF4BA804D893.mof
  2⤵
  PID:1068
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3B443485D5F96CA9554D404AA52A1633.mof
  2⤵
  PID:1412
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3BB167BC6A619E5D11B40C8B9F699327.mof
  2⤵
  PID:2560
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3D7D7734943CA5F273BDA05F3E1FA20C.mof
  2⤵
  PID:2584
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3D93BA5591BD981C5D5D6E2BEFACAA50.mof
  2⤵
  PID:2124
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3DB5281FDDFC239D9EF8C0B9F568CC0A.mof
  2⤵
  PID:2756
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3F78FC5E2CC6CFD8720C796D34A544F7.mof
  2⤵
  PID:1536
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3FA3650B664BC96A8672EC85A7AE4225.mof
  2⤵
  PID:1920
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\40E224B18F4493C1B8E43DBC496D8E68.mof
  2⤵
  PID:2256
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\434B7316BB2FAD82DC3E5784AC46B4A0.mof
  2⤵
  PID:2052
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\43535D7A73D735DEFF9DB83057553D39.mof
  2⤵
  PID:2164
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\435A088CDF6FE7426084E4B35C1E81C7.mof
  2⤵
  PID:1064
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\43AC153E4DED1737C66AEC0C7EAD9430.mof
  2⤵
  PID:1816
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\451233ED13E097000776690B79D8D753.mof
  2⤵
  PID:2172
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\45909B0D5A9FD1FE57C8BD13773D4358.mof
  2⤵
  PID:1484
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\46F812454290EE1E870544BFEAC8C7EF.mof
  2⤵
  PID:528
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\47C87AFF6DBF51980E7CA3E36C38B86B.mof
  2⤵
  PID:3052
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4846320185EA62FBD8507FD7A9D87E61.mof
  2⤵
  PID:1248
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4BD7268ABFF9CFF22DA57949025E2667.mof
  2⤵
  PID:1556
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4BE9D6CB921FE137B78AE9960CDD98B0.mof
  2⤵
  PID:1676
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4D9BCF0F509C90FA86E1ED3A34E158A0.mof
  2⤵
  PID:1236
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4DAE009EE0BC4B9ECA96E59E303AE1E5.mof
  2⤵
  PID:2524
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4E20565265CAAFBDB6BA1B1C1ADA9D96.mof
  2⤵
  PID:2512
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4E34C76D83E2430D779FE9AA17E87200.mof
  2⤵
  PID:1680
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4EF05404F86FAFD7EDAB80262970585E.mof
  2⤵
  PID:2676
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\50B5B38557DC642A4BC7282A0C8C4AA2.mof
  2⤵
  PID:2636
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\51588E4AC5E59453F329EBF5A215ACEC.mof
  2⤵
  PID:1652
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\517ED769F6478117021531216F609C27.mof
  2⤵
  PID:2616
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\51B9369C31C913E211D29AA4D91D4747.mof
  2⤵
  PID:2364
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5232DBC5D3EE8EBCEF6CCB4213399B9A.mof
  2⤵
  PID:1388
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5312CF8C0E1EE738404F2A6E526EB4D0.mof
  2⤵
  - Drops file in System32 directory
  PID:1072
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\53C824D10974E3D64CB1537B2770F4AD.mof
  2⤵
  PID:2868
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\542DC56D520FDDEDA279A0D2F398203D.mof
  2⤵
  PID:2104
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\553C27B9785BAD9A0C6E81613DD3FCB4.mof
  2⤵
  - Drops file in System32 directory
  PID:2504
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\554B4465433438F4FF7B8D7AB981B555.mof
  2⤵
  PID:2960
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\555E8EEF9A21E3F26C263316A778E15F.mof
  2⤵
  PID:2348
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\568257F0F7CB54EB479EA5E39A4ACD57.mof
  2⤵
  - Drops file in System32 directory
  PID:2044
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5731B1CD62369AA3EF2B861A7BACB2C5.mof
  2⤵
  PID:2184
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\58F2015134CCB0F7652C9320D9357B79.mof
  2⤵
  PID:2584
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\59C780751B7740A822CCE33528AC1E14.mof
  2⤵
  PID:2124
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5B4B75183FE97E2D052EE74E519015F4.mof
  2⤵
  - Drops file in System32 directory
  PID:2692
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5C704EA3E7D7B64E50D00711FC13CD34.mof
  2⤵
  PID:2240
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5DFFB5C73CF04EE22E19BB74127846D8.mof
  2⤵
  PID:2544
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5EEE7ED3AD74F7D10B2058BB7C19B751.mof
  2⤵
  PID:868
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5F037A89915D44B8819F9FCFDE0B489E.mof
  2⤵
  PID:2460
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5F08E2D70EBF81C77FA4C99A0901A6C8.mof
  2⤵
  - Drops file in System32 directory
  PID:1732
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5FC405F33502FCF8B5292EFDDD9AE4FA.mof
  2⤵
  - Drops file in System32 directory
  PID:3016
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\618DAF27B2DD9C7384C9866B3C604A9F.mof
  2⤵
  PID:1924
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\627EE3812DC7A5BF704C057D238F75AA.mof
  2⤵
  PID:2296
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\62FE034F36B9ACAF125049C4EB64D6A7.mof
  2⤵
  PID:2708
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6364E8D3F688917ECAE1050954B63674.mof
  2⤵
  PID:2452
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\644B35DCD280DC69AED674005133C98E.mof
  2⤵
  PID:3052
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\64BE228C7C03C2D993371E5195306859.mof
  2⤵
  PID:2932
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\652B32EA4449A9E8AF422E70ACDF46E4.mof
  2⤵
  PID:2020
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\653734ED42B7A9B62F119AAB8C9521D8.mof
  2⤵
  PID:1988
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\657F8341C743B485575944BF32E0125B.mof
  2⤵
  PID:2916
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\65DE946825EFC13018FEB489315181A4.mof
  2⤵
  PID:932
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\66B28EEE188E29399051A60BAF92D333.mof
  2⤵
  PID:1608
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\674888C18C2BA74E9DE8F74501330DC0.mof
  2⤵
  PID:2188
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6792FDA793556851BD20EA3DD8BD4F6B.mof
  2⤵
  PID:1648
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6808D4839451264DD18BB2454D45479E.mof
  2⤵
  PID:2948
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\682277A939A770BB800CFE4F205D7891.mof
  2⤵
  PID:1396
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6874681F627A133631133FDFA2B4FB8D.mof
  2⤵
  - Drops file in System32 directory
  PID:2436
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\693BB2D22B37188C506A30563317E1D8.mof
  2⤵
  PID:2308
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6984662FE0A2CC634E49E525D17376AA.mof
  2⤵
  PID:2268
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6BFD34C0EBE9B3A34F525B51261858DF.mof
  2⤵
  PID:2440
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6CBA7FE164696851E3674A4FC046F926.mof
  2⤵
  PID:1188
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6CE4D05BA5B97F5FAAA40312E14F0E81.mof
  2⤵
  PID:2428
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6D15B1C3AE92D91DCD86360CCC4F53B4.mof
  2⤵
  PID:2600
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6DADEFFF2FCEDD93F8CEF59036FEF4B9.mof
  2⤵
  PID:1384
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6F2F026E4006B8443E4D6AD8DC43B8EF.mof
  2⤵
  PID:2724
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6F8564A71977AE6B940705DCC4847A8D.mof
  2⤵
  PID:1916
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\70121DE772621FEB6480A1C9A3475D5A.mof
  2⤵
  PID:2204
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7073EBB8E2F3C70E0FA1F650B7DEA970.mof
  2⤵
  PID:2260
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\716FDC254E211F547A560E1A71D0E6CA.mof
  2⤵
  PID:2124
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\738F657B98502C3F07A67FDC669EB8AB.mof
  2⤵
  PID:2692
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7402D0FB5599777D401744FC6DD201D7.mof
  2⤵
  PID:2576
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\740FBFCE4E4515C86E8C7E9D18A58DF4.mof
  2⤵
  PID:2276
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\742B2F1B414C6E566B6BDF87D12D8AA4.mof
  2⤵
  PID:844
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\74E621F5E9C4849D83DAC55AC565A76B.mof
  2⤵
  PID:768
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\757421178679BC54A733A7C4F3DAA07B.mof
  2⤵
  PID:944
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\75B8AD308277AE2AEFCDEA0B6A7C3C0C.mof
  2⤵
  PID:436
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\75F3B2B3A615155BFB2E7C19531A197A.mof
  2⤵
  - Drops file in System32 directory
  PID:676
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\76A3CA62703735BDC186B9056247C8F7.mof
  2⤵
  PID:2920
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\779E080B33F322115205BB50F1E0B8D1.mof
  2⤵
  PID:2804
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\784F84C1F101285B20E218ED2D09CD89.mof
  2⤵
  PID:1584
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7950D68C8C6F669B94D3E488F0B6BEAB.mof
  2⤵
  PID:1524
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7C45C8B7490D3AD44A961494C7FBFAFD.mof
  2⤵
  PID:612
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7C6FCEE9F64D2CC890D867AB97DEE424.mof
  2⤵
  PID:1564
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7C7E3220AE92EC87E0436ADE3F5D9931.mof
  2⤵
  - Drops file in System32 directory
  PID:1900
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7CEC0B7114C0F4A2F6AABCEF53246585.mof
  2⤵
  PID:832
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7D1DA389789509D61D1AB66097581992.mof
  2⤵
  PID:1544
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7D60FA9CA39C59A4B7C96DEFCF0B1B01.mof
  2⤵
  PID:2412
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7DD87359B51EDB79AC235F97E726EF5A.mof
  2⤵
  PID:2672
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7E12C6950CA7714D731D5313649CA457.mof
  2⤵
  PID:2160
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7E4466504BEF670F4735843135B2ADFD.mof
  2⤵
  PID:1696
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7F3DC6EFFFDCCEBC37B17C2FDC124638.mof
  2⤵
  PID:2292
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7FAC187A43CA71A854CA4653D8E075B5.mof
  2⤵
  PID:2808
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7FFB3426D0E8BA66422FAE4DC6D7FC1C.mof
  2⤵
  PID:2324
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\80064700E82C89F9D3E945021BA8C32C.mof
  2⤵
  PID:2700
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\818B866A009B1338C5AC103B2D8E2372.mof
  2⤵
  PID:1488
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\82DFEA0FE38074528C86FA0695FC7E37.mof
  2⤵
  PID:1576
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\82FED0C3319594CCF4117CB3B34B5F72.mof
  2⤵
  PID:2540
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8349431AF468BA55DBFB84FC50CC17C5.mof
  2⤵
  PID:2648
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\83E1D5D490B9335941305F44058A6755.mof
  2⤵
  - Drops file in System32 directory
  PID:1476
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\843980BE43ABA52AC77C57DF068D59B1.mof
  2⤵
  PID:2128
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\846AC8E6E788D5BDCFBB697A233A8993.mof
  2⤵
  PID:1932
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\84BA101DF0936E1318EE1EB10539C9CD.mof
  2⤵
  PID:2908
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8588C815441547988C5E4B9CC6CF7351.mof
  2⤵
  PID:1980
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\868B5F1DDD5C341C50C0D359CD22F37B.mof
  2⤵
  PID:1912
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\869B30EA34E0F5E56CCBB130AAC2BFA1.mof
  2⤵
  PID:1948
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\86CAC2AF84F4546D81A07C72C8591F6A.mof
  2⤵
  PID:868
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\87C0585DEAE72716889B524A66D1B5A3.mof
  2⤵
  PID:584
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8935BD8F59955F30D52E141E311891AB.mof
  2⤵
  PID:1712
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\89FA1168564BA2D42E7C412972B44BB5.mof
  2⤵
  PID:1760
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8BA44FC08995F15033A9F5D56C8BFC72.mof
  2⤵
  PID:692
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8BC8F7B477D3C6C3184AD0372AEE53F6.mof
  2⤵
  PID:2272
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8BDE235F11AF9276AB26638F45341094.mof
  2⤵
  PID:1060
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8E733CB38D1CDCF7377912244F95A3ED.mof
  2⤵
  PID:1248
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8E84BA6D260667ADAAD89BFECDD627CB.mof
  2⤵
  PID:2932
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8EE122F840F244E3AE065AF9ADB16CCD.mof
  2⤵
  PID:1764
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8F07ADF9734C090207F52CC2C29F17AF.mof
  2⤵
  PID:1624
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8FAA7CD5955A0D5862A90FAA2B0A56F4.mof
  2⤵
  PID:2220
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\92EFA8432E609D6F315DD0A3CB41E1E8.mof
  2⤵
  PID:2392
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\930C5E176BA9A3D78B730BC00CDDF64E.mof
  2⤵
  PID:1748
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\945C37C794BCB294DBA8E445FF2C9DB6.mof
  2⤵
  - Drops file in System32 directory
  PID:1772
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\94D3468248838C60F808E50FC66A40D0.mof
  2⤵
  PID:2396
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\95E06CE9FC028717015354732A36A6C1.mof
  2⤵
  PID:2948
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\96E2369FBCFC254F09B1EA2AF6E7641A.mof
  2⤵
  PID:2160
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9772382673B9BD1FECD8DED342DC39F8.mof
  2⤵
  PID:564
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\979FEF94607A8F13E19684C45FAA30EE.mof
  2⤵
  PID:580
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\97D74F86BDAAADB7B4674A2E199ED992.mof
  2⤵
  PID:2344
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9B0C875B0F6F2F48FB2B5C587F50979C.mof
  2⤵
  PID:968
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9B69BCC6C9FE867D2A3B64ECABB53826.mof
  2⤵
  PID:2868
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9B75C712017ED3DA97BEA0D4949BFA74.mof
  2⤵
  PID:1188
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9B7AE939DC5E63135058FA28EB025C7C.mof
  2⤵
  PID:880
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9B9501A9E26093612D20F39A895DA307.mof
  2⤵
  PID:2960
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9C1784EBA4E907589027FCF72DE4C0AD.mof
  2⤵
  PID:1384
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9C44AA8B16C47059241530441BCD6DD9.mof
  2⤵
  PID:2168
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9CFE6E9E20D61400007C08E31ED048B4.mof
  2⤵
  PID:2128
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9E8B373EB1451CC4B43C871707D12D3D.mof
  2⤵
  PID:1932
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9FC7214EDE76F8AE24F96A8195852557.mof
  2⤵
  PID:1124
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9FD6F6552A18165F88BF080B1B4DF1DD.mof
  2⤵
  PID:764
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A0CC7ED8939B47C1ED00EB9F04D19EB0.mof
  2⤵
  - Drops file in System32 directory
  PID:940
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A0DE0DD786E0E9020C3DFD7004E42694.mof
  2⤵
  PID:2032
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A16EB1FCF4FDFE5542D9FE85FCF4F0E0.mof
  2⤵
  PID:2904
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A2D118894CA6FCC71ACC7DD86296B7A8.mof
  2⤵
  PID:324
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A30FD18C5DC0924B89944F8ADE638E27.mof
  2⤵
  PID:3004
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A396597A6767121F681B483A4B28ABDB.mof
  2⤵
  PID:2280
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A46C038124134B1482949A1DF8ABB385.mof
  2⤵
  PID:1724
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A572284932D45BDC47401871C2E01043.mof
  2⤵
  PID:2920
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A7463B23BFE582993515A0109F19D304.mof
  2⤵
  PID:1060
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A88BC3FD19AFFF0EF5E5DD4A97F9B953.mof
  2⤵
  PID:1248
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A93568B935C29F9AA2B5DC62D4964431.mof
  2⤵
  PID:2932
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A945F8B7098A596A55A7303B78BC8CF1.mof
  2⤵
  - Drops file in System32 directory
  PID:2592
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\AA6235372BA3751E1E4C601E6263D02E.mof
  2⤵
  PID:1616
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\AA69B9C8BBEB509BBB296FEDD7B5ED23.mof
  2⤵
  PID:1328
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\AB3EC8C66F16D96107223E8469ACA854.mof
  2⤵
  PID:1900
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\ABA2825A827A4760BD2251B8B781B271.mof
  2⤵
  PID:2748
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\AD20F64F9DDBB4AB72E615A132B55377.mof
  2⤵
  PID:3012
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\AD5C5848CD0E22DA01A18D5C186CF995.mof
  2⤵
  PID:364
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\AE25594AECD77BF35F6E794162F4DD77.mof
  2⤵
  PID:2384
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\AFC3C909161915255AC43F522C25B858.mof
  2⤵
  PID:2884
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\AFE689599143A3C959EC6ED84C5AE1F9.mof
  2⤵
  PID:1200
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\B1FD5C4B728DEE34C2744E42C11D8760.mof
  2⤵
  PID:580
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\B250BBA224E8A08823993336C7CB7011.mof
  2⤵
  PID:2344
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\B471CD3F6DA41643CF1F5221FE3E4CF9.mof
  2⤵
  PID:2324
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\B54261EAEEB4A0D8DB966E20CBEF7E52.mof
  2⤵
  PID:2880
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\B6752671A157884075FCC12BEDFB4D69.mof
  2⤵
  PID:1976
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\B67D454E426E9AEB60ED08DCC946B44B.mof
  2⤵
  PID:1664
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\B6AF1E27DD1C8095A2887A3BECBB76EF.mof
  2⤵
  PID:2732
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\B7133C48CF1507759D1561876C9BA27B.mof
  2⤵
  PID:2764
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\B789D76E1E0DE4569B56F6FE22E05621.mof
  2⤵
  PID:1972
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\B8870014FB74FB540F3C31EA907A2AE7.mof
  2⤵
  PID:2320
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\B983243B1B5F59CFF73648C21D5FB88F.mof
  2⤵
  PID:1104
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\BA42233C2B9592211C49858860047F3F.mof
  2⤵
  PID:1656
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\BB9039F6B76054E97E7EFE906C52DE12.mof
  2⤵
  PID:2664
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\BD557D61619F268BDCEA21C2BDB91514.mof
  2⤵
  PID:2276
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\BD818313E410FD46A9F63786A32AEE23.mof
  2⤵
  PID:1732
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\BD880669B37B14C73AF9195DB3A20F28.mof
  2⤵
  PID:2164
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\C03089ABF5861ADFD1F7C923D2F9A153.mof
  2⤵
  PID:964
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\C09DD3CA03ADBEEE3ABD0ADF668D9848.mof
  2⤵
  PID:1360
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\C1A0E85153900845F7BA78472B952007.mof
  2⤵
  PID:1216
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\C1A41FBCA25E3E6CC4CD22064882728F.mof
  2⤵
  PID:2016
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\C1D36889746E38D1BC7C314F51AC80E6.mof
  2⤵
  PID:1480
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\C1FA58EA827D44CFBEE4F63536677F65.mof
  2⤵
  PID:1060
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\C25A6E589BBE06A55DB5B350B80152B1.mof
  2⤵
  PID:2832
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\C2928ED38478DF99E69563F6607993C8.mof
  2⤵
  PID:2020
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\C3F80855FDF5A3E423EBABF12EB64064.mof
  2⤵
  PID:2592
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\C40B30214E633F7974F2729FAE1BC67D.mof
  2⤵
  PID:1616
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\C5E5CB06F45AEA0FE31FFD0A0F94194E.mof
  2⤵
  - Drops file in System32 directory
  PID:1328
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\C67614C3E48ABD4BC9E709E2CEB2CE53.mof
  2⤵
  PID:1748
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\C685465F4F6FC210421DA7E9DD550821.mof
  2⤵
  PID:2864
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\C8306578B5F0D111675384D271B4DAE3.mof
  2⤵
  PID:2380
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\C890A36E670146004F5FA6D96F4C069C.mof
  2⤵
  PID:2900
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\C98344F72C7B0FA5F30F1BF6877B4E25.mof
  2⤵
  PID:1140
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\CA1BF3536958E01F710E5995DE6EBE31.mof
  2⤵
  PID:2308
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\CAC0434A24FA3D5F69B4858EAA050C64.mof
  2⤵
  PID:1592
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\CB7DDAE3224D5AB1AA07F9B5AAD1A027.mof
  2⤵
  PID:2564
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\CCFBB6F691A0FA96C5B605CD9D80173B.mof
  2⤵
  PID:1072
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\CD5C98B31AB8AA0599193696AF7D0DB1.mof
  2⤵
  - Drops file in System32 directory
  PID:968
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\CD658FA16F96D4466BFE68FCE874D955.mof
  2⤵
  PID:2572
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\CDC6E4754252FF7D0E8F3C134D265A60.mof
  2⤵
  PID:2504
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\CDDB319981A500F42CBEC98CD2362007.mof
  2⤵
  PID:2348
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\CE096445AF8F836B82205BD4E80E5A94.mof
  2⤵
  PID:1412
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\CE11FD1C1FB6481A93541E3B9ACD4CA7.mof
  2⤵
  PID:1452
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\CE7FA5E0DC28E4C7BB0A2AA22DE05392.mof
  2⤵
  PID:2252
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\CF59E7AD297D53172AE9792A2C26A022.mof
  2⤵
  PID:2848
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\CF881EBD6F50B8BAA9BD57DC3DAC5CB2.mof
  2⤵
  PID:2228
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\D04911ACFCA47446EFCB01393D3C3F8B.mof
  2⤵
  PID:1056
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\D1C240EDA191362672EF6FCCB9725F85.mof
  2⤵
  PID:1532
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\D2412702F385FCB9E6709FB33EB27BDF.mof
  2⤵
  PID:2820
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\D256B700C202A9389F73688CDED83B7E.mof
  2⤵
  - Drops file in System32 directory
  PID:984
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\D361F8B496FD6DAF7BEEF497E09C0DC1.mof
  2⤵
  PID:588
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\D44C788DD143A6A25912E1AA4230EBBA.mof
  2⤵
  PID:2788
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\D45422347AA81775B83DBC3898BAD5DE.mof
  2⤵
  PID:912
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\D4D422DBE282F1B12C3A82517EB0D59D.mof
  2⤵
  PID:2708
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\D566F9B651B60AE7D0B5DEBF57A90E35.mof
  2⤵
  PID:3036
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\D69C7ED8E3B896ACD98229CB4DC363B6.mof
  2⤵
  PID:1584
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\D6E15C5FE0484F1B1192CEC9DD7DCE6A.mof
  2⤵
  PID:800
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\D7E06DA4457A14F49A9A996F22881130.mof
  2⤵
  PID:1800
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\D8A32838B23AD6809B3B7858DA93D26B.mof
  2⤵
  PID:1952
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\D8D1C602836BEF743D38740FCA8D4B8B.mof
  2⤵
  PID:3000
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\DA27AF57C09E80A784709AD6239EA23B.mof
  2⤵
  PID:2592
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\DA54B44152345FC1E1817702B2A34D5D.mof
  2⤵
  PID:1616
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\DA5B702F94B3636728C005C0E5C0A6BE.mof
  2⤵
  PID:2392
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\DAC96F2A49E2484740F118A3CDF28EA3.mof
  2⤵
  PID:1748
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\DB54C5562A50379EFADA86F9B3861ABC.mof
  2⤵
  PID:2456
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\DB81A681168E125300B192421B05FF69.mof
  2⤵
  - Drops file in System32 directory
  PID:1396
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\DBC6F0EF775A987FD56E1909BCBEF6E4.mof
  2⤵
  PID:2900
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\DBDD03C26C22DA3E23ABAA15A6B39B54.mof
  2⤵
  PID:2420
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\DC89E71970FFC22FA221C8A45308C5D4.mof
  2⤵
  PID:1964
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\DCEF332D84C4031C782F4C93C596D4D1.mof
  2⤵
  PID:2712
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\DD603E8A562856C2EC1C09212F23ADB3.mof
  2⤵
  PID:2428
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\DE44225AB6232B6BBD0C9B6E8C537DF1.mof
  2⤵
  PID:2292
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\DE523FD5DB5ABAE94C68AF7114CBD760.mof
  2⤵
  PID:1576
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\DED5474ADC85A48A01D7B3559075F80F.mof
  2⤵
  PID:1264
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\E069A2E2BAA0539B3A6D0C2A427CC7C9.mof
  2⤵
  PID:1976
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\E22148F95450D8DD65C6F01F3F70D0C6.mof
  2⤵
  PID:2168
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\E2FA811D54787AF194F2ED7963AC8C26.mof
  2⤵
  PID:2092
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\E32F72CD17027215C1CA0F8CDBFC424A.mof
  2⤵
  - Drops file in System32 directory
  PID:2184
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\E3D1F0237C90408BD496AD5ABA1F83D8.mof
  2⤵
  PID:948
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\E41B36A469B90C2F71E1E8F75B1ED2A0.mof
  2⤵
  PID:2688
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\E47D9E1373E74D680A96741EA31C401B.mof
  2⤵
  PID:2256
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\E4D93E2CD3A40184A9C679C11EDC25C0.mof
  2⤵
  PID:1056
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\E524F67A774C12EBBA2AC0F57BF33938.mof
  2⤵
  - Drops file in System32 directory
  PID:1920
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\E5D068F2F245DA1441228DED41D871BF.mof
  2⤵
  PID:2136
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\E5D6C9A65DA9AE649E8317A75C06E198.mof
  2⤵
  PID:2312
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\E6086DA9044149F6A624985412B8BAA6.mof
  2⤵
  PID:3016
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\E6195BA9E153534E5472835E2F29A5B0.mof
  2⤵
  PID:2788
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\E65B695F08B9EEF897D110161AAF326E.mof
  2⤵
  PID:2352
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\E74A466875015A38C572AC1A3B4F774E.mof
  2⤵
  PID:632
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\E860DDD7490FFB35C48288CE8E7C8D65.mof
  2⤵
  PID:268
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\E88C6850DE2F0CC0517AAF71EFF7E4AE.mof
  2⤵
  PID:1584
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\E96F8F23D7A801D8504391B5E2E3A3F0.mof
  2⤵
  PID:800
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\EC7D2FD0AD8EE062168F3E58D1A3CDA4.mof
  2⤵
  PID:2336
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\ECCEC78ACEEAA571E4485A1A3E96A4C2.mof
  2⤵
  PID:2916
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\ECCED369BDF461A1B105963C3F3FD5B6.mof
  2⤵
  PID:2220
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\ECDFB9E4F5941EF63DFB007D02610E24.mof
  2⤵
  PID:1544
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\EEC4F93CD036A6E45D6FD265129F85C5.mof
  2⤵
  PID:1680
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\F1FAE81BF48CB59E19A1A345EFABE714.mof
  2⤵
  PID:2672
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\F5228D745C8184B4A57254494455ECB0.mof
  2⤵
  PID:1748
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\F543E05A4357CEE05B9488DA6C07067D.mof
  2⤵
  PID:1908
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\F5BEE99426566AD5FD433DAB46B991C2.mof
  2⤵
  PID:2948
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\F644552872028BB5127A6F0E7B587070.mof
  2⤵
  PID:2964
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\F85C3F4EB8E282B5D15E9FA90012AB45.mof
  2⤵
  PID:2660
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\F8CD42F0BD43C7051B83889D59706392.mof
  2⤵
  PID:1364
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\F8FBB3675EF3FB69283C9C42186E20E3.mof
  2⤵
  PID:2872
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\F95F57395D6E4F99310D09374BF5AA36.mof
  2⤵
  PID:2428
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\FA2C628102913B4350472BA9C99FDD3B.mof
  2⤵
  PID:2696
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\FA30638CAB7DC067E5FDDBB4BAAF9549.mof
  2⤵
  PID:1576
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\FB78554F9623FFCFAF8517D1382A1AE6.mof
  2⤵
  PID:1264
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\FE6ED8E301AAC0F2572E50BB9B42368D.mof
  2⤵
  PID:1976
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\FE7DD380036BD93A59C38786492E170F.mof
  2⤵
  PID:292
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\FF2A2387AFA336F6A8BAE68F63DAF457.mof
  2⤵
  PID:2028
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\aaclient.mfl
  2⤵
  PID:2584
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\auxiliarydisplaycpl.mfl
  2⤵
  PID:1980
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\cimdmtf.mfl
  2⤵
  PID:2688
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\cimwin32.mfl
  2⤵
  - Drops file in System32 directory
  PID:1708
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\cli.mfl
  2⤵
  PID:2548
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\cliegaliases.mfl
  2⤵
  - Drops file in System32 directory
  PID:2300
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\dsprov.mfl
  2⤵
  PID:1996
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\filetrace.mfl
  2⤵
  PID:2156
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\hbaapi.mfl
  2⤵
  PID:2844
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\interop.mfl
  2⤵
  PID:1808
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\irmon.mfl
  2⤵
  PID:1724
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\iscsidsc.mfl
  2⤵
  PID:2304
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\iscsiprf.mfl
  2⤵
  PID:1480
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\krnlprov.mfl
  2⤵
  PID:2008
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\l2gpstore.mfl
  2⤵
  PID:3060
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\Microsoft-Windows-OfflineFiles.mfl
  2⤵
  PID:1744
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\msi.mfl
  2⤵
  PID:1432
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\mstsc.mfl
  2⤵
  PID:1616
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\mstscax.mfl
  2⤵
  PID:1328
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\ncprov.mfl
  2⤵
  PID:2056
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\ntevt.mfl
  2⤵
  PID:240
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\OfflineFilesWmiProvider.mfl
  2⤵
  PID:1348
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\OfflineFilesWmiProvider_Uninstall.mfl
  2⤵
  PID:2160
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\p2p-collab.mfl
  2⤵
  PID:2368
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\p2p-mesh.mfl
  2⤵
  PID:368
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\p2p-pnrp.mfl
  2⤵
  PID:2996
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\PolicMan.mfl
  2⤵
  PID:2660
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\polproc.mfl
  2⤵
  PID:1596
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\polprocl.mfl
  2⤵
  - Drops file in System32 directory
  PID:2712
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\polprou.mfl
  2⤵
  PID:2324
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\powermeterprovider.mfl
  2⤵
  PID:1840
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\powerpolicyprovider.mfl
  2⤵
  PID:2200
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\profileassociationprovider.mfl
  2⤵
  PID:1004
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\RacWmiProv.mfl
  2⤵
  PID:2760
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\rdpcore.mfl
  2⤵
  PID:2508
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\rdpencom.mfl
  2⤵
  PID:1224
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\rdpinit.mfl
  2⤵
  PID:1368
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\rdpshell.mfl
  2⤵
  PID:1912
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\regevent.mfl
  2⤵
  PID:2052
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\rsop.mfl
  2⤵
  PID:1948
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\ScrCons.mfl
  2⤵
  PID:1532
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\secrcw32.mfl
  2⤵
  PID:2136
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\sensorscpl.mfl
  2⤵
  PID:2152
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\ServiceModel.mfl
  2⤵
  PID:692
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\ServiceModel35.mfl
  2⤵
  PID:676
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\smtpcons.mfl
  2⤵
  PID:1552
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\sppwmi.mfl
  2⤵
  PID:2920
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\sr.mfl
  2⤵
  PID:2084
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\subscrpt.mfl
  2⤵
  PID:1584
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\system.mfl
  2⤵
  PID:1236
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\tsallow.mfl
  2⤵
  PID:972
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\tscfgwmi.mfl
  2⤵
  PID:2192
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\UserProfileWmiProvider.mfl
  2⤵
  PID:1116
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\vds.mfl
  2⤵
  PID:1608
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\vss.mfl
  2⤵
  PID:3012
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\WbemCons.mfl
  2⤵
  PID:2864
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\wcncsvc.mfl
  2⤵
  PID:1748
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\wfs.mfl
  2⤵
  PID:1140
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\WgxInstalledGame.mfl
  2⤵
  PID:2948
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\whqlprov.mfl
  2⤵
  PID:580
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\win32_printer.mfl
  2⤵
  PID:2704
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\wininit.mfl
  2⤵
  PID:1928
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\winlogon.mfl
  2⤵
  PID:1364
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\wmi.mfl
  2⤵
  PID:2148
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\wmipcima.mfl
  2⤵
  - Drops file in System32 directory
  PID:2428
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\wmipdfs.mfl
  2⤵
  PID:2572
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\wmipdskq.mfl
  2⤵
  PID:1384
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\wmipicmp.mfl
  2⤵
  PID:2128
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\wmipiprt.mfl
  2⤵
  PID:1932
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\wmipjobj.mfl
  2⤵
  PID:2340
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\wmipsess.mfl
  2⤵
  PID:2320
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\wmitimep.mfl
  2⤵
  PID:1768
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\wmpnetwk.mfl
  2⤵
  PID:1536
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\wscenter.mfl
  2⤵
  PID:2244
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\WUDFx.mfl
  2⤵
  PID:1920
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\xwizards.mfl
  2⤵
  PID:2548
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\aaclient.mfl
  2⤵
  PID:2992
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\auxiliarydisplaycpl.mfl
  2⤵
  PID:2172
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\cimdmtf.mfl
  2⤵
  - Drops file in System32 directory
  PID:2156
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\cimwin32.mfl
  2⤵
  PID:2844
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\cli.mfl
  2⤵
  PID:2272
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\cliegaliases.mfl
  2⤵
  PID:2016
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\dsprov.mfl
  2⤵
  PID:2064
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\filetrace.mfl
  2⤵
  PID:3044
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\hbaapi.mfl
  2⤵
  PID:800
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\interop.mfl
  2⤵
  PID:2020
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\irmon.mfl
  2⤵
  PID:1848
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\iscsidsc.mfl
  2⤵
  PID:2628
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\iscsiprf.mfl
  2⤵
  PID:2796
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\krnlprov.mfl
  2⤵
  PID:2380
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\l2gpstore.mfl
  2⤵
  PID:2616
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\Microsoft-Windows-OfflineFiles.mfl
  2⤵
  PID:644
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\msfeeds.mfl
  2⤵
  PID:2456
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\msfeedsbs.mfl
  2⤵
  PID:2368
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\msi.mfl
  2⤵
  PID:1592
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\mstsc.mfl
  2⤵
  PID:2856
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\mstscax.mfl
  2⤵
  PID:2496
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\ncprov.mfl
  2⤵
  PID:2292
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\ntevt.mfl
  2⤵
  PID:2712
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\OfflineFilesWmiProvider.mfl
  2⤵
  PID:2324
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\OfflineFilesWmiProvider_Uninstall.mfl
  2⤵
  PID:2332
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\p2p-collab.mfl
  2⤵
  PID:2200
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\p2p-mesh.mfl
  2⤵
  PID:952
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\p2p-pnrp.mfl
  2⤵
  PID:568
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\PolicMan.mfl
  2⤵
  PID:1332
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\polproc.mfl
  2⤵
  PID:2240
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\polprocl.mfl
  2⤵
  PID:2044
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\polprou.mfl
  2⤵
  PID:2576
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\powermeterprovider.mfl
  2⤵
  PID:1368
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\powerpolicyprovider.mfl
  2⤵
  PID:1912
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\profileassociationprovider.mfl
  2⤵
  PID:1712
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\RacWmiProv.mfl
  2⤵
  PID:708
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\rdpcore.mfl
  2⤵
  PID:584
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\rdpencom.mfl
  2⤵
  PID:2284
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\rdpinit.mfl
  2⤵
  - Drops file in System32 directory
  PID:696
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\rdpshell.mfl
  2⤵
  PID:1096
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\regevent.mfl
  2⤵
  PID:3008
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\rsop.mfl
  2⤵
  PID:1800
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\ScrCons.mfl
  2⤵
  PID:1736
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\secrcw32.mfl
  2⤵
  - Drops file in System32 directory
  PID:1764
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\sensorscpl.mfl
  2⤵
  PID:832
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\smtpcons.mfl
  2⤵
  PID:800
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\sppwmi.mfl
  2⤵
  PID:1640
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\sr.mfl
  2⤵
  PID:2780
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\subscrpt.mfl
  2⤵
  PID:2524
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\system.mfl
  2⤵
  PID:2328
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\tsallow.mfl
  2⤵
  PID:2380
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\tscfgwmi.mfl
  2⤵
  PID:1348
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\UserProfileWmiProvider.mfl
  2⤵
  PID:2396
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\vds.mfl
  2⤵
  - Drops file in System32 directory
  PID:2308
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\vss.mfl
  2⤵
  PID:2484
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\WbemCons.mfl
  2⤵
  PID:2996
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wcncsvc.mfl
  2⤵
  PID:2344
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wfs.mfl
  2⤵
  PID:1092
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\WgxInstalledGame.mfl
  2⤵
  PID:1832
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\whqlprov.mfl
  2⤵
  PID:2504
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\win32_printer.mfl
  2⤵
  PID:2480
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wininit.mfl
  2⤵
  PID:2732
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\winlogon.mfl
  2⤵
  PID:2128
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmi.mfl
  2⤵
  PID:2508
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmipcima.mfl
  2⤵
  PID:2184
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmipdfs.mfl
  2⤵
  PID:2320
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmipdskq.mfl
  2⤵
  PID:1656
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmipicmp.mfl
  2⤵
  PID:2816
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmipiprt.mfl
  2⤵
  PID:1644
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmipjobj.mfl
  2⤵
  PID:764
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmipsess.mfl
  2⤵
  PID:2136
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmitimep.mfl
  2⤵
  - Drops file in System32 directory
  PID:2196
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmpnetwk.mfl
  2⤵
  - Drops file in System32 directory
  PID:2140
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wscenter.mfl
  2⤵
  PID:692
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\WUDFx.mfl
  2⤵
  PID:2844
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\xwizards.mfl
  2⤵
  PID:1836
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\aaclient.mfl
  2⤵
  PID:2016
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\auxiliarydisplaycpl.mfl
  2⤵
  PID:436
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\cimdmtf.mfl
  2⤵
  PID:2756
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\cimwin32.mfl
  2⤵
  PID:2828
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\cli.mfl
  2⤵
  PID:960
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\cliegaliases.mfl
  2⤵
  PID:2748
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\dsprov.mfl
  2⤵
  PID:2408
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\filetrace.mfl
  2⤵
  PID:280
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\hbaapi.mfl
  2⤵
  PID:1652
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\interop.mfl
  2⤵
  PID:2636
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\irmon.mfl
  2⤵
  PID:1396
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\iscsidsc.mfl
  2⤵
  PID:2964
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\iscsiprf.mfl
  2⤵
  PID:2564
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\krnlprov.mfl
  2⤵
  PID:2024
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\l2gpstore.mfl
  2⤵
  PID:2104
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\Microsoft-Windows-OfflineFiles.mfl
  2⤵
  PID:2496
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\msi.mfl
  2⤵
  PID:2728
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\mstsc.mfl
  2⤵
  PID:2148
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\mstscax.mfl
  2⤵
  PID:1916
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\ncprov.mfl
  2⤵
  PID:1664
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\ntevt.mfl
  2⤵
  PID:2348
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\OfflineFilesWmiProvider.mfl
  2⤵
  PID:1452
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\OfflineFilesWmiProvider_Uninstall.mfl
  2⤵
  PID:2508
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\p2p-collab.mfl
  2⤵
  PID:2240
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\p2p-mesh.mfl
  2⤵
  PID:2256
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\p2p-pnrp.mfl
  2⤵
  PID:1504
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\PolicMan.mfl
  2⤵
  PID:308
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\polproc.mfl
  2⤵
  PID:2052
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\polprocl.mfl
  2⤵
  PID:1888
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\polprou.mfl
  2⤵
  PID:1924
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\powermeterprovider.mfl
  2⤵
  PID:764
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\powerpolicyprovider.mfl
  2⤵
  PID:2136
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\profileassociationprovider.mfl
  2⤵
  PID:2196
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\RacWmiProv.mfl
  2⤵
  PID:324
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\rdpcore.mfl
  2⤵
  PID:2352
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\rdpencom.mfl
  2⤵
  PID:2272
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\rdpinit.mfl
  2⤵
  PID:2304
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\rdpshell.mfl
  2⤵
  PID:864
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\regevent.mfl
  2⤵
  PID:1764
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\rsop.mfl
  2⤵
  PID:2552
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\ScrCons.mfl
  2⤵
  PID:972
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\secrcw32.mfl
  2⤵
  PID:960
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\sensorscpl.mfl
  2⤵
  PID:2748
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\ServiceModel.mfl
  2⤵
  PID:2780
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\ServiceModel35.mfl
  2⤵
  PID:280
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\smtpcons.mfl
  2⤵
  PID:2512
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\sppwmi.mfl
  2⤵
  PID:2792
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\sr.mfl
  2⤵
  PID:1396
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\subscrpt.mfl
  2⤵
  PID:2964
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\system.mfl
  2⤵
  PID:2564
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\tsallow.mfl
  2⤵
  PID:2900
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\tscfgwmi.mfl
  2⤵
  PID:2040
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\UserProfileWmiProvider.mfl
  2⤵
  PID:2492
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\vds.mfl
  2⤵
  PID:2596
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\vss.mfl
  2⤵
  PID:1164
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\WbemCons.mfl
  2⤵
  PID:1412
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\wcncsvc.mfl
  2⤵
  PID:1976
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\wfs.mfl
  2⤵
  PID:1332
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\WgxInstalledGame.mfl
  2⤵
  PID:1452
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\whqlprov.mfl
  2⤵
  PID:2584
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\win32_printer.mfl
  2⤵
  PID:2460
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\wininit.mfl
  2⤵
  PID:840
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\winlogon.mfl
  2⤵
  PID:1768
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\wmi.mfl
  2⤵
  - Drops file in System32 directory
  PID:868
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\wmipcima.mfl
  2⤵
  PID:1156
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\wmipdfs.mfl
  2⤵
  PID:1760
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\wmipdskq.mfl
  2⤵
  PID:2180
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\wmipicmp.mfl
  2⤵
  PID:1816
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\wmipiprt.mfl
  2⤵
  PID:692
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\wmipjobj.mfl
  2⤵
  PID:632
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\wmipsess.mfl
  2⤵
  PID:2852
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\wmitimep.mfl
  2⤵
  PID:1248
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\wmpnetwk.mfl
  2⤵
  PID:1736
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\wscenter.mfl
  2⤵
  PID:1556
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\WUDFx.mfl
  2⤵
  PID:1624
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\xwizards.mfl
  2⤵
  PID:1900
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\aaclient.mfl
  2⤵
  PID:1648
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\auxiliarydisplaycpl.mfl
  2⤵
  PID:1844
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\cimdmtf.mfl
  2⤵
  PID:2524
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\cimwin32.mfl
  2⤵
  PID:936
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\cli.mfl
  2⤵
  PID:2056
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\cliegaliases.mfl
  2⤵
  PID:2268
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\dsprov.mfl
  2⤵
  PID:1696
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\filetrace.mfl
  2⤵
  PID:1964
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\hbaapi.mfl
  2⤵
  PID:968
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\interop.mfl
  2⤵
  PID:2104
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\irmon.mfl
  2⤵
  PID:3032
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\iscsidsc.mfl
  2⤵
  PID:2880
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\iscsiprf.mfl
  2⤵
  PID:2332
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\krnlprov.mfl
  2⤵
  PID:1916
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\l2gpstore.mfl
  2⤵
  PID:1932
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\Microsoft-Windows-OfflineFiles.mfl
  2⤵
  PID:1824
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\msi.mfl
  2⤵
  PID:292
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\mstsc.mfl
  2⤵
  PID:2508
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\mstscax.mfl
  2⤵
  PID:2972
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\ncprov.mfl
  2⤵
  PID:2012
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\ntevt.mfl
  2⤵
  PID:2836
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\OfflineFilesWmiProvider.mfl
  2⤵
  - Drops file in System32 directory
  PID:1644
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\OfflineFilesWmiProvider_Uninstall.mfl
  2⤵
  PID:1924
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\p2p-collab.mfl
  2⤵
  PID:1156
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\p2p-mesh.mfl
  2⤵
  PID:964
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\p2p-pnrp.mfl
  2⤵
  PID:1760
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\PolicMan.mfl
  2⤵
  - Drops file in System32 directory
  PID:1620
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\polproc.mfl
  2⤵
  PID:844
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\polprocl.mfl
  2⤵
  PID:676
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\polprou.mfl
  2⤵
  PID:1060
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\powermeterprovider.mfl
  2⤵
  PID:2016
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\powerpolicyprovider.mfl
  2⤵
  PID:3000
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\profileassociationprovider.mfl
  2⤵
  PID:1236
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\RacWmiProv.mfl
  2⤵
  PID:2804
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\rdpcore.mfl
  2⤵
  PID:1848
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\rdpencom.mfl
  2⤵
  PID:1752
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\rdpinit.mfl
  2⤵
  PID:1940
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\rdpshell.mfl
  2⤵
  PID:2672
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\regevent.mfl
  2⤵
  PID:540
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\rsop.mfl
  2⤵
  PID:2328
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\ScrCons.mfl
  2⤵
  PID:240
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\secrcw32.mfl
  2⤵
  PID:2456
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\sensorscpl.mfl
  2⤵
  PID:1220
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\ServiceModel.mfl
  2⤵
  PID:2024
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\ServiceModel35.mfl
  2⤵
  - Drops file in System32 directory
  PID:2704
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\smtpcons.mfl
  2⤵
  PID:2768
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\sppwmi.mfl
  2⤵
  PID:2648
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\sr.mfl
  2⤵
  PID:2472
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\subscrpt.mfl
  2⤵
  PID:2204
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\system.mfl
  2⤵
  PID:2496
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\tsallow.mfl
  2⤵
  PID:1960
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\tscfgwmi.mfl
  2⤵
  PID:1004
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\UserProfileWmiProvider.mfl
  2⤵
  PID:1604
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\vds.mfl
  2⤵
  PID:2240
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\vss.mfl
  2⤵
  PID:2320
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\WbemCons.mfl
  2⤵
  PID:1968
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\wcncsvc.mfl
  2⤵
  PID:1368
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\wfs.mfl
  2⤵
  PID:868
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\WgxInstalledGame.mfl
  2⤵
  PID:1712
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\whqlprov.mfl
  2⤵
  PID:764
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\win32_printer.mfl
  2⤵
  PID:2452
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\wininit.mfl
  2⤵
  PID:1996
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\winlogon.mfl
  2⤵
  PID:912
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\wmi.mfl
  2⤵
  PID:1836
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\wmipcima.mfl
  2⤵
  PID:2708
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\wmipdfs.mfl
  2⤵
  PID:1524
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\wmipdskq.mfl
  2⤵
  PID:1800
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\wmipicmp.mfl
  2⤵
  - Drops file in System32 directory
  PID:1584
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\wmipiprt.mfl
  2⤵
  - Drops file in System32 directory
  PID:1676
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\wmipjobj.mfl
  2⤵
  PID:2828
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\wmipsess.mfl
  2⤵
  PID:2176
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\wmitimep.mfl
  2⤵
  PID:1608
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\wmpnetwk.mfl
  2⤵
  PID:3012
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\wscenter.mfl
  2⤵
  PID:908
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\WUDFx.mfl
  2⤵
  PID:884
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\xwizards.mfl
  2⤵
  PID:548
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\aaclient.mfl
  2⤵
  PID:2268
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\auxiliarydisplaycpl.mfl
  2⤵
  PID:2160
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\cimdmtf.mfl
  2⤵
  PID:1964
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\cimwin32.mfl
  2⤵
  PID:2564
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\cli.mfl
  2⤵
  - Drops file in System32 directory
  PID:1904
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\cliegaliases.mfl
  2⤵
  PID:592
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\dsprov.mfl
  2⤵
  PID:2728
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\filetrace.mfl
  2⤵
  PID:1832
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\hbaapi.mfl
  2⤵
  PID:2348
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\interop.mfl
  2⤵
  PID:568
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\irmon.mfl
  2⤵
  PID:2068
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\iscsidsc.mfl
  2⤵
  PID:2044
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\iscsiprf.mfl
  2⤵
  PID:2276
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\krnlprov.mfl
  2⤵
  PID:1124
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\l2gpstore.mfl
  2⤵
  PID:3048
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\Microsoft-Windows-OfflineFiles.mfl
  2⤵
  PID:2836
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\msi.mfl
  2⤵
  - Drops file in System32 directory
  PID:1064
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\mstsc.mfl
  2⤵
  PID:2464
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\mstscax.mfl
  2⤵
  PID:2080
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\ncprov.mfl
  2⤵
  PID:2136
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\ntevt.mfl
  2⤵
  - Drops file in System32 directory
  PID:1620
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\OfflineFilesWmiProvider.mfl
  2⤵
  PID:912
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\OfflineFilesWmiProvider_Uninstall.mfl
  2⤵
  PID:1836
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\p2p-collab.mfl
  2⤵
  PID:2352
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\p2p-mesh.mfl
  2⤵
  PID:1248
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\p2p-pnrp.mfl
  2⤵
  PID:2832
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\PolicMan.mfl
  2⤵
  PID:3044
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\polproc.mfl
  2⤵
  PID:1744
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\polprocl.mfl
  2⤵
  - Drops file in System32 directory
  PID:972
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\polprou.mfl
  2⤵
  PID:2784
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\powermeterprovider.mfl
  2⤵
  PID:2828
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\powerpolicyprovider.mfl
  2⤵
  PID:2176
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\profileassociationprovider.mfl
  2⤵
  PID:1608
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\RacWmiProv.mfl
  2⤵
  PID:1772
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\rdpcore.mfl
  2⤵
  PID:1160
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\rdpencom.mfl
  2⤵
  PID:2288
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\rdpinit.mfl
  2⤵
  PID:2736
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\rdpshell.mfl
  2⤵
  - Drops file in System32 directory
  PID:2720
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\regevent.mfl
  2⤵
  PID:2884
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\rsop.mfl
  2⤵
  PID:2224
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\ScrCons.mfl
  2⤵
  PID:2840
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\secrcw32.mfl
  2⤵
  PID:2372
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\sensorscpl.mfl
  2⤵
  PID:1100
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\ServiceModel.mfl
  2⤵
  PID:2472
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\ServiceModel35.mfl
  2⤵
  PID:1692
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\smtpcons.mfl
  2⤵
  PID:1664
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\sppwmi.mfl
  2⤵
  PID:568
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\sr.mfl
  2⤵
  - Drops file in System32 directory
  PID:1972
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\subscrpt.mfl
  2⤵
  PID:2240
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\system.mfl
  2⤵
  PID:2256
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\tsallow.mfl
  2⤵
  - Drops file in System32 directory
  PID:1180
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\tscfgwmi.mfl
  2⤵
  - Drops file in System32 directory
  PID:1644
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\UserProfileWmiProvider.mfl
  2⤵
  PID:956
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\vds.mfl
  2⤵
  PID:1156
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\vss.mfl
  2⤵
  PID:2196
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\WbemCons.mfl
  2⤵
  PID:2644
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\wcncsvc.mfl
  2⤵
  PID:3004
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\wfs.mfl
  2⤵
  PID:2296
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\WgxInstalledGame.mfl
  2⤵
  PID:612
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\whqlprov.mfl
  2⤵
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\perfc007.dat

Filesize
141KB

MD5
04cfbb517f86f737a4cffd80310728ea

SHA1
f607e5e02dcd2b5c93a320b9b04f6b2fa9d8f904

SHA256
5baf0b3f557d94f7eb2c70dce6a9bcc5fd1dfb0bf21050ba7e50fa508ffe4680

SHA512
89bb6a23118a67f67854515c707d8202f031c89d932d1c99cddaa6edc901852ddd36f2a6c312feaae5a14f5285945bdddf40283f0745324492c97828714a059a

Download Submit
C:\Windows\System32\perfc00A.dat

Filesize
150KB

MD5
205ea85aa61f7cb93dd45ed733aad1b4

SHA1
39ee534f562b86d0a4a2dda8ff378c7ca34bb480

SHA256
6904a7e830b195a9db9f6f73f4d77fdd9d4de009d07b2e3739a844b328830482

SHA512
ea7285658288bc862cd3624cc9208b91708a93a4c20532bb7b74aef54f64bbb10765bea00abf21cc2a0290135eb3d38672ad69c9c4267e04cec9ffa616392319

Download Submit
C:\Windows\System32\perfc00C.dat

Filesize
141KB

MD5
6952af69761655c7f54fa038321f7e57

SHA1
91717e2b9dba46d6742c38550a2bedb0c75a1952

SHA256
d747b499573afbd3b9918e720a486c3bf40126caf84e60cbb3548a7d7977252e

SHA512
14e66bec7287b9ff3cfbdb26c45f391f7a65ec86f3a9efb0d36800e787056c19fe2df9985fc989f0a96f472aa4567d03649ef880207a65723250bfebf77eaa7b

Download Submit
C:\Windows\System32\perfc010.dat

Filesize
138KB

MD5
8f0a5ade4bc955fc90ca025345b779fe

SHA1
248f1b20858a8a84bcf8a40a5ef0782e49f0c3fd

SHA256
0a5029c7ac243bce9d1ee331a88367d291a555ac1789c2c306428c8f5567a686

SHA512
df4893353aaf3f66867ba21617c168be33bf20f8e32ca12d5c3466b207249d711c0440073d79e5fe69a419d46d712b5907fad10d70336392222c450b62e552c1

Download Submit
C:\Windows\System32\perfc011.dat

Filesize
114KB

MD5
eeeae10bd8cfba7c451e0766c32a30bf

SHA1
580d7e70f244c1214dd758c30e2aa78d31d877a8

SHA256
f83a19872ddaad6d76d2b2fb48bcd57e6ae2f112a30a31372f4e565734246514

SHA512
9d763cac4cee368aef9793bd1a83fc01bbc76d6d8a48077e026c9e037fff6ed729f9e62a7f6e6610ecbb64d0f3330f405eca8d0ad058450f3166f5161f51d1d6

Download Submit
C:\Windows\System32\perfh007.dat

Filesize
668KB

MD5
1d926bd664fd45bc465bf1a06de35677

SHA1
b2cb97d06020236f56ebe83a2ecec8a73f906f89

SHA256
b109e93167c6b73d70ba00708c3f99e755e95250c6ef8d9079990340fc413f35

SHA512
7108ac28fb303ec873c8df6941b0af3c743e7f7af5c561e0340456f79d9f3a2a958150dcc03fc93ff14642bad265fb842e37d4aaa8ed5e27789de7f74ca13e22

Download Submit
C:\Windows\System32\perfh009.dat

Filesize
634KB

MD5
6c046ba82df3783ba28fab7934a2bb8a

SHA1
e74fe3dc0e6e90c3011da23059967ae506117d77

SHA256
24c9b50b751602d17637e5ffa342f9c4ddc6c8ad12402af8050e540aeffad06b

SHA512
387962657a4a83a0cef0b846aaf253fcd18fb33263411cf39118b9de8fafe5a43003667a508c86ed11f6eb4e23a8c66715cd4712815709ae081cd47ff2bd5d15

Download Submit
C:\Windows\System32\perfh00A.dat

Filesize
715KB

MD5
26d511837f258f9be66f93facb9d8996

SHA1
a56c0105eb5b974c89a1c6310f1e687de7d93a77

SHA256
227964570f5ed7c11922dcb348f83c09b6747a334601319bf5a0432c10567555

SHA512
1f9c333acd523c677a54af414d5f4e9af871cd7173316819287e6ef7f0101c2f3ae78e44fd53f0f4bfe5a18c00dee725dc7534f7d9ccaf88f3215f0eaf59417e

Download Submit
C:\Windows\System32\perfh00C.dat

Filesize
715KB

MD5
f0844e3de771b9db4473aadc7083dcb0

SHA1
152c2a0eda54f7614610659e34c428c1a8e484e9

SHA256
49a38617ac3d189e7045f52af786a3589c8aeeff199d12fb21d7e1e3d73b5e3c

SHA512
65c11eb4d858c8488011023efc605f5a5d7ae8f54ac0f938604e4292ec10d43b5be0d29c04e8f797534ba30216aa2a4355465a7f560c143ebc34767c5b5eb363

Download Submit
C:\Windows\System32\perfh010.dat

Filesize
710KB

MD5
872605134c98dd5287e46cd57fce2b64

SHA1
d531a5254f96720d7457a24afa9b473ea3b7ece7

SHA256
303a12529946f63830beaadd0b747d1de63263fd55a5571baa6e4d079f148794

SHA512
42397c8b8a96ae5b19cecaf6e1dc9bb9851a3e0a362696fe115e4eb060e9ef2a6af5993bf75f60af8335174fa39c3abd112ca2d054bc135423bfbbf12e8d717a

Download Submit
C:\Windows\System32\perfh011.dat

Filesize
394KB

MD5
b0c81f960949f2caa2673c5df761bdcd

SHA1
1f5183a25ceac718cb75b90da124c7f3bb8e5b13

SHA256
8f6ef6dd0abbdf8c83379b1e8c66fd5012077d28d9a620d440c77534ce5efc53

SHA512
6c685900c0339ebed90764fa052d1a4e59dc332c0a524ce6f36f92bf918bb9dcdcd38ddf2ed51f3e8baa89f824649086ec55df231504f9f51ed1f095160769ab

Download Submit
C:\Windows\System32\wbem\Performance\WmiApRpl.h

Filesize
435B

MD5
1cc4c3b9bb1657be77939f0b565e315d

SHA1
6a7ff123e96da6f7fb0fd9b7d7600bfc3540ee25

SHA256
9eb3cbb0f65809845890159efdab0ff5a910da34252e7d5cff2929cc2fa6ab6a

SHA512
fd461013902cf1f89485efc1cbdd07bc294253a1b60d9950e27cdb12937cbb39e3491ddb5dfdc4386df87fa44ee4ca9b3be01d7048850337ff9d68156eea78ef

Download Submit
C:\Windows\System32\wbem\Performance\WmiApRpl.ini

Filesize
1KB

MD5
a656a56b1fda4aa28383160ba6ebea3b

SHA1
bda09bb6f5f28f5470147113e93d46a02853dfe1

SHA256
639cf8acd1fe25a19b9841c9262b4227fcc33bb6658919d31b10ab849253b318

SHA512
fbc74c738bbebb6265688ebec7a6bce18f5a59e98a5417701e5565d5c6e1f8c350da000005fc7441f8a4622043d4a8fd62efe54308cfa59f4ce9ed027dadebae

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads