cerber | 4ee85019c1ae4d1abf8ea1908f635339d0a4af88ba185dc30e1104e68c7c902e

Analysis

max time kernel
736s
max time network
719s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cleaners.zip
Size

4.3MB
MD5

89daae512bcf605f191336ef8a461b75
SHA1

747f3997bf80e6083c2a4a8032262c440ae4de8d
SHA256

4ee85019c1ae4d1abf8ea1908f635339d0a4af88ba185dc30e1104e68c7c902e
SHA512

7c280cb9a325311a1e8b575bcb99a26590db2435633a78da3383d177f4c93d1744d842e8c792b921d80aef7305b58fa83f5caa784466d9393d15024827611ed7
SSDEEP

98304:/Bk7AtkbjSTuW+wI9a7OCq4MrdN0wIvQxk5XxeJMWrd6B9JO:JRW2ar4X/MP0tvOR5SPO

Score

10^/10

cerber evasion execution persistence privilege_escalation ransomware spyware stealer themida

Malware Config

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Winmgmt\Parameters\ServiceDll = "%SystemRoot%\\system32\\wbem\\WMIsvc.dll"	regsvr32.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 5 IoCs

pid	Process
4444	Spoofer.exe
1588	CupFixerx64.exe
4620	CupFixerx32.EXE
5012	CupFixerx64.exe
4424	CupFixerx32.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000700000001dac8-9385.dat	themida

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\system32\wbem\AutoRecover\0720D9FC0F3CE94CCD335F8433026C89.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\1DC2C95229D95D90A3805FA9F06B41C2.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\2C9C1984F2B70D09B7AB9DBCD2C5DFA3.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\85374C59A58BC4DD6EE11E38AF4AC4EC.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\5C7610DB4A9C098F3962CAAD6BA8E4D8.mof	Process not Found
File opened for modification	C:\Windows\system32\wbem\AutoRecover\AFD8B7D322EE2A1CB2BAF41EC0ADF626.mof	Process not Found
File opened for modification	C:\Windows\system32\wbem\AutoRecover\568257F0F7CB54EB479EA5E39A4ACD57.mof	Process not Found
File opened for modification	C:\Windows\system32\wbem\AutoRecover\6CC07C0289722A5549B9C30F76C249FF.mof	Process not Found
File created	C:\Windows\system32\wbem\AutoRecover\67370BADC943F6B7B1B4F439836513A4.mof	Process not Found
File opened for modification	C:\Windows\system32\wbem\AutoRecover\AA69B9C8BBEB509BBB296FEDD7B5ED23.mof	Process not Found
File created	C:\Windows\system32\wbem\AutoRecover\C9824ADC136E4798F4F76A6D48117DA8.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\5EC0A7251343D4B7BEC3433678C05FBD.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\DB3146B20DA7C2E4A0823DDFDC608499.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\DB54C5562A50379EFADA86F9B3861ABC.mof	Process not Found
File created	C:\Windows\system32\wbem\AutoRecover\15CB6E2BC4C7288B6A26F06F2EA3EBAA.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\1348239330EA577EA6772675FA01A277.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\73A48AD552FEB3426659A2CA5F04DD56.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\EAE731B1CFFF749C3A1B72EF0CEC7C59.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\B4D19FC244B76FAB409A3E64E4631B5A.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\2917088B74A4F3A42391D9615CE677B6.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\35BB8CAA7877397A4B61EC9571EB8D58.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\D0970F055BBA0661C7AC91B7E8C24CA3.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\4BAA6C97BAFFF89E4766A6C005936213.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\3B72DD6E3EC71817FF6A001F937A7FBD.mof	Process not Found
File created	C:\Windows\system32\wbem\AutoRecover\C3CA0FC7DA1F7810A080F401E0C9D111.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\5662B680A2DE579FC7CEAEE7AFF02255.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\49570CF88DED3D22D2855A44F0FD36EC.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\BD557D61619F268BDCEA21C2BDB91514.mof	Process not Found
File opened for modification	C:\Windows\system32\wbem\AutoRecover\25CE4D0A477A7A536B1F5C9965A6C9E4.mof	Process not Found
File opened for modification	C:\Windows\system32\wbem\AutoRecover\9476FC534A628F39C9E25CA2F2B7B45E.mof	Process not Found
File created	C:\Windows\system32\wbem\AutoRecover\335BFF0143AA9C8773F43BCD8341BC65.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\1641F982282E8CA70B0D93F1F2BB145B.mof	Process not Found
File created	C:\Windows\system32\wbem\AutoRecover\60B27498E9CF2F77D7B3B07ECEAC41BA.mof	Process not Found
File created	C:\Windows\system32\wbem\AutoRecover\03DE10D374EFFB94AB99BF6CE6A8238D.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\12233E25C50AF3A2E910EC7C056C6EDB.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\1099FEEE138E2E31F814A055BBBFE886.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\F57B1568690BC96B837BB77BDC299C92.mof	Process not Found
File created	C:\Windows\system32\wbem\AutoRecover\2481BD368BB01085863E70D5441806EB.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\0A7CF62821E141ADACC0C287DDD01839.mof	Process not Found
File opened for modification	C:\Windows\system32\wbem\AutoRecover\3D93BA5591BD981C5D5D6E2BEFACAA50.mof	Process not Found
File opened for modification	C:\Windows\system32\wbem\AutoRecover\06DEE93B2013BBE13958B3FA0D45AEB5.mof	Process not Found
File created	C:\Windows\system32\wbem\AutoRecover\F8E338E33AC9A128161D8776F540DE3F.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\186BE2C4D6E28AC17ACEC4D7E0AE954A.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\7A4CB0AABC494B5EF617433CD14FFE40.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\A0DE0DD786E0E9020C3DFD7004E42694.mof	Process not Found
File created	C:\Windows\system32\wbem\AutoRecover\9609E7F8420C3D72112ABDD53C1C4F6A.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\86AD2F7FA2D484F977B368469AD09098.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\8C718B5AFD373885B68D2836088CAF9A.mof	Process not Found
File created	C:\Windows\system32\wbem\AutoRecover\05C3A1B4103106E2A6595CB64A18450B.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\5D30F5D5A8D8609DF304FE058934E6DD.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\61EE6F125EE84F973323047E63234C4B.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\A0925B7CAE67304DB8A7D8B009B810D1.mof	Process not Found
File opened for modification	C:\Windows\system32\wbem\AutoRecover\39C2F82384C755EF218F0F19FE619F80.mof	Process not Found
File created	C:\Windows\system32\wbem\AutoRecover\678BF84C9AFA9DDD4DD5C98EE9AA5AB0.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\8BF0E140F8F40D230143B569A1BAE507.mof	Process not Found
File opened for modification	C:\Windows\system32\wbem\AutoRecover\3F78FC5E2CC6CFD8720C796D34A544F7.mof	Process not Found
File created	C:\Windows\system32\wbem\AutoRecover\7291B3778FC5B202D807DDCFC6FF3AD5.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\6032686C573E67C19FEC6BD39BFF4F49.mof	Process not Found
File opened for modification	C:\Windows\system32\wbem\AutoRecover\D7B94FF620323D536A3B99CCAA6B78DA.mof	Process not Found
File created	C:\Windows\system32\wbem\AutoRecover\F5CDD48A01B87D4CA42A123F9669B689.mof	Process not Found
File created	C:\Windows\system32\wbem\AutoRecover\18BDF5545DA4DA075E608B608094BD1E.mof	Process not Found
File opened for modification	C:\Windows\system32\wbem\AutoRecover\0471EE6D56711CCAFEBCF01C57F9159A.mof	Process not Found
File opened for modification	C:\Windows\system32\wbem\AutoRecover\37846654B2AF369ED3D0A3637E941D9B.mof	Process not Found
File created	C:\Windows\system32\wbem\AutoRecover\37E6D5BCA82C4A6E42A5411612538CD4.mof	mofcomp.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.h	regsvr32.exe
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.h	regsvr32.exe
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	regsvr32.exe
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	regsvr32.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4352	sc.exe
3012	sc.exe
1112	sc.exe
3272	sc.exe
2020	sc.exe
1244	sc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Process not Found

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found

Kills process with taskkill 13 IoCs

evasion

pid	Process
1332	taskkill.exe
1972	taskkill.exe
4432	taskkill.exe
396	taskkill.exe
2280	taskkill.exe
528	taskkill.exe
4648	taskkill.exe
4264	taskkill.exe
404	taskkill.exe
3040	taskkill.exe
2680	taskkill.exe
3476	taskkill.exe
2380	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1EF94880-01A8-11D2-A90B-00AA00BF3363}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7E9D3B9-E62B-4A90-8CC5-A3C5F662DA7B}\InprocServer32	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D215781D-019E-4FA0-903D-0CDCDE13A4F5}\AccessPermission = 010004804800000054000000000000001400000002003400020000000100180001000000010200000000000520000000210200000000140001000000010100000000000512000000010100000000000512000000010100000000000512000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED999FF5-223A-4052-8ECE-0B10C8DBAA39}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemNamedValueSet.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F0E4EDDE-475A-498A-93D7-D4347F68A8F3}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JobObjSecLimitInfoProv.JobObjSecLimitInfoProv\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{04788120-12C2-498D-83C1-A7D92E677AC6}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9AED384E-CE8B-11D1-8B05-00600806D9B6}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B1B55910-8BA0-47A5-A16E-2B733B1D987C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JobObjLimitInfoProv.JobObjLimitInfoProv\CurVer\ = "JobObjLimitInfoProv.JobObjLimitInfoProv.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F55C5B4C-517D-11D1-AB57-00C04FD9159E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F55C5B4C-517D-11D1-AB57-00C04FD9159E}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5791BC26-CE9C-11D1-97BF-0000F81E849C}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{AA527A40-4D9A-11D2-93AD-00805F853771}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31739D04-3471-4CF4-9A7C-57A44AE71956}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{7F72CC7A-74A0-45B4-909C-14FB8186DD7E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{F00B4404-F8F1-11CE-A5B6-00AA00680C3F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D269BF5C-D9C1-11D3-B38F-00105A1F473A}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\winmgmt	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7E9D3B9-E62B-4A90-8CC5-A3C5F662DA7B}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{75718C9A-F029-11D1-A1AC-00C04FB6C223}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A0DC377-A9D3-41CB-BD69-AE1FDAF2DC68}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AB40A5C1-804B-40BD-9DFE-A640691C6956}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemLocator\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemObjectPath.1\ = "WBEM Scripting Object Path 1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Interface	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{755F9DA6-7508-11D1-AD94-00C04FD8FDFF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WbemScripting.SWbemObjectPath.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WbemScripting.SWbemDateTime.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6515834D-6125-4878-A3A3-6B0A73B809A2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Krnlprov.KernelTraceProvider\CurVer\ = "Krnlprov.KernelTraceProvider.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{55F7B88D-A254-4B22-B7BB-FCDBBA1AFA32}\ = "UserConfigurationProvider Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F6C78EF-FCE5-42FA-ABEA-3E7DF91921DC}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{6D7A4B0E-66D5-4AC3-A7ED-0189E8CF5E77}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6B100E1A-1385-4D1F-A02E-6E705A76BB6C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266C72E5-62E8-11D1-AD89-00C04FD8FDFF}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{631F7D96-D993-11D2-B339-00105A1F4AAF}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{35B78F79-B973-48C8-A045-CAEC732A35D5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0C0B0642-1DEB-43DF-8032-7A9BF5811A74}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1B9E04A-3226-11D2-883E-00104B2AFB46}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C2FEEEAC-CFCD-11D1-8B05-00600806D9B6}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemRefresher\CurVer\ = "WbemScripting.SWbemRefresher.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{88F3781C-6902-4647-9A6B-A74F450AF861}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCF7A6F2-3300-4386-9A4F-0DD4E3226507}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JobObjLimitInfoProv.JobObjLimitInfoProv.1\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EC231970-6AFD-4215-A72E-97242BB08680}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A359DEC5-E813-4834-8A2A-BA7F1D777D76}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60E512D4-C47B-11D2-B338-00105A1F4AAF}\ProxyStubClsid32	regsvr32.exe

Modifies registry key 1 TTPs 29 IoCs

Modify Registry

T1112

pid	Process
2432	Process not Found
4628	Process not Found
5068	Process not Found
4208	Process not Found
3224	Process not Found
3488	Process not Found
4012	Process not Found
4992	Process not Found
4232	Process not Found
4128	Process not Found
4620	Process not Found
4884	Process not Found
2836	Process not Found
2448	Process not Found
5052	Process not Found
2244	Process not Found
5076	Process not Found
2332	Process not Found
4900	Process not Found
3776	Process not Found
1460	Process not Found
3040	Process not Found
1808	Process not Found
4988	Process not Found
2640	Process not Found
2536	Process not Found
1648	Process not Found
4132	Process not Found
2396	Process not Found

Runs net.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4924	7zG.exe
Token: 35	4924	7zG.exe
Token: SeSecurityPrivilege	4924	7zG.exe
Token: SeSecurityPrivilege	4924	7zG.exe
Token: SeDebugPrivilege	3476	taskkill.exe
Token: SeDebugPrivilege	396	taskkill.exe
Token: SeDebugPrivilege	2380	taskkill.exe
Token: SeDebugPrivilege	2280	taskkill.exe
Token: SeDebugPrivilege	1972	taskkill.exe
Token: SeDebugPrivilege	4264	taskkill.exe
Token: SeDebugPrivilege	404	taskkill.exe
Token: SeDebugPrivilege	3040	taskkill.exe
Token: SeDebugPrivilege	528	taskkill.exe
Token: SeDebugPrivilege	2680	taskkill.exe
Token: SeDebugPrivilege	4432	taskkill.exe
Token: SeDebugPrivilege	4648	taskkill.exe
Token: SeDebugPrivilege	1332	taskkill.exe
Token: SeSecurityPrivilege	3444	mofcomp.exe
Token: SeAssignPrimaryTokenPrivilege	2324	svchost.exe
Token: SeIncreaseQuotaPrivilege	2324	svchost.exe
Token: SeSecurityPrivilege	2324	svchost.exe
Token: SeTakeOwnershipPrivilege	2324	svchost.exe
Token: SeLoadDriverPrivilege	2324	svchost.exe
Token: SeSystemtimePrivilege	2324	svchost.exe
Token: SeBackupPrivilege	2324	svchost.exe
Token: SeRestorePrivilege	2324	svchost.exe
Token: SeShutdownPrivilege	2324	svchost.exe
Token: SeSystemEnvironmentPrivilege	2324	svchost.exe
Token: SeUndockPrivilege	2324	svchost.exe
Token: SeManageVolumePrivilege	2324	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2324	svchost.exe
Token: SeIncreaseQuotaPrivilege	2324	svchost.exe
Token: SeSecurityPrivilege	2324	svchost.exe
Token: SeTakeOwnershipPrivilege	2324	svchost.exe
Token: SeLoadDriverPrivilege	2324	svchost.exe
Token: SeSystemtimePrivilege	2324	svchost.exe
Token: SeBackupPrivilege	2324	svchost.exe
Token: SeRestorePrivilege	2324	svchost.exe
Token: SeShutdownPrivilege	2324	svchost.exe
Token: SeSystemEnvironmentPrivilege	2324	svchost.exe
Token: SeUndockPrivilege	2324	svchost.exe
Token: SeManageVolumePrivilege	2324	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2324	svchost.exe
Token: SeIncreaseQuotaPrivilege	2324	svchost.exe
Token: SeSecurityPrivilege	2324	svchost.exe
Token: SeTakeOwnershipPrivilege	2324	svchost.exe
Token: SeLoadDriverPrivilege	2324	svchost.exe
Token: SeSystemtimePrivilege	2324	svchost.exe
Token: SeBackupPrivilege	2324	svchost.exe
Token: SeRestorePrivilege	2324	svchost.exe
Token: SeShutdownPrivilege	2324	svchost.exe
Token: SeSystemEnvironmentPrivilege	2324	svchost.exe
Token: SeUndockPrivilege	2324	svchost.exe
Token: SeManageVolumePrivilege	2324	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2324	svchost.exe
Token: SeIncreaseQuotaPrivilege	2324	svchost.exe
Token: SeSecurityPrivilege	2324	svchost.exe
Token: SeTakeOwnershipPrivilege	2324	svchost.exe
Token: SeLoadDriverPrivilege	2324	svchost.exe
Token: SeSystemtimePrivilege	2324	svchost.exe
Token: SeBackupPrivilege	2324	svchost.exe
Token: SeRestorePrivilege	2324	svchost.exe
Token: SeShutdownPrivilege	2324	svchost.exe
Token: SeSystemEnvironmentPrivilege	2324	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4924	7zG.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 1588	4444	Spoofer.exe	98
PID 4444 wrote to memory of 1588	4444	Spoofer.exe	98
PID 4444 wrote to memory of 4620	4444	Spoofer.exe	99
PID 4444 wrote to memory of 4620	4444	Spoofer.exe	99
PID 4444 wrote to memory of 5012	4444	Spoofer.exe	100
PID 4444 wrote to memory of 5012	4444	Spoofer.exe	100
PID 4444 wrote to memory of 4424	4444	Spoofer.exe	101
PID 4444 wrote to memory of 4424	4444	Spoofer.exe	101
PID 4444 wrote to memory of 2672	4444	Spoofer.exe	102
PID 4444 wrote to memory of 2672	4444	Spoofer.exe	102
PID 4444 wrote to memory of 4032	4444	Spoofer.exe	103
PID 4444 wrote to memory of 4032	4444	Spoofer.exe	103
PID 4032 wrote to memory of 2200	4032	cmd.exe	104
PID 4032 wrote to memory of 2200	4032	cmd.exe	104
PID 4032 wrote to memory of 3476	4032	cmd.exe	105
PID 4032 wrote to memory of 3476	4032	cmd.exe	105
PID 4032 wrote to memory of 396	4032	cmd.exe	107
PID 4032 wrote to memory of 396	4032	cmd.exe	107
PID 4032 wrote to memory of 2380	4032	cmd.exe	108
PID 4032 wrote to memory of 2380	4032	cmd.exe	108
PID 4032 wrote to memory of 2280	4032	cmd.exe	109
PID 4032 wrote to memory of 2280	4032	cmd.exe	109
PID 4032 wrote to memory of 1972	4032	cmd.exe	110
PID 4032 wrote to memory of 1972	4032	cmd.exe	110
PID 4032 wrote to memory of 4264	4032	cmd.exe	111
PID 4032 wrote to memory of 4264	4032	cmd.exe	111
PID 4032 wrote to memory of 404	4032	cmd.exe	112
PID 4032 wrote to memory of 404	4032	cmd.exe	112
PID 4032 wrote to memory of 3040	4032	cmd.exe	113
PID 4032 wrote to memory of 3040	4032	cmd.exe	113
PID 4032 wrote to memory of 528	4032	cmd.exe	114
PID 4032 wrote to memory of 528	4032	cmd.exe	114
PID 4032 wrote to memory of 2680	4032	cmd.exe	115
PID 4032 wrote to memory of 2680	4032	cmd.exe	115
PID 4032 wrote to memory of 4432	4032	cmd.exe	116
PID 4032 wrote to memory of 4432	4032	cmd.exe	116
PID 4032 wrote to memory of 4648	4032	cmd.exe	117
PID 4032 wrote to memory of 4648	4032	cmd.exe	117
PID 4032 wrote to memory of 1332	4032	cmd.exe	118
PID 4032 wrote to memory of 1332	4032	cmd.exe	118
PID 4032 wrote to memory of 3012	4032	cmd.exe	119
PID 4032 wrote to memory of 3012	4032	cmd.exe	119
PID 4032 wrote to memory of 1112	4032	cmd.exe	120
PID 4032 wrote to memory of 1112	4032	cmd.exe	120
PID 4032 wrote to memory of 3272	4032	cmd.exe	121
PID 4032 wrote to memory of 3272	4032	cmd.exe	121
PID 4032 wrote to memory of 1244	4032	cmd.exe	122
PID 4032 wrote to memory of 1244	4032	cmd.exe	122
PID 4032 wrote to memory of 2020	4032	cmd.exe	123
PID 4032 wrote to memory of 2020	4032	cmd.exe	123
PID 4032 wrote to memory of 2012	4032	cmd.exe	124
PID 4032 wrote to memory of 2012	4032	cmd.exe	124
PID 2012 wrote to memory of 4584	2012	net.exe	125
PID 2012 wrote to memory of 4584	2012	net.exe	125
PID 4032 wrote to memory of 1184	4032	cmd.exe	126
PID 4032 wrote to memory of 1184	4032	cmd.exe	126
PID 4032 wrote to memory of 2516	4032	cmd.exe	127
PID 4032 wrote to memory of 2516	4032	cmd.exe	127
PID 4032 wrote to memory of 2800	4032	cmd.exe	128
PID 4032 wrote to memory of 2800	4032	cmd.exe	128
PID 4032 wrote to memory of 4932	4032	cmd.exe	129
PID 4032 wrote to memory of 4932	4032	cmd.exe	129
PID 4032 wrote to memory of 2204	4032	cmd.exe	130
PID 4032 wrote to memory of 2204	4032	cmd.exe	130

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\cleaners.zip
1⤵
PID:1376

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5036

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\cleaners\" -spe -an -ai#7zMap3581:96:7zEvent25019
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4924

C:\Users\Admin\AppData\Local\Temp\cleaners\Spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\cleaners\Spoofer.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Users\Admin\AppData\Local\Temp\cleaners\spoofers\CupFixerx64.exe
  C:\Users\Admin\AppData\Local\Temp\cleaners\spoofers\CupFixerx64.exe C:\Users\Admin\AppData\Local\Temp\cleaners\spoofers\CupFixerx64.sys
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Users\Admin\AppData\Local\Temp\cleaners\spoofers\CupFixerx32.EXE
  C:\Users\Admin\AppData\Local\Temp\cleaners\spoofers\CupFixerx32.EXE C:\Users\Admin\AppData\Local\Temp\cleaners\spoofers\CupFixerx64.sys
  2⤵
  - Executes dropped EXE
  PID:4620
- C:\Users\Admin\AppData\Local\Temp\cleaners\spoofers\CupFixerx64.exe
  C:\Users\Admin\AppData\Local\Temp\cleaners\spoofers\CupFixerx64.exe C:\Users\Admin\AppData\Local\Temp\cleaners\spoofers\gsoftgmx64.sys
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Users\Admin\AppData\Local\Temp\cleaners\spoofers\CupFixerx32.EXE
  C:\Users\Admin\AppData\Local\Temp\cleaners\spoofers\CupFixerx32.EXE C:\Users\Admin\AppData\Local\Temp\cleaners\spoofers\gsoftgmx64.sys
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cleaners\cleaners\cleaner.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4032
- - C:\Windows\system32\cacls.exe
    "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
    3⤵
    PID:2200
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im epicgameslauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3476
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:396
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2380
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2280
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OneDrive.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1972
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4264
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:404
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im UnrealCEFSubProcess.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3040
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im CEFProcess.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:528
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EasyAntiCheat.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2680
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im BEService.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4432
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im BEServices.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4648
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im BattleEye.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1332
- - C:\Windows\system32\sc.exe
    Sc stop EasyAntiCheat
    3⤵
    - Launches sc.exe
    PID:3012
- - C:\Windows\system32\sc.exe
    Sc stop FortniteClient-Win64-Shipping_EAC
    3⤵
    - Launches sc.exe
    PID:1112
- - C:\Windows\system32\sc.exe
    Sc stop BattleEye
    3⤵
    - Launches sc.exe
    PID:3272
- - C:\Windows\system32\sc.exe
    Sc stop FortniteClient-Win64-Shipping_BE
    3⤵
    - Launches sc.exe
    PID:1244
- - C:\Windows\system32\sc.exe
    sc config winmgmt start= disabled
    3⤵
    - Launches sc.exe
    PID:2020
- - C:\Windows\system32\net.exe
    net stop winmgmt /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop winmgmt /y
      4⤵
      PID:4584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b *.dll
    3⤵
    PID:1184
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s appbackgroundtask.dll
    3⤵
    PID:2516
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s cimwin32.dll
    3⤵
    PID:2800
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s DMWmiBridgeProv.dll
    3⤵
    PID:4932
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s DMWmiBridgeProv1.dll
    3⤵
    PID:2204
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s dnsclientcim.dll
    3⤵
    PID:4440
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s dnsclientpsprovider.dll
    3⤵
    PID:4860
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s Dscpspluginwkr.dll
    3⤵
    PID:2076
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s dsprov.dll
    3⤵
    - Modifies registry class
    PID:5036
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s EmbeddedLockdownWmi.dll
    3⤵
    PID:4040
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s esscli.dll
    3⤵
    PID:4232
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s EventTracingManagement.dll
    3⤵
    PID:5084
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s fastprox.dll
    3⤵
    - Modifies registry class
    PID:2396
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s ipmiprr.dll
    3⤵
    PID:2804
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s ipmiprv.dll
    3⤵
    - Modifies registry class
    PID:3716
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s KrnlProv.dll
    3⤵
    - Modifies registry class
    PID:3108
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s MDMAppProv.dll
    3⤵
    PID:3936
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s MDMSettingsProv.dll
    3⤵
    PID:4260
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s Microsoft.AppV.AppVClientWmi.dll
    3⤵
    PID:4088
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s Microsoft.Uev.AgentWmi.dll
    3⤵
    - Modifies registry class
    PID:4396
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s MMFUtil.dll
    3⤵
    PID:3184
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s mofd.dll
    3⤵
    - Modifies registry class
    PID:3856
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s mofinstall.dll
    3⤵
    PID:1596
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s msdtcwmi.dll
    3⤵
    PID:1204
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s msiprov.dll
    3⤵
    PID:3352
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s NCProv.dll
    3⤵
    PID:4560
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s ndisimplatcim.dll
    3⤵
    PID:5016
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s NetAdapterCim.dll
    3⤵
    PID:3736
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s netdacim.dll
    3⤵
    PID:4924
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s NetEventPacketCapture.dll
    3⤵
    PID:4352
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s netnccim.dll
    3⤵
    PID:2432
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s NetPeerDistCim.dll
    3⤵
    PID:1664
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s netswitchteamcim.dll
    3⤵
    PID:4100
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s NetTCPIP.dll
    3⤵
    PID:4788
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s netttcim.dll
    3⤵
    PID:4256
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s nlmcim.dll
    3⤵
    PID:1584
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s ntevt.dll
    3⤵
    - Modifies registry class
    PID:4844
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s PolicMan.dll
    3⤵
    PID:4524
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s PrintManagementProvider.dll
    3⤵
    PID:4668
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s qoswmi.dll
    3⤵
    PID:4852
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s RacWmiProv.dll
    3⤵
    PID:3512
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s repdrvfs.dll
    3⤵
    PID:1200
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s schedprov.dll
    3⤵
    PID:3984
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s ServDeps.dll
    3⤵
    - Modifies registry class
    PID:1588
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s SMTPCons.dll
    3⤵
    PID:4448
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s stdprov.dll
    3⤵
    - Modifies registry class
    PID:4596
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s vdswmi.dll
    3⤵
    PID:1640
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s viewprov.dll
    3⤵
    PID:2956
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s vpnclientpsprovider.dll
    3⤵
    PID:2200
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s vsswmi.dll
    3⤵
    PID:2184
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s wbemcntl.dll
    3⤵
    PID:3300
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s wbemcons.dll
    3⤵
    - Modifies registry class
    PID:5024
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s wbemcore.dll
    3⤵
    - Modifies registry class
    PID:396
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s wbemdisp.dll
    3⤵
    - Modifies registry class
    PID:4652
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s wbemess.dll
    3⤵
    PID:2380
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s wbemprox.dll
    3⤵
    - Modifies registry class
    PID:1496
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s wbemsvc.dll
    3⤵
    - Modifies registry class
    PID:2896
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s WdacWmiProv.dll
    3⤵
    PID:2536
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s wfascim.dll
    3⤵
    PID:544
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s Win32_EncryptableVolume.dll
    3⤵
    PID:1860
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s Win32_Tpm.dll
    3⤵
    PID:2976
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s WinMgmtR.dll
    3⤵
    PID:404
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s WmiApRes.dll
    3⤵
    PID:1276
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s WmiApRpl.dll
    3⤵
    - Drops file in Windows directory
    PID:3040
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s WMICOOKR.dll
    3⤵
    PID:2108
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s WmiDcPrv.dll
    3⤵
    PID:2656
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s wmipcima.dll
    3⤵
    - Modifies registry class
    PID:2544
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s wmipdfs.dll
    3⤵
    - Modifies registry class
    PID:1052
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s wmipdskq.dll
    3⤵
    PID:3000
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s WmiPerfClass.dll
    3⤵
    - Modifies registry class
    PID:4360
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s WmiPerfInst.dll
    3⤵
    - Modifies registry class
    PID:4260
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s WMIPICMP.dll
    3⤵
    PID:4152
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s WMIPIPRT.dll
    3⤵
    - Modifies registry class
    PID:888
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s WMIPJOBJ.dll
    3⤵
    - Modifies registry class
    PID:4220
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s wmiprov.dll
    3⤵
    - Modifies registry class
    PID:3304
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s WmiPrvSD.dll
    3⤵
    PID:2156
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s WMIPSESS.dll
    3⤵
    PID:1204
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s WMIsvc.dll
    3⤵
    - Server Software Component: Terminal Services DLL
    - Modifies registry class
    PID:4980
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s wmitimep.dll
    3⤵
    PID:2424
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s wmiutils.dll
    3⤵
    - Modifies registry class
    PID:2256
- - C:\Windows\System32\wbem\WmiPrvSE.exe
    wmiprvse /regserver
    3⤵
    PID:2384
- - C:\Windows\System32\wbem\WinMgmt.exe
    winmgmt /regserver
    3⤵
    PID:4888
- - C:\Windows\system32\sc.exe
    sc config winmgmt start= auto
    3⤵
    - Launches sc.exe
    PID:4352
- - C:\Windows\system32\net.exe
    net start winmgmt
    3⤵
    PID:1128
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start winmgmt
      4⤵
      PID:4532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /s /b *.mof *.mfl
    3⤵
    PID:768
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\aeinv.mof
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3444
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AgentWmi.mof
    3⤵
    PID:1160
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AgentWmiUninstall.mof
    3⤵
    PID:1572
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\appbackgroundtask.mof
    3⤵
    PID:2140
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\appbackgroundtask_uninstall.mof
    3⤵
    PID:2724
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AuditRsop.mof
    3⤵
    PID:3996
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\authfwcfg.mof
    3⤵
    PID:4356
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\bcd.mof
    3⤵
    PID:2500
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\BthMtpEnum.mof
    3⤵
    PID:2336
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\cimdmtf.mof
    3⤵
    PID:4644
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\cimwin32.mof
    3⤵
    PID:392
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\CIWmi.mof
    3⤵
    PID:1244
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\classlog.mof
    3⤵
    PID:3392
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\cli.mof
    3⤵
    PID:1172
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\cliegaliases.mof
    3⤵
    PID:1488
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\ddp.mof
    3⤵
    PID:4584
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\dimsjob.mof
    3⤵
    PID:4452
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\dimsroam.mof
    3⤵
    PID:1412
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv.mof
    3⤵
    PID:4052
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv1.mof
    3⤵
    PID:2548
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv1_Uninstall.mof
    3⤵
    PID:2220
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv_Uninstall.mof
    3⤵
    PID:3732
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\dnsclientcim.mof
    3⤵
    PID:3000
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\dnsclientpsprovider.mof
    3⤵
    PID:4152
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\dnsclientpsprovider_Uninstall.mof
    3⤵
    PID:244
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\drvinst.mof
    3⤵
    PID:180
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\DscCore.mof
    3⤵
    PID:3608
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\DscCoreConfProv.mof
    3⤵
    PID:4888
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\dscproxy.mof
    3⤵
    PID:1864
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\DscTimer.mof
    3⤵
    PID:1404
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\dsprov.mof
    3⤵
    PID:1160
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\eaimeapi.mof
    3⤵
    PID:4312
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\embeddedlockdownwmi.mof
    3⤵
    PID:3192
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\embeddedlockdownwmi_Uninstall.mof
    3⤵
    PID:3504
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\EventTracingManagement.mof
    3⤵
    PID:2380
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\fdPHost.mof
    3⤵
    PID:2536
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\fdrespub.mof
    3⤵
    PID:3832
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\fdSSDP.mof
    3⤵
    PID:3708
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\fdWNet.mof
    3⤵
    PID:3796
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\fdWSD.mof
    3⤵
    PID:5000
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\filetrace.mof
    3⤵
    PID:4600
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\firewallapi.mof
    3⤵
    PID:3152
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\FolderRedirectionWMIProvider.mof
    3⤵
    PID:4464
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\FunDisc.mof
    3⤵
    PID:1556
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\fwcfg.mof
    3⤵
    PID:3584
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\hbaapi.mof
    3⤵
    PID:2480
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\hnetcfg.mof
    3⤵
    PID:3596
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\IMAPIv2-Base.mof
    3⤵
    PID:2356
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\IMAPIv2-FileSystemSupport.mof
    3⤵
    PID:4232
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\IMAPIv2-LegacyShim.mof
    3⤵
    PID:2656
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\interop.mof
    3⤵
    PID:1052
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\IpmiDTrc.mof
    3⤵
    PID:4816
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\ipmiprv.mof
    3⤵
    PID:1444
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\IpmiPTrc.mof
    3⤵
    PID:4560
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\ipsecsvc.mof
    3⤵
    PID:3736
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\iscsidsc.mof
    3⤵
    PID:1128
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\iscsihba.mof
    3⤵
    PID:4380
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\iscsiprf.mof
    3⤵
    PID:4496
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\iscsirem.mof
    3⤵
    PID:4208
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\iscsiwmiv2.mof
    3⤵
    PID:4116
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\iscsiwmiv2_uninstall.mof
    3⤵
    PID:1572
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\kerberos.mof
    3⤵
    PID:4300
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\krnlprov.mof
    3⤵
    PID:4996
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\L2SecHC.mof
    3⤵
    PID:2716
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\lltdio.mof
    3⤵
    PID:544
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\lltdsvc.mof
    3⤵
    PID:1688
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\lsasrv.mof
    3⤵
    PID:1836
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\mblctr.mof
    3⤵
    PID:460
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\MDMAppProv.mof
    3⤵
    PID:5020
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\MDMAppProv_Uninstall.mof
    3⤵
    PID:2020
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\MDMSettingsProv.mof
    3⤵
    PID:2996
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\MDMSettingsProv_Uninstall.mof
    3⤵
    PID:1992
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\Microsoft-Windows-OfflineFiles.mof
    3⤵
    PID:3080
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\Microsoft-Windows-Remote-FileSystem.mof
    3⤵
    PID:2516
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi.mof
    3⤵
    PID:4584
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\Microsoft.Uev.ManagedAgentWmi.mof
    3⤵
    PID:2204
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\Microsoft.Uev.ManagedAgentWmiUninstall.mof
    3⤵
    PID:2800
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\mispace.mof
    3⤵
    PID:4628
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\mispace_uninstall.mof
    3⤵
    PID:4948
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\mmc.mof
    3⤵
    PID:1808
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\mountmgr.mof
    3⤵
    PID:4304
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\mpeval.mof
    3⤵
    PID:3704
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\mpsdrv.mof
    3⤵
    PID:4076
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\mpssvc.mof
    3⤵
    PID:3856
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\MsDtcWmi.mof
    3⤵
    PID:4880
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\msfeeds.mof
    3⤵
    PID:508
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\msfeedsbs.mof
    3⤵
    PID:3512
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\msi.mof
    3⤵
    PID:3984
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\msiscsi.mof
    3⤵
    PID:5024
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\MsNetImPlatform.mof
    3⤵
    PID:1472
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\mstsc.mof
    3⤵
    PID:2840
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\mstscax.mof
    3⤵
    PID:2104
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\msv1_0.mof
    3⤵
    PID:740
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\mswmdm.mof
    3⤵
    PID:4576
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\ncprov.mof
    3⤵
    PID:3548
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\ncsi.mof
    3⤵
    PID:620
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\ndistrace.mof
    3⤵
    PID:4656
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\NetAdapterCim.mof
    3⤵
    PID:4420
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\NetAdapterCimTrace.mof
    3⤵
    PID:3404
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\NetAdapterCimTraceUninstall.mof
    3⤵
    PID:2232
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\NetAdapterCim_uninstall.mof
    3⤵
    PID:3252
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\netdacim.mof
    3⤵
    PID:3540
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\netdacim_uninstall.mof
    3⤵
    PID:4856
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\NetEventPacketCapture.mof
    3⤵
    PID:2356
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\NetEventPacketCapture_uninstall.mof
    3⤵
    PID:2800
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\netnccim.mof
    3⤵
    PID:2420
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\netnccim_uninstall.mof
    3⤵
    PID:2196
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\NetPeerDistCim.mof
    3⤵
    PID:3428
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\NetPeerDistCim_uninstall.mof
    3⤵
    PID:3620
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\netprofm.mof
    3⤵
    PID:4020
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\NetSwitchTeam.mof
    3⤵
    PID:2424
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\NetTCPIP.mof
    3⤵
    PID:2736
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\NetTCPIP_Uninstall.mof
    3⤵
    PID:3740
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\netttcim.mof
    3⤵
    PID:768
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\netttcim_uninstall.mof
    3⤵
    PID:3444
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\networkitemfactory.mof
    3⤵
    PID:3248
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\newdev.mof
    3⤵
    PID:4640
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\nlasvc.mof
    3⤵
    PID:1588
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\nlmcim.mof
    3⤵
    PID:2924
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\nlmcim_uninstall.mof
    3⤵
    PID:3300
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\nlsvc.mof
    3⤵
    PID:2896
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\npivwmi.mof
    3⤵
    PID:2916
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\nshipsec.mof
    3⤵
    PID:4416
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\ntevt.mof
    3⤵
    PID:3340
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\ntfs.mof
    3⤵
    PID:4644
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\OfflineFilesConfigurationWmiProvider.mof
    3⤵
    PID:224
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\OfflineFilesConfigurationWmiProvider_Uninstall.mof
    3⤵
    PID:392
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\OfflineFilesWmiProvider.mof
    3⤵
    PID:4512
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\OfflineFilesWmiProvider_Uninstall.mof
    3⤵
    PID:4756
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\p2p-mesh.mof
    3⤵
    PID:2996
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\p2p-pnrp.mof
    3⤵
    PID:1908
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\pcsvDevice.mof
    3⤵
    PID:5052
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\pcsvDevice_Uninstall.mof
    3⤵
    PID:4440
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\PNPXAssoc.mof
    3⤵
    PID:2284
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\PolicMan.mof
    3⤵
    PID:2900
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\polproc.mof
    3⤵
    PID:2548
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\polprocl.mof
    3⤵
    PID:212
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\polprou.mof
    3⤵
    PID:2396
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\polstore.mof
    3⤵
    PID:696
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\portabledeviceapi.mof
    3⤵
    PID:2304
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\portabledeviceclassextension.mof
    3⤵
    PID:3428
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\portabledeviceconnectapi.mof
    3⤵
    PID:4152
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\portabledevicetypes.mof
    3⤵
    PID:4020
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\portabledevicewiacompat.mof
    3⤵
    PID:3304
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\powermeterprovider.mof
    3⤵
    PID:4352
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\PowerPolicyProvider.mof
    3⤵
    PID:4880
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\ppcRsopCompSchema.mof
    3⤵
    PID:4916
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\ppcRsopUserSchema.mof
    3⤵
    PID:3244
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\PrintFilterPipelineSvc.mof
    3⤵
    PID:4616
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\PrintManagementProvider.mof
    3⤵
    PID:984
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\profileassociationprovider.mof
    3⤵
    PID:2956
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\PS_MMAgent.mof
    3⤵
    PID:4556
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\qmgr.mof
    3⤵
    PID:4652
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\qoswmi.mof
    3⤵
    PID:3224
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\qoswmitrc.mof
    3⤵
    PID:4996
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\qoswmitrc_uninstall.mof
    3⤵
    PID:1912
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\qoswmi_uninstall.mof
    3⤵
    PID:1496
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\RacWmiProv.mof
    3⤵
    PID:3500
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\rdpendp.mof
    3⤵
    PID:5060
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\rdpinit.mof
    3⤵
    PID:628
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\rdpshell.mof
    3⤵
    PID:4464
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\refs.mof
    3⤵
    PID:4756
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\refsv1.mof
    3⤵
    PID:3612
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\regevent.mof
    3⤵
    PID:5036
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\Remove.Microsoft.AppV.AppvClientWmi.mof
    3⤵
    PID:1184
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\rsop.mof
    3⤵
    PID:1484
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\rspndr.mof
    3⤵
    PID:3596
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\samsrv.mof
    3⤵
    PID:2356
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\scersop.mof
    3⤵
    PID:212
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\schannel.mof
    3⤵
    PID:2396
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\SchedProv.mof
    3⤵
    PID:696
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\scm.mof
    3⤵
    PID:3620
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\scrcons.mof
    3⤵
    PID:1256
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\sdbus.mof
    3⤵
    PID:1812
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\secrcw32.mof
    3⤵
    PID:1204
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\SensorsClassExtension.mof
    3⤵
    PID:180
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\ServiceModel.mof
    3⤵
    PID:1452
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\ServiceModel35.mof
    3⤵
    PID:3736
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\services.mof
    3⤵
    PID:4176
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\setupapi.mof
    3⤵
    PID:4496
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\SmbWitnessWmiv2Provider.mof
    3⤵
    PID:1200
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\smbwmiv2.mof
    3⤵
    PID:2200
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\smtpcons.mof
    3⤵
    PID:1160
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\sppwmi.mof
    3⤵
    PID:2716
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\sr.mof
    3⤵
    PID:2276
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\sstpsvc.mof
    3⤵
    PID:1848
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\storagewmi.mof
    3⤵
    PID:1428
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\storagewmi_passthru.mof
    3⤵
    - Drops file in System32 directory
    PID:5000
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\storagewmi_passthru_uninstall.mof
    3⤵
    PID:5020
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\storagewmi_uninstall.mof
    3⤵
    PID:392
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\stortrace.mof
    3⤵
    PID:3088
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\subscrpt.mof
    3⤵
    PID:2116
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\system.mof
    3⤵
    PID:1172
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\tcpip.mof
    3⤵
    PID:2344
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\tsallow.mof
    3⤵
    PID:2332
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\tscfgwmi.mof
    3⤵
    PID:2204
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\tsmf.mof
    3⤵
    PID:4940
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\tspkg.mof
    3⤵
    PID:4980
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\umb.mof
    3⤵
    PID:4628
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\umbus.mof
    3⤵
    PID:212
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\umpass.mof
    3⤵
    PID:2396
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\umpnpmgr.mof
    3⤵
    PID:1808
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\UserProfileConfigurationWmiProvider.mof
    3⤵
    PID:4220
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\UserProfileWmiProvider.mof
    3⤵
    PID:1444
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\UserStateWMIProvider.mof
    3⤵
    PID:1408
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\vds.mof
    3⤵
    PID:508
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\vpnclientpsprovider.mof
    3⤵
    - Drops file in System32 directory
    PID:1640
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\vpnclientpsprovider_Uninstall.mof
    3⤵
    PID:4784
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\vss.mof
    3⤵
    PID:1200
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\WBEMCons.mof
    3⤵
    PID:4520
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\wcncsvc.mof
    3⤵
    PID:2896
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\WdacEtwProv.mof
    3⤵
    PID:3300
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\WdacWmiProv.mof
    3⤵
    PID:60
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\WdacWmiProv_Uninstall.mof
    3⤵
    PID:4416
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\Wdf01000.mof
    3⤵
    PID:3272
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\Wdf01000Uninstall.mof
    3⤵
    PID:3800
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\wdigest.mof
    3⤵
    PID:3240
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\WFAPIGP.mof
    3⤵
    PID:1548
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\wfascim.mof
    3⤵
    PID:4464
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\wfascim_uninstall.mof
    3⤵
    PID:4936
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\WFP.MOF
    3⤵
    PID:1992
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\wfs.mof
    3⤵
    PID:1316
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\whqlprov.mof
    3⤵
    PID:1020
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\Win32_DeviceGuard.mof
    3⤵
    PID:1716
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\win32_encryptablevolume.mof
    3⤵
    PID:2204
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\Win32_EncryptableVolumeUninstall.mof
    3⤵
    PID:2420
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\win32_printer.mof
    3⤵
    PID:4040
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\Win32_Tpm.mof
    3⤵
    PID:4360
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\wininit.mof
    3⤵
    PID:2244
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\winipsec.mof
    3⤵
    PID:1576
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\winlogon.mof
    3⤵
    PID:4304
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\Winsat.mof
    3⤵
    PID:3308
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\WinsatUninstall.mof
    3⤵
    PID:1840
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\wlan.mof
    3⤵
    PID:180
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\WLanHC.mof
    3⤵
    PID:4880
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\wmi.mof
    3⤵
    PID:2384
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\wmipcima.mof
    3⤵
    PID:1404
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\wmipdfs.mof
    3⤵
    PID:3244
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\wmipdskq.mof
    3⤵
    PID:3192
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\WmiPerfClass.mof
    3⤵
    PID:4448
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\WmiPerfInst.mof
    3⤵
    PID:228
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\wmipicmp.mof
    3⤵
    PID:4648
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\wmipiprt.mof
    3⤵
    PID:4432
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\wmipjobj.mof
    3⤵
    PID:3708
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\wmipsess.mof
    3⤵
    PID:1848
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\wmitimep.mof
    3⤵
    PID:1428
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\WMI_Tracing.mof
    3⤵
    PID:3800
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\wmp.mof
    3⤵
    PID:4420
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\wmpnetwk.mof
    3⤵
    PID:2812
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\wpdbusenum.mof
    3⤵
    PID:1460
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\wpdcomp.mof
    3⤵
    PID:896
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\wpdfs.mof
    3⤵
    PID:3404
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\wpdmtp.mof
    3⤵
    PID:2344
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\wpdshext.mof
    3⤵
    PID:1988
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\WPDShServiceObj.mof
    3⤵
    PID:3768
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\wpdsp.mof
    3⤵
    PID:4536
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\wpd_ci.mof
    3⤵
    PID:2160
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\wscenter.mof
    3⤵
    PID:5040
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\WsmAgent.mof
    3⤵
    PID:3560
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\WsmAgentUninstall.mof
    3⤵
    PID:4200
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\WsmAuto.mof
    3⤵
    PID:2544
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\wsp_fs.mof
    3⤵
    - Drops file in System32 directory
    PID:4928
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\wsp_fs_uninstall.mof
    3⤵
    PID:2540
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\wsp_health.mof
    3⤵
    PID:3108
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\wsp_health_uninstall.mof
    3⤵
    PID:4624
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\wsp_sr.mof
    3⤵
    PID:1812
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\wsp_sr_uninstall.mof
    3⤵
    PID:3308
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\WUDFx.mof
    3⤵
    PID:1204
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\Wudfx02000.mof
    3⤵
    PID:2156
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\Wudfx02000Uninstall.mof
    3⤵
    PID:1452
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\WUDFxUninstall.mof
    3⤵
    PID:4900
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\xwizards.mof
    3⤵
    PID:4916
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\000CA9FCCEA7C766DFE3B6493B9A908F.mof
    3⤵
    PID:3216
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\016A4FDC29C2CD1C06090D04CC752B4D.mof
    3⤵
    PID:4640
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\01B65BA66800FEA5CE7F4892966D7559.mof
    3⤵
    PID:984
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\01D083B8F092E9FEF6D9C55A64A75334.mof
    3⤵
    PID:1200
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\01EA423F27498C64D3F6C297AE2BD8F2.mof
    3⤵
    PID:2444
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\020FD1D34279A20EBB3742D63B9E359A.mof
    3⤵
    PID:2896
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\0232BC928C9666E5DB91EC0848F13E18.mof
    3⤵
    PID:2380
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\0309255AB46E3D6CAE2056340225DDA9.mof
    3⤵
    PID:5008
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\0357610A8F431F78C35A3F00FF8E7E13.mof
    3⤵
    PID:3796
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\038145628EF306DCD8FD7686C52BD131.mof
    3⤵
    PID:4416
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\03E20F6C54427A7C0DDEE97EC0898FAB.mof
    3⤵
    PID:3940
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\042E30CED0EE9B02641D0960BD5D6854.mof
    3⤵
    PID:2684
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\0471EE6D56711CCAFEBCF01C57F9159A.mof
    3⤵
    PID:4368
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\04920A1D7F20A747256FB48CA8A0147B.mof
    3⤵
    PID:3140
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\04B1FC5EA475F43F0CF8815E33B5913C.mof
    3⤵
    PID:3396
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\04D5961EC17DF68D8407B772F9C7DF98.mof
    3⤵
    PID:1460
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\050F60C5DEC201482BC14E317519A6F6.mof
    3⤵
    PID:896
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\057069C8BCE64220B28DD683690F6879.mof
    3⤵
    PID:4820
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\0583E7E08D1877A324A2553D19A795EA.mof
    3⤵
    PID:4132
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\069B498336DCA76D929AAAF5631ED0A5.mof
    3⤵
    PID:4508
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\06A22D2701E90D7DDCF8AAC0522F2449.mof
    3⤵
    PID:3040
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\06DAE99BF3D429EE4946D4BF8BFF8C96.mof
    3⤵
    PID:2792
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\06DEE93B2013BBE13958B3FA0D45AEB5.mof
    3⤵
    PID:4976
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\0736061F644ECE849A494F2EDE2008CE.mof
    3⤵
    PID:2204
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\086D10A6F37ED2F988C9A8EDEF53B707.mof
    3⤵
    PID:3972
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\08BF1AF6E61B8456B1D5B42769C3412C.mof
    3⤵
    PID:2108
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\08D51E934D3BA7EB8F60B6E90B6F1511.mof
    3⤵
    PID:3428
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\08F894CB142235B53617974B1893CC74.mof
    3⤵
    PID:2132
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\09329A919E0B1FEB9E13BE1D4E8C71B0.mof
    3⤵
    PID:3108
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\0955A3255BE8F939592AA33CBFED6637.mof
    3⤵
    PID:4924
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\095DDA6145E278EC67897251831FDD47.mof
    3⤵
    - Drops file in System32 directory
    PID:4304
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\097C63F5D2B8C4182BEB625A8287192D.mof
    3⤵
    PID:2432
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\09A251213F70FF824ABB31AACEEAC17F.mof
    3⤵
    PID:1840
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\0A2DA7EA3492D7ECD2C313A8B7490FC1.mof
    3⤵
    PID:3656
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\0A49A422B8A92BD87756E892C1BAEC38.mof
    3⤵
    PID:508
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\0A76D835FEE42A0F9B07455539850A30.mof
    3⤵
    PID:2848
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\0A7CF62821E141ADACC0C287DDD01839.mof
    3⤵
    PID:4036
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\0B21EB6E1A9BA82714E2C9FCB1DD6E8A.mof
    3⤵
    PID:3248
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\0B7747DAC81B5CDD2893AAE2E4BBE034.mof
    3⤵
    PID:4496
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\0BE369FFE21F5817AE0847874550D36B.mof
    3⤵
    PID:1588
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\0C0B602529B4AB335EE2B6BDD125ADB2.mof
    3⤵
    - Drops file in System32 directory
    PID:1972
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\0C840E79E220554456F582031714D456.mof
    3⤵
    PID:528
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\0CB6D8EA6179D949B588A4D328F2A1D5.mof
    3⤵
    PID:2388
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\0CBD6BDA858114EC196F6B41C2CFD3BF.mof
    3⤵
    PID:4812
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\0CCAA8293392639FBA830DD578DB2C02.mof
    3⤵
    PID:3144
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\0D169F54EB7176F6BF264A5F8562C98B.mof
    3⤵
    PID:1848
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\0DA95863FE4B25CC2D43F0020902CB31.mof
    3⤵
    PID:448
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\0DAE6401EA75135DC71C2BF2727AE47F.mof
    3⤵
    PID:1720
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\0DC0A697FFCC592B72AABF89E4FD9156.mof
    3⤵
    PID:392
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\0E68BDAB79C00E0C496F8772703BB3AB.mof
    3⤵
    PID:1608
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\0EA772F1A1EDFC2AEE10CC4E22899FA7.mof
    3⤵
    - Drops file in System32 directory
    PID:1384
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\0EACEE5F78D8DC364E3C886DBB50601B.mof
    3⤵
    PID:3396
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\0EB7B5521B8E9A713CA5D4DE1135B365.mof
    3⤵
    PID:1992
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\0EBA1F7B891BD5FE808E91F1D5467AFE.mof
    3⤵
    PID:2344
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\0EBDDF573C99959D239BF0ADB48A18B5.mof
    3⤵
    PID:1020
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\0F6999175ECAE7FD86A81D5F3AC1FA46.mof
    3⤵
    PID:4452
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\100C683F4F92BE5F31DCF9E5E8F8A127.mof
    3⤵
    PID:3312
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\105E698CE1AE9FA053B763F2C80120D6.mof
    3⤵
    PID:2804
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\10D697E74C7A4CC694967A7BA1861EE7.mof
    3⤵
    PID:1328
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\10EDE1FE24EBC1EBE598FDE3A051CB83.mof
    3⤵
    PID:2836
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\11992DCCFDD62BD40E85DA67BD91FF88.mof
    3⤵
    PID:4040
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\1228A6BDE4139369DF7DB4975C62A50A.mof
    3⤵
    PID:4552
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\128E25AF26A5FD60EC8421A35FE38114.mof
    3⤵
    PID:4088
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\1364A1ACC2D182FC0E95C7573ADD0308.mof
    3⤵
    PID:1600
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\13BC960D220197BCBCC7F1658C34102D.mof
    3⤵
    PID:3780
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\153FCFE945068754B72A6FC011B37613.mof
    3⤵
    PID:1808
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\160386BCC54C67562570A808003698B2.mof
    3⤵
    PID:4924
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\1641F982282E8CA70B0D93F1F2BB145B.mof
    3⤵
    PID:4304
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\1671EBB4B246E464FCB7369EAB2831EF.mof
    3⤵
    PID:4380
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\16C850723D6D606824E3600992F717AC.mof
    3⤵
    PID:1256
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\16E269CB069C7242FB610AB48045318B.mof
    3⤵
    PID:2260
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\170119984F3AA426567DD71E8458DCA1.mof
    3⤵
    PID:388
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\172412DF1F8338E4AD006E9F9788ED2A.mof
    3⤵
    PID:2848
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\173F0B14BCB5F1B2B2258AFA66FA1F6A.mof
    3⤵
    PID:4984
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\17BCA321685944580A77D03BECECF588.mof
    3⤵
    PID:3488
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\17CF414FA1DE5CE02A5C9AC66A2D8F5E.mof
    3⤵
    PID:4448
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\180E25D92AFCF71A996BC7AC24F27DD5.mof
    3⤵
    PID:228
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\18194DF78686FCBACD0E6868ED0E0919.mof
    3⤵
    PID:2724
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\1898EDEA64C511B1CB8EF5483101FB35.mof
    3⤵
    - Drops file in System32 directory
    PID:544
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\18B9AA34B315DE18655875C087F7E147.mof
    3⤵
    PID:2644
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\18F122357839ADA1419DDE2C541904BE.mof
    3⤵
    PID:3672
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\192325CD712AED7BF56940AD3BB9A176.mof
    3⤵
    PID:2208
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\195AE1B89E0FF6CD40670E98BAB3A608.mof
    3⤵
    PID:1848
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\198029E6BF51E6E158ECF68FF0B36E3A.mof
    3⤵
    - Drops file in System32 directory
    PID:2020
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\19B9819A1C5AE6BC556E1A65834AEC13.mof
    3⤵
    PID:3240
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\1A62F8CF28E9ED8FBDCEA3D28AC6D3EF.mof
    3⤵
    PID:1556
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\1AA085F45F04FFF42F8B23EE4B1DD6D5.mof
    3⤵
    PID:1980
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\1AEA6E68EBB34016ED94F24ABB9308E5.mof
    3⤵
    - Drops file in System32 directory
    PID:4756
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\1B15F9EA2C8E8A55CC1CBE63FB6B4840.mof
    3⤵
    PID:4528
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\1B1859A081E5E0E923DE7CA17A3AD0E6.mof
    3⤵
    - Drops file in System32 directory
    PID:3220
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\1B243182F610F39F48F63ED2AAF2E4C6.mof
    3⤵
    PID:4348
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\1BF02F5F261B4F6E08912C82760B1564.mof
    3⤵
    PID:2332
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\1C57A0A063E5D1FAE814B23DFF99DA42.mof
    3⤵
    PID:4508
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\1C6A987B4B0CF81C64F418964D02E590.mof
    3⤵
    PID:1716
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\1D17F2812D61D6A27510A5356CBCB2C6.mof
    3⤵
    PID:3596
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\1D2F2472E8915C165DD3667793DD6216.mof
    3⤵
    PID:5056
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\1D39564B78F00E3F6ED4B4A5662781B2.mof
    3⤵
    PID:3904
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\1D3D7B63AE783F3DBBD4FD9F43301BD1.mof
    3⤵
    PID:3560
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\1D770486C382CDC6F1CD832E1D040FEF.mof
    3⤵
    PID:752
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\1D8E83D3077F05426D7F5E7C92A52BC2.mof
    3⤵
    PID:2244
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\1DD21D310EE87FB8B3301E43E53F9548.mof
    3⤵
    PID:1976
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\1E3959634C12CA1C92AEBB0AB0A0CD47.mof
    3⤵
    PID:3428
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\1E50D6323FD92D3DDCD8B52937074C9C.mof
    3⤵
    PID:1576
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\1ED415C5FAB66F75A8BD9D906ED1FD79.mof
    3⤵
    PID:1812
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\1F539B7D89D5675D5FBC71A5A1E7C62D.mof
    3⤵
    PID:5016
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\1F5D7EA255DEC718E6C93AFC61039C12.mof
    3⤵
    PID:2736
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\1FD16EA55AB471DAD65A8AE31A92BFE1.mof
    3⤵
    PID:1820
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\20916DA71EC75FCC409872C3207D9C60.mof
    3⤵
    PID:1664
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\20EF0B41F86B67FBB71739AA19D6F941.mof
    3⤵
    PID:5004
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\210892B3C5033337B5C4FCD68AA35128.mof
    3⤵
    PID:4208
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\2131A60D40501A974386B9E42E4FC201.mof
    3⤵
    PID:4392
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\2174D8A485DAE80D1D90B7E5430F164F.mof
    3⤵
    PID:4984
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\2215A345459824E0504DB85AEBB502CE.mof
    3⤵
    PID:4640
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\22C5E271CACABCBB6D1BF416CB483DB1.mof
    3⤵
    PID:1572
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\232692AF542DAC9C19624048D7BCE0F9.mof
    3⤵
    PID:2104
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\23FFA2BEE2CFCB552EEC22762785E6B4.mof
    3⤵
    PID:4648
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\25CCB9BAD9B50F42124D935083535916.mof
    3⤵
    PID:5008
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\25CE4D0A477A7A536B1F5C9965A6C9E4.mof
    3⤵
    PID:740
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\25E9A5A2000F7483536AEC7F5BBAD557.mof
    3⤵
    PID:3796
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\2794DD6CC13BD11ED558AA64C449E6D7.mof
    3⤵
    PID:3268
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\28DFEEAE5E755E081510079AEA4BA2DB.mof
    3⤵
    PID:1848
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\29B55D1D5A0BB6BBFD2F6F1D35B3A1BB.mof
    3⤵
    PID:2020
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\2A2AB14E79261C4C2272F4B50901244C.mof
    3⤵
    PID:3240
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\2A8F8C0C68BF867A9E2A7AB38260A4F9.mof
    3⤵
    PID:1556
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\2B416E2919A9D497584044544D3C8433.mof
    3⤵
    PID:2232
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\2BF259128A811B9C7417AEAD9F596A8E.mof
    3⤵
    PID:1780
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\2C688638F731D0D535DBB9DA2F979753.mof
    3⤵
    PID:3808
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\2C6A80FDED75E46CA733976E382559CC.mof
    3⤵
    PID:4440
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\2C7CF4E1EA79BFA00DDAAADCB67FCA96.mof
    3⤵
    PID:4348
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\2D1A849208186237BBED16B3B5D7238E.mof
    3⤵
    PID:2332
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\2DB099F474FFAB578AD726E4F2905FED.mof
    3⤵
    PID:2820
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\2DFDBD25A9B159E6B632A69ADD81F446.mof
    3⤵
    PID:4976
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\2E4D19AFECF3B4188F10CD16C8BB92E1.mof
    3⤵
    PID:4948
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\2E60A4684212330C61E1E8704A619754.mof
    3⤵
    PID:4552
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\2EC8433E19B30A13955120CB32A18CFC.mof
    3⤵
    PID:2396
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\2F0CC20947142CB05C49044919898802.mof
    3⤵
    PID:1592
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\2F58A8772B1579A81054587DFC0A68CE.mof
    3⤵
    PID:2016
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\2FA567F6FE2F89694B594B3FAC75D6DF.mof
    3⤵
    PID:1812
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\30711D4696101AA94690C8C51432F5E2.mof
    3⤵
    PID:5016
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\30A5229E4F736548D2D9FA13F92C9A82.mof
    3⤵
    PID:1796
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\30C22E5728F64CE0E1605A4A77934948.mof
    3⤵
    PID:2296
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\30C3808B55CD6C563447B44FC4E9BAD8.mof
    3⤵
    PID:4256
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\30DFAF0BD5AD387D985719F41E186AD5.mof
    3⤵
    PID:4720
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\31998CC82EC1ED985097054B275161ED.mof
    3⤵
    PID:2192
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\32057A09A1167F6F66F16DA67DF1C918.mof
    3⤵
    PID:3236
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\3209C3555EE020AE8FA1C869C6A591D9.mof
    3⤵
    PID:2200
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\320EDC28FFEC3C708AB2DDE6C70FD624.mof
    3⤵
    - Drops file in System32 directory
    PID:1472
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\3281CFB9A42D9486C40C0A4D010D65E6.mof
    3⤵
    PID:228
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\329A6D1E4413466F2111A8B0F5C0A51B.mof
    3⤵
    PID:2896
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\33295A3A1D28CAE3DFB6C5167CCAAE6F.mof
    3⤵
    PID:5008
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\33A13765948753719F44CA6F7E586909.mof
    3⤵
    PID:3012
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\33B9B81C996ACC2B2000070519028F72.mof
    3⤵
    PID:2952
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\344FC63DB23C44805CA5C08EAC26522F.mof
    3⤵
    PID:3152
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\347C4407B808EB65CAFD16126D73D922.mof
    3⤵
    PID:3328
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\348C74BBB0C8791244D9BA708604211E.mof
    3⤵
    - Drops file in System32 directory
    PID:4756
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\361C55667115751869AC74207D28DCE7.mof
    3⤵
    PID:1172
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\36A47C4202A2694FFD79C2BABBD02788.mof
    3⤵
    PID:1992
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\36AC724DE559C5D39EB46462A440D4E5.mof
    3⤵
    PID:4388
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\3704297DA195A3B2DADC6D89B6226662.mof
    3⤵
    PID:4132
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\371088BC97F0585065A1A08ED83172D6.mof
    3⤵
    PID:4760
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\3778D40681E80056E0C63E6CB18E9E37.mof
    3⤵
    PID:3596
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\37846654B2AF369ED3D0A3637E941D9B.mof
    3⤵
    PID:2204
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\379E5EC415D0E0A49EFDD4B3564BE048.mof
    3⤵
    PID:2284
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\37D4F7E4435BDF811F1EC2CBA1EF4A10.mof
    3⤵
    PID:2304
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\3855849167EAA03A99F4C8450E15A6ED.mof
    3⤵
    PID:4948
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\38841DF145EDAB1901F40F6B9A6AF4AA.mof
    3⤵
    PID:4552
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\38F922911FA0CAE637E5D1EB1013D0F1.mof
    3⤵
    PID:2708
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\395955902B64122A6EF58A130F284979.mof
    3⤵
    - Drops file in System32 directory
    PID:4624
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\39C2F82384C755EF218F0F19FE619F80.mof
    3⤵
    PID:3304
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\3A2F8881A3B96DF2374FCEFB35545D6B.mof
    3⤵
    PID:4352
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\3A65AC537877D583303AEEF0342B5D51.mof
    3⤵
    PID:2424
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\3A75BC18F00746E3EB756A5A8AB71D56.mof
    3⤵
    PID:4236
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\3AF58951EB00AD264E4FCF4BA804D893.mof
    3⤵
    PID:2680
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\3B443485D5F96CA9554D404AA52A1633.mof
    3⤵
    PID:3736
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\3B60B0417CAF81D69389063C334577F1.mof
    3⤵
    PID:4424
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\3BB167BC6A619E5D11B40C8B9F699327.mof
    3⤵
    PID:4256
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\3BBB431B659936EB58D4574BC05768CD.mof
    3⤵
    PID:4720
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\3C03DD39D967893238742C503189BA92.mof
    3⤵
    PID:3296
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\3C11F3A2BFB9588C467B72E02345362F.mof
    3⤵
    PID:984
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\3C90AAC6E581F57E99B164C33906BD30.mof
    3⤵
    PID:4300
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\3CA3E3E8C27409E2288B236F5F414F56.mof
    3⤵
    PID:1472
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\3D486D2EBFD5C380959985A548DC1308.mof
    3⤵
    PID:228
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\3D7D7734943CA5F273BDA05F3E1FA20C.mof
    3⤵
    PID:2896
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\3D93BA5591BD981C5D5D6E2BEFACAA50.mof
    3⤵
    PID:1632
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\3DA405CE6ACE7B7A8320D68D317B9729.mof
    3⤵
    PID:5008
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\3EB36FAFDAE870DF05542C0B4AAAD7EF.mof
    3⤵
    PID:3548
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\3EE2F37B4639F4307BAF0C707B092F7C.mof
    3⤵
    PID:628
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\3F78FC5E2CC6CFD8720C796D34A544F7.mof
    3⤵
    PID:4668
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\3FFDD473F026FB198DA9FA65EE71383C.mof
    3⤵
    PID:2020
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\4001CC0C4B56CFDE0493013FC1D9DD0F.mof
    3⤵
    PID:2164
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\407E61D88570FDFD5EC8891DBF9A3EBC.mof
    3⤵
    PID:3584
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\40E224B18F4493C1B8E43DBC496D8E68.mof
    3⤵
    PID:4584
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\4136DDD03841D93F3D820441F60BE055.mof
    3⤵
    PID:2012
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\413CED83449192A10E66EAD24743140E.mof
    3⤵
    PID:3808
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\42CB2CBBDCBB0DB751E51FF6B279C524.mof
    3⤵
    PID:1020
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\430091E25BA6C7FE2FE5DC31776BEACC.mof
    3⤵
    PID:4476
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\434B7316BB2FAD82DC3E5784AC46B4A0.mof
    3⤵
    PID:2076
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\43535D7A73D735DEFF9DB83057553D39.mof
    3⤵
    PID:2800
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\435A088CDF6FE7426084E4B35C1E81C7.mof
    3⤵
    PID:4200
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\435FA4D2CAB38A1853F91A3BE8F89D4E.mof
    3⤵
    PID:2160
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\4371EC94BF996AF79B062599D10C927E.mof
    3⤵
    PID:4028
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\43AC153E4DED1737C66AEC0C7EAD9430.mof
    3⤵
    PID:1212
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\43EDE2715871F08D0BEFB4C9DE69E247.mof
    3⤵
    - Drops file in System32 directory
    PID:2540
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\441A12A68AB1A20902A131356BA4CF30.mof
    3⤵
    PID:1976
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\44B487D5879BCD6C593C9066936D12AD.mof
    3⤵
    - Drops file in System32 directory
    PID:1052
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\44C46B87678291B7CFBF7D8A6452D98D.mof
    3⤵
    PID:3060
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\45277ADB2DA919AFFF18833506353174.mof
    3⤵
    PID:3184
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\4552656C2901FB1533D6679D49B69929.mof
    3⤵
    - Drops file in System32 directory
    PID:3428
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\4561B54041D5F414CB02373F78461708.mof
    3⤵
    PID:1204
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\46F812454290EE1E870544BFEAC8C7EF.mof
    3⤵
    PID:3444
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\4795058F848A6BA6FE24E0530CE2E2DF.mof
    3⤵
    PID:2672
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\47C87AFF6DBF51980E7CA3E36C38B86B.mof
    3⤵
    PID:1584
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\4846320185EA62FBD8507FD7A9D87E61.mof
    3⤵
    PID:4312
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\48959878DDCA03B0FA77D806C7C5D743.mof
    3⤵
    PID:3476
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\49C04C47AB946E0864486F81F6E251BC.mof
    3⤵
    PID:4784
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\4B69CC652B5189D5B2136DFDC5369593.mof
    3⤵
    PID:4520
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\4B95063FF713676A54E7221DF8245C78.mof
    3⤵
    PID:1572
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\4BD7268ABFF9CFF22DA57949025E2667.mof
    3⤵
    PID:2840
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\4BE30AA8CC2C4C06B41336B9B3878B1E.mof
    3⤵
    PID:3568
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\4BE9D6CB921FE137B78AE9960CDD98B0.mof
    3⤵
    PID:2644
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\4C3FFB127B4E9B67BFACD89178DE3DA3.mof
    3⤵
    PID:3144
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\4CCFEF2D31696D11C8735BD7C8BE14B9.mof
    3⤵
    PID:3272
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\4D9BCF0F509C90FA86E1ED3A34E158A0.mof
    3⤵
    PID:5000
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\4DAE009EE0BC4B9ECA96E59E303AE1E5.mof
    3⤵
    PID:3716
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\4E20565265CAAFBDB6BA1B1C1ADA9D96.mof
    3⤵
    PID:3700
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\4E34C76D83E2430D779FE9AA17E87200.mof
    3⤵
    PID:1232
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\4E8CF66DA5DBCEE8F47DFDDF0B14DEC0.mof
    3⤵
    PID:2516
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\4E941341E008BE47EC9639A14271EBF0.mof
    3⤵
    PID:2164
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\4EA32ABEBFE9B0697C450693940F1673.mof
    3⤵
    PID:3584
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\4EB0E9424AFEF8E5D68D78C36620E253.mof
    3⤵
    PID:4244
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\4EF05404F86FAFD7EDAB80262970585E.mof
    3⤵
    PID:1380
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\4F4AD4093274B7A7FF28CDBD5AB3032C.mof
    3⤵
    PID:1988
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\4F7C501B863AFCFCE3AE018AC07191F9.mof
    3⤵
    PID:3312
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\50B277BD2B3C116DBC38CC2D1EB7D427.mof
    3⤵
    PID:1580
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\50B5B38557DC642A4BC7282A0C8C4AA2.mof
    3⤵
    PID:4976
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\50E7AE0A90085737B8F04CDF9460DBEA.mof
    3⤵
    PID:2544
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\50FC9EDA1918FBC981D89D0390125308.mof
    3⤵
    PID:1236
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\51588E4AC5E59453F329EBF5A215ACEC.mof
    3⤵
    PID:2244
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\517ED769F6478117021531216F609C27.mof
    3⤵
    PID:4824
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\51B9369C31C913E211D29AA4D91D4747.mof
    3⤵
    PID:4040
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\5232DBC5D3EE8EBCEF6CCB4213399B9A.mof
    3⤵
    PID:2708
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\5241D310A7F9B793E5E9EC39E65B7B44.mof
    3⤵
    PID:4516
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\52DF56A47A08AD380228C64827D24548.mof
    3⤵
    - Drops file in System32 directory
    PID:3620
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\531218B396F02B35771F8AD1965A574A.mof
    3⤵
    PID:180
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\5312CF8C0E1EE738404F2A6E526EB4D0.mof
    3⤵
    PID:2424
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\536E5C7121076D413E48A32D54E26EA3.mof
    3⤵
    PID:1796
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\53C2FC20B111DA763C20CFDAF7624A26.mof
    3⤵
    PID:2296
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\53C824D10974E3D64CB1537B2770F4AD.mof
    3⤵
    PID:2712
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\553C27B9785BAD9A0C6E81613DD3FCB4.mof
    3⤵
    PID:3216
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\554B4465433438F4FF7B8D7AB981B555.mof
    3⤵
    PID:3468
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\555E8EEF9A21E3F26C263316A778E15F.mof
    3⤵
    PID:4640
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\55B1D144C8C3666C687E454A80906ECE.mof
    3⤵
    PID:4496
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\563EAFFF3BF92CE3F60EAEE4EB18BBB3.mof
    3⤵
    PID:2412
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\568257F0F7CB54EB479EA5E39A4ACD57.mof
    3⤵
    PID:2104
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\5731B1CD62369AA3EF2B861A7BACB2C5.mof
    3⤵
    PID:1920
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\57985F4723464E47CF133A601D28906D.mof
    3⤵
    PID:2388
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\58766C70A633CC3A5AC9393E175CA63A.mof
    3⤵
    PID:632
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\59481CB78111FB31D37EDAC9647FAFD8.mof
    3⤵
    PID:2032
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\5960F40D2AAABA9E743AFA7294468C25.mof
    3⤵
    PID:5116
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\59A5343CF85A83AE1E7B5EAFC71ABD66.mof
    3⤵
    PID:5060
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\59C780751B7740A822CCE33528AC1E14.mof
    3⤵
    PID:3396
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\5A7BC66EEC954487F6D9911DEAF052BE.mof
    3⤵
    PID:2684
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\5B18367075FE563AF4A12EA837278D84.mof
    3⤵
    PID:3612
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\5B4B75183FE97E2D052EE74E519015F4.mof
    3⤵
    PID:5036
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\5BE557A291C3EEB7FE628D8099DD0CD3.mof
    3⤵
    PID:1456
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\5C704EA3E7D7B64E50D00711FC13CD34.mof
    3⤵
    PID:4932
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\5C81F6E368BC71D1D45E2D9206EA3FD0.mof
    3⤵
    PID:4388
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\5C8CE9E608C8192171A5B93767FCC960.mof
    3⤵
    PID:3596
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\5CFEE986112963509926EC8912E14D25.mof
    3⤵
    PID:3180
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\5D75A4D5A6D14E6061698FB7BED0446A.mof
    3⤵
    PID:4928
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\5DFFB5C73CF04EE22E19BB74127846D8.mof
    3⤵
    PID:3732
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\5E69759D567F673B36A59095A347BF07.mof
    3⤵
    PID:4908
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\5EEE7ED3AD74F7D10B2058BB7C19B751.mof
    3⤵
    PID:2108
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\5F037A89915D44B8819F9FCFDE0B489E.mof
    3⤵
    PID:2396
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\5F08E2D70EBF81C77FA4C99A0901A6C8.mof
    3⤵
    PID:3608
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\5FC405F33502FCF8B5292EFDDD9AE4FA.mof
    3⤵
    PID:2492
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\601C41633EC4EEE1FFE41D65491BABD5.mof
    3⤵
    PID:2328
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\60B3B69ABC4366405469AA15F5B33006.mof
    3⤵
    PID:3656
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\60C90B334F5FD0AD576CC5FFCECDFA9C.mof
    3⤵
    PID:2556
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\617D2BAEB248E81618E2D9342B7323AD.mof
    3⤵
    PID:4816
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\6199F396C445A25AF1DE1CEFFF072560.mof
    3⤵
    PID:404
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\61D0174ACBF8E43615E6DF8019C0583E.mof
    3⤵
    PID:2120
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\627EE3812DC7A5BF704C057D238F75AA.mof
    3⤵
    PID:3984
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\62FE034F36B9ACAF125049C4EB64D6A7.mof
    3⤵
    PID:4392
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\6340973172727B5EBAF0A64E92C26B73.mof
    3⤵
    PID:1640
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\6364E8D3F688917ECAE1050954B63674.mof
    3⤵
    - Drops file in System32 directory
    PID:1200
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\63B2501D71A2DE162EA12C3CACF8C488.mof
    3⤵
    PID:1472
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\644B35DCD280DC69AED674005133C98E.mof
    3⤵
    PID:2336
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\64B4796A957F50D8E37415358DC4011F.mof
    3⤵
    PID:740
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\64BE228C7C03C2D993371E5195306859.mof
    3⤵
    PID:1836
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\652B32EA4449A9E8AF422E70ACDF46E4.mof
    3⤵
    PID:3144
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\653734ED42B7A9B62F119AAB8C9521D8.mof
    3⤵
    PID:4612
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\657F8341C743B485575944BF32E0125B.mof
    3⤵
    PID:1720
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\65DE946825EFC13018FEB489315181A4.mof
    3⤵
    PID:5000
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\662DD1E431BC9D4EB784D7D662BF5114.mof
    3⤵
    PID:4512
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\66501D267ABECB2CF3315642D1881501.mof
    3⤵
    PID:4368
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\66B28EEE188E29399051A60BAF92D333.mof
    3⤵
    PID:2996
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\6717E3CAA50A3943B61329778C1DD781.mof
    3⤵
    PID:880
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\671DBBDEA9073F2E4CCCFFF6957044E0.mof
    3⤵
    PID:3808
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\674888C18C2BA74E9DE8F74501330DC0.mof
    3⤵
    PID:4936
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\6780F8CDE9A603E0A830C9603F2F4D0B.mof
    3⤵
    PID:112
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\6808D4839451264DD18BB2454D45479E.mof
    3⤵
    PID:2220
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\682277A939A770BB800CFE4F205D7891.mof
    3⤵
    PID:3936
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\6874681F627A133631133FDFA2B4FB8D.mof
    3⤵
    PID:2548
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\687CF9D31E514545A07747EE9CC567AB.mof
    3⤵
    PID:1884
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\68882E3FA69BD52620343D172BE84815.mof
    3⤵
    PID:2196
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\693BB2D22B37188C506A30563317E1D8.mof
    3⤵
    PID:3000
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\6984662FE0A2CC634E49E525D17376AA.mof
    3⤵
    PID:4224
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\6BCCCB82E5792A665667D7E41CC45168.mof
    3⤵
    PID:1672
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\6BFD34C0EBE9B3A34F525B51261858DF.mof
    3⤵
    PID:2108
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\6CBA7FE164696851E3674A4FC046F926.mof
    3⤵
    PID:4636
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\6CC07C0289722A5549B9C30F76C249FF.mof
    3⤵
    PID:4624
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\6CC685AEFC129C8DD86F9036F17E943C.mof
    3⤵
    PID:3304
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\6CD4AC2A2B648ABFE8F2F90A5D07829F.mof
    3⤵
    PID:2328
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\6CDB91CE30082B98FE1BEE23E422804C.mof
    3⤵
    PID:3656
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\6CE4D05BA5B97F5FAAA40312E14F0E81.mof
    3⤵
    PID:2556
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\6D15B1C3AE92D91DCD86360CCC4F53B4.mof
    3⤵
    PID:4816
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\6DADEFFF2FCEDD93F8CEF59036FEF4B9.mof
    3⤵
    PID:2384
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\6E5FACACD2BA0A27C7AE761291F7BED1.mof
    3⤵
    PID:2260
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\6F2F026E4006B8443E4D6AD8DC43B8EF.mof
    3⤵
    PID:2956
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\6F606DA76B5A34FEC3A95B874DC14C2F.mof
    3⤵
    - Drops file in System32 directory
    PID:2924
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\70121DE772621FEB6480A1C9A3475D5A.mof
    3⤵
    PID:1588
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\70138AC07076B005E1CFA39BC5BD9175.mof
    3⤵
    PID:3416
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\71E680EC580A0039A775A378ECD836FF.mof
    3⤵
    PID:1844
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\7282BB1A61AFF7E0656732EE80CEB6FD.mof
    3⤵
    PID:2916
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\732BD24D0DF3B5E7191B301E55CDD6D6.mof
    3⤵
    PID:3672
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\738F657B98502C3F07A67FDC669EB8AB.mof
    3⤵
    PID:460
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\739CB6904442C4B4092104AACB73DBB0.mof
    3⤵
    - Drops file in System32 directory
    PID:4576
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\73C8F1FE9282D72F1684DA13FF1346AA.mof
    3⤵
    PID:3272
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\7402D0FB5599777D401744FC6DD201D7.mof
    3⤵
    PID:2208
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\740FBFCE4E4515C86E8C7E9D18A58DF4.mof
    3⤵
    PID:2116
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\742B2F1B414C6E566B6BDF87D12D8AA4.mof
    3⤵
    PID:1112
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\7450D0DEE62770FF1E5C905B1BAFD42E.mof
    3⤵
    PID:3152
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\74AF2F8E62D0745F958B573494C439C8.mof
    3⤵
    - Drops file in System32 directory
    PID:2996
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\74E621F5E9C4849D83DAC55AC565A76B.mof
    3⤵
    PID:1384
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\757421178679BC54A733A7C4F3DAA07B.mof
    3⤵
    PID:4064
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\75B8AD308277AE2AEFCDEA0B6A7C3C0C.mof
    3⤵
    PID:1412
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\75F3B2B3A615155BFB2E7C19531A197A.mof
    3⤵
    - Drops file in System32 directory
    PID:4820
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\76118EA7CDB4BF4005AD84DDF6CE2E66.mof
    3⤵
    PID:4132
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\76367CD152E34AC3DD8007741C968AF4.mof
    3⤵
    PID:1484
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\76A3CA62703735BDC186B9056247C8F7.mof
    3⤵
    PID:5092
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\7716BDB243C38A4A24E728B3817AE0F1.mof
    3⤵
    PID:5040
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\77E1FE7C589B0FE237874F7EE517A0C1.mof
    3⤵
    PID:4200
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\785C9F9CED5D122AD92D6BC91312F7FC.mof
    3⤵
    PID:5068
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\7891546B010C902B9C8DE33F55F71498.mof
    3⤵
    PID:4128
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\78C249F8A099AEA6A25F33F09F50FB47.mof
    3⤵
    PID:4948
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\7950D68C8C6F669B94D3E488F0B6BEAB.mof
    3⤵
    PID:2836
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\79EF8F616077A833BE2747809180BFA5.mof
    3⤵
    PID:3748
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\79FE6B25E5B132F33880B7F44A66B758.mof
    3⤵
    PID:4220
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\7C6FCEE9F64D2CC890D867AB97DEE424.mof
    3⤵
    PID:4516
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\7C7E3220AE92EC87E0436ADE3F5D9931.mof
    3⤵
    PID:4352
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\7D1DA389789509D61D1AB66097581992.mof
    3⤵
    PID:1840
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\7D60FA9CA39C59A4B7C96DEFCF0B1B01.mof
    3⤵
    PID:3856
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\7D8C933AA5FE34FA3316DA4B6E09E654.mof
    3⤵
    PID:4236
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\7DD87359B51EDB79AC235F97E726EF5A.mof
    3⤵
    PID:3736
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\7E12C6950CA7714D731D5313649CA457.mof
    3⤵
    PID:3280
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\7E19C857E35FA8D70E57B0F1CB21E5C7.mof
    3⤵
    PID:3244
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\7E856BB33FFDA1141B90AC29735FB9FA.mof
    3⤵
    PID:2120
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\7EAB83B6B5BC37690D2D1B3E22DF7D9E.mof
    3⤵
    PID:4888
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\7F3DC6EFFFDCCEBC37B17C2FDC124638.mof
    3⤵
    PID:4392
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\7FAB1F3A2B36D6EA27A3DB4EC39C7BD0.mof
    3⤵
    PID:4984
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\7FAC187A43CA71A854CA4653D8E075B5.mof
    3⤵
    PID:1200
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\80064700E82C89F9D3E945021BA8C32C.mof
    3⤵
    PID:528
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\80571CB6E9439E1C98BA9AC3FA28D3A9.mof
    3⤵
    PID:1496
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\8096010E847A7DE3A3F69A61002DD563.mof
    3⤵
    PID:2532
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\8151A5CF9B90099D16EDB3EADE4C8CD3.mof
    3⤵
    PID:4868
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\818B866A009B1338C5AC103B2D8E2372.mof
    3⤵
    PID:5008
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\81FCAC08918AF581FDCB45931E356981.mof
    3⤵
    PID:4568
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\8243D67DDA3785DAD59ACF70CFC203DE.mof
    3⤵
    PID:620
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\8266DC592F01723A90239C659F1FA6C7.mof
    3⤵
    PID:4508
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\82DA351296066664DEB012FCCF6D07AA.mof
    3⤵
    PID:3396
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\82DA415A8C75204A2D758E6DAD53BC36.mof
    3⤵
    PID:3612
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\82DFEA0FE38074528C86FA0695FC7E37.mof
    3⤵
    PID:116
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\82FED0C3319594CCF4117CB3B34B5F72.mof
    3⤵
    PID:880
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\8349431AF468BA55DBFB84FC50CC17C5.mof
    3⤵
    PID:5052
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\83E1D5D490B9335941305F44058A6755.mof
    3⤵
    PID:3768
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\843980BE43ABA52AC77C57DF068D59B1.mof
    3⤵
    PID:1412
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\846AC8E6E788D5BDCFBB697A233A8993.mof
    3⤵
    PID:4820
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\84BA101DF0936E1318EE1EB10539C9CD.mof
    3⤵
    PID:4132
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\84EBC179129822B0E00C47B7528F1FDC.mof
    3⤵
    PID:2332
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\84FD82C473BCBDEA6CFCD53DF80D6022.mof
    3⤵
    PID:5092
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\8588C815441547988C5E4B9CC6CF7351.mof
    3⤵
    PID:5040
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\85917F125E29280A85EDFCDC3B0C8170.mof
    3⤵
    PID:4200
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\868B5F1DDD5C341C50C0D359CD22F37B.mof
    3⤵
    PID:4776
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\869B30EA34E0F5E56CCBB130AAC2BFA1.mof
    3⤵
    PID:1860
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\86CAC2AF84F4546D81A07C72C8591F6A.mof
    3⤵
    PID:752
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\86F4330E57637679ACB9F17E5F9481D1.mof
    3⤵
    PID:3848
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\86F83A7235F3DC2A6FCDEC052E1E1C74.mof
    3⤵
    PID:1052
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\87218B3AEA759A53DCCA78D6B9BBC66F.mof
    3⤵
    PID:3704
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\875B0EAE58DBE30E13A8DB610457D0AD.mof
    3⤵
    PID:5016
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\87C0585DEAE72716889B524A66D1B5A3.mof
    3⤵
    - Drops file in System32 directory
    PID:3428
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\886EC825992F9DCB7AF34306DA80E12D.mof
    3⤵
    PID:4872
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\88C20208CDD4638C0381F2B7EC657564.mof
    3⤵
    PID:2680
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\8935BD8F59955F30D52E141E311891AB.mof
    3⤵
    PID:1664
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\8999FA8F96032A452671DE654F9BAD9C.mof
    3⤵
    PID:3216
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\89FA1168564BA2D42E7C412972B44BB5.mof
    3⤵
    PID:4596
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\8BA44FC08995F15033A9F5D56C8BFC72.mof
    3⤵
    PID:3236
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\8BC8F7B477D3C6C3184AD0372AEE53F6.mof
    3⤵
    PID:4720
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\8BDE235F11AF9276AB26638F45341094.mof
    3⤵
    PID:2200
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\8BF0E140F8F40D230143B569A1BAE507.mof
    3⤵
    PID:2412
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\8C11323D7C773C8A79C1C61EB62FE331.mof
    3⤵
    PID:2444
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\8CB4C42331F0F4BBCC8E1580131EDCE2.mof
    3⤵
    PID:1844
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\8CBA2BE847D0B28A440C5F24567B0891.mof
    3⤵
    - Drops file in System32 directory
    PID:3940
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\8DB46DD597956632ECDB18D7B2BDF70E.mof
    3⤵
    PID:3392
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\8DB9DE86229327C5777721E4A01FB6B4.mof
    3⤵
    PID:1468
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\8E733CB38D1CDCF7377912244F95A3ED.mof
    3⤵
    PID:1724
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\8E84BA6D260667ADAAD89BFECDD627CB.mof
    3⤵
    PID:4612
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\8ECBCCCC7B4A9C11EC33A03B6E25EA5B.mof
    3⤵
    PID:2208
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\8EE122F840F244E3AE065AF9ADB16CCD.mof
    3⤵
    PID:2176
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\8F07ADF9734C090207F52CC2C29F17AF.mof
    3⤵
    PID:1112
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\8F1ECB08E7908F5D543B0D9386C0EE1B.mof
    3⤵
    PID:3396
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\8FAA7CD5955A0D5862A90FAA2B0A56F4.mof
    3⤵
    PID:3612
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\8FCABF54BDCC2D55C8203E3B81BAC5FF.mof
    3⤵
    PID:5088
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\901B1F181D1D82C168094975DEFB52F3.mof
    3⤵
    - Drops file in System32 directory
    PID:2164
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\902F9B116F0B37B699E9A1D4BB1E2784.mof
    3⤵
    PID:4244
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\90B516E096C71C814FF03EE3F4B20042.mof
    3⤵
    PID:1780
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\92EFA8432E609D6F315DD0A3CB41E1E8.mof
    3⤵
    PID:4936
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\930C5E176BA9A3D78B730BC00CDDF64E.mof
    3⤵
    PID:4308
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\945C37C794BCB294DBA8E445FF2C9DB6.mof
    3⤵
    PID:4132
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\9476FC534A628F39C9E25CA2F2B7B45E.mof
    3⤵
    PID:2332
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\94D3468248838C60F808E50FC66A40D0.mof
    3⤵
    PID:5092
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\953349B5ECB359DD058D07088EA31408.mof
    3⤵
    PID:5040
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\95C6129A16411671ED974764CC24C800.mof
    3⤵
    PID:2420
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\95E06CE9FC028717015354732A36A6C1.mof
    3⤵
    PID:4604
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\960C76B3B2B322906970277571EF6F3C.mof
    3⤵
    PID:4396
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\966B95F249EDF54D9BE98C23AD9B758A.mof
    3⤵
    - Drops file in System32 directory
    PID:3904
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\9694C920807304FD0F9730304298FBFC.mof
    3⤵
    PID:4824
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\96E2369FBCFC254F09B1EA2AF6E7641A.mof
    3⤵
    PID:2132
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\97479A7EBC4B4FA9A0F0C7EF9A25471D.mof
    3⤵
    PID:2448
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\9772382673B9BD1FECD8DED342DC39F8.mof
    3⤵
    PID:1128
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\9787DADF23D03D83A63DC8237E63E3EB.mof
    3⤵
    PID:180
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\979FEF94607A8F13E19684C45FAA30EE.mof
    3⤵
    PID:1204
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\97C10655E91CC076C4E294C0127D974B.mof
    3⤵
    PID:1584
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\97D74F86BDAAADB7B4674A2E199ED992.mof
    3⤵
    PID:2672
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\9823053171CF53F4038B0801004F87BC.mof
    3⤵
    PID:4900
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\98A650FE1443CF2F953B6628EE432373.mof
    3⤵
    PID:3192
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\99BB0F4219E2381969DCE76BF639AC68.mof
    3⤵
    PID:404
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\99BFB05D8CE546325B5205C32233A3BD.mof
    3⤵
    PID:3296
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\9A977B776702BB9FBB29D1FCCF5F778B.mof
    3⤵
    PID:2956
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\9B0C875B0F6F2F48FB2B5C587F50979C.mof
    3⤵
    PID:3504
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\9B1ABD0CEAE78416529CB8D77CEE7B3A.mof
    3⤵
    PID:2276
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\9B75C712017ED3DA97BEA0D4949BFA74.mof
    3⤵
    PID:336
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\9B7AE939DC5E63135058FA28EB025C7C.mof
    3⤵
    PID:1496
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\9B9501A9E26093612D20F39A895DA307.mof
    3⤵
    PID:1852
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\9C1784EBA4E907589027FCF72DE4C0AD.mof
    3⤵
    PID:2644
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\9C44AA8B16C47059241530441BCD6DD9.mof
    3⤵
    PID:1724
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\9C531048714B59E157A371D1186F796E.mof
    3⤵
    PID:4612
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\9CFE6E9E20D61400007C08E31ED048B4.mof
    3⤵
    PID:4748
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\9D40E5B032950BC9770539F90AD86275.mof
    3⤵
    PID:2232
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\9DB628ECA9373F2BA3BCBB592AF60665.mof
    3⤵
    PID:4368
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\9DEA7F87EAEC9FF8770E55D5A6D8CC91.mof
    3⤵
    PID:8
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\9E8B373EB1451CC4B43C871707D12D3D.mof
    3⤵
    PID:3404
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\9ED719089FF4652F4929D88C64B6A1AD.mof
    3⤵
    PID:4756
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\9EF608904C4706610FDA20D08530978E.mof
    3⤵
    PID:1460
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\9F39E54D6756FE5D64BB6FED194D0894.mof
    3⤵
    - Drops file in System32 directory
    PID:3572
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\9FC7214EDE76F8AE24F96A8195852557.mof
    3⤵
    PID:4760
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\9FD6F6552A18165F88BF080B1B4DF1DD.mof
    3⤵
    PID:244
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\A03E3718C1B8425EB481A1EC4850275F.mof
    3⤵
    PID:4180
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\A067787F4F1B728DE125898181C42609.mof
    3⤵
    PID:3436
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\A0A63361726BDAE3BC29B11F7526AFE6.mof
    3⤵
    PID:4028
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\A0CC7ED8939B47C1ED00EB9F04D19EB0.mof
    3⤵
    PID:2356
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\A0DE0DD786E0E9020C3DFD7004E42694.mof
    3⤵
    PID:2560
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\A16EB1FCF4FDFE5542D9FE85FCF4F0E0.mof
    3⤵
    PID:2372
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\A269D70CB8C799952AAD6684D1506485.mof
    3⤵
    PID:2540
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\A2D118894CA6FCC71ACC7DD86296B7A8.mof
    3⤵
    PID:1976
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\A30FD18C5DC0924B89944F8ADE638E27.mof
    3⤵
    PID:4908
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\A396597A6767121F681B483A4B28ABDB.mof
    3⤵
    - Drops file in System32 directory
    PID:696
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\A39A3B3270FEF11AE8ACF901E67BE359.mof
    3⤵
    PID:3512
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\A46C038124134B1482949A1DF8ABB385.mof
    3⤵
    PID:2492
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\A572284932D45BDC47401871C2E01043.mof
    3⤵
    PID:3428
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\A5B62AD916B641B7A8365E1C7C9C7544.mof
    3⤵
    PID:3856
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\A5E0C63B1E67223D493A65CA08D7339B.mof
    3⤵
    PID:4036
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\A71089353F923E1FA26964C3E8153739.mof
    3⤵
    PID:1404
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\A7463B23BFE582993515A0109F19D304.mof
    3⤵
    PID:2848
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\A7D7570238274B86C73F2E9009BDF74F.mof
    3⤵
    PID:3468
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\A808A31E629557CF0D5F92D5D87BD706.mof
    3⤵
    PID:2280
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\A837677C21EC0ECFEB9B10CCD2FEB0E5.mof
    3⤵
    PID:4888
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\A88BC3FD19AFFF0EF5E5DD4A97F9B953.mof
    3⤵
    PID:4392
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\A93568B935C29F9AA2B5DC62D4964431.mof
    3⤵
    PID:4984
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\A945F8B7098A596A55A7303B78BC8CF1.mof
    3⤵
    PID:4556
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\A97B345CDEAABDA620BFB72AD2A07100.mof
    3⤵
    PID:528
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\A9FBCB4593D76446A380C3F3421BC2A7.mof
    3⤵
    PID:2784
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\AA10CCACD6B301F2187572F1FD684AC5.mof
    3⤵
    PID:1632
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\AA510EA6AD14A8BE52A7D659281F9BF3.mof
    3⤵
    PID:3548
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\AA6235372BA3751E1E4C601E6263D02E.mof
    3⤵
    PID:1428
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\AA69B9C8BBEB509BBB296FEDD7B5ED23.mof
    3⤵
    PID:3700
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\AB2AD61FC9800DD5C7751E4270E02730.mof
    3⤵
    PID:5000
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\AB3EC8C66F16D96107223E8469ACA854.mof
    3⤵
    PID:4420
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\AB545518DC0F250493CCF5B36A459568.mof
    3⤵
    PID:3220
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\AB947196AECC60D0365253863489134A.mof
    3⤵
    PID:3612
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\ABA2825A827A4760BD2251B8B781B271.mof
    3⤵
    PID:5048
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\AD20F64F9DDBB4AB72E615A132B55377.mof
    3⤵
    PID:3808
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\AD4ADD965106D211E524A76F9B368A14.mof
    3⤵
    PID:1184
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\AD6E370A764693BABD73A1B75D243F0B.mof
    3⤵
    PID:4452
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\ADEE1E4F403A605328D0002B7C6CA9C7.mof
    3⤵
    PID:2652
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\AE25594AECD77BF35F6E794162F4DD77.mof
    3⤵
    PID:2352
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\AE796E3468AD0D0C250FAA45259E22DB.mof
    3⤵
    PID:4476
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\AE8C8067E61E868B002C481CE87EBE05.mof
    3⤵
    PID:4232
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\AF451AB4377D22C64822DE9E01B1F4E8.mof
    3⤵
    PID:2548
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\AF45D4D704EA10EA55742D1B3C8C6CE2.mof
    3⤵
    PID:5068
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\AF8191ADF52F4156FF8D54FB39842A54.mof
    3⤵
    PID:2244
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\AF83007CC746311C7050A636C44C02DA.mof
    3⤵
    - Drops file in System32 directory
    PID:4088
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\AFC3C909161915255AC43F522C25B858.mof
    3⤵
    PID:1212
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\AFD8B7D322EE2A1CB2BAF41EC0ADF626.mof
    3⤵
    PID:4988
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\AFE689599143A3C959EC6ED84C5AE1F9.mof
    3⤵
    PID:2088
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\AFF15E95C194C0034BFE43E5853DEE63.mof
    3⤵
    PID:4516
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\B0ABD547895829AB29B56F0812CBB823.mof
    3⤵
    PID:428
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\B0C53BEE6C437337AB024CECEE878418.mof
    3⤵
    PID:3108
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\B10EF7584FC5D16C42403B0CA5BD4DFF.mof
    3⤵
    PID:3444
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\B1FD5C4B728DEE34C2744E42C11D8760.mof
    3⤵
    PID:2256
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\B250BBA224E8A08823993336C7CB7011.mof
    3⤵
    PID:2192
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\B25479026E9AAB36CBEBFF51AA0E32B5.mof
    3⤵
    - Drops file in System32 directory
    PID:4900
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\B308B28244CE4219C4C6B3315FA83200.mof
    3⤵
    PID:4312
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\B471CD3F6DA41643CF1F5221FE3E4CF9.mof
    3⤵
    PID:2260
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\B48FFF8D8BB2AE842F6650E8DE95B954.mof
    3⤵
    PID:4448
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\B54261EAEEB4A0D8DB966E20CBEF7E52.mof
    3⤵
    PID:396
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\B551DA824528E06A014274837CB2A9CB.mof
    3⤵
    PID:3300
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\B5DC6196F95A004EDD1453C12599676B.mof
    3⤵
    PID:2336
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\B6752671A157884075FCC12BEDFB4D69.mof
    3⤵
    PID:2736
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\B67D454E426E9AEB60ED08DCC946B44B.mof
    3⤵
    PID:632
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\B6AF1E27DD1C8095A2887A3BECBB76EF.mof
    3⤵
    PID:3568
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\B7133C48CF1507759D1561876C9BA27B.mof
    3⤵
    PID:4868
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\B7840CBF63A47839AD6AD9F714E4D9BB.mof
    3⤵
    PID:1468
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\B789D76E1E0DE4569B56F6FE22E05621.mof
    3⤵
    PID:4568
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\B7DD4F9016C2EF03ADB325C37FC76454.mof
    3⤵
    PID:2208
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\B845DD492B0CE12D87559CED569DE6B1.mof
    3⤵
    PID:3104
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\B8870014FB74FB540F3C31EA907A2AE7.mof
    3⤵
    PID:2232
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\B9B14FBAD84A7125C53EEE7706842C5B.mof
    3⤵
    PID:3540
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\BA42233C2B9592211C49858860047F3F.mof
    3⤵
    PID:2344
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\BA4AF8E4FEBF32A044146607E11B336E.mof
    3⤵
    PID:2864
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\BAE93F9B141EC7983B2E3379E3E9119E.mof
    3⤵
    PID:5112
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\BAE9A5FB11B68C3A726881B291D669F6.mof
    3⤵
    PID:2092
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\BB9039F6B76054E97E7EFE906C52DE12.mof
    3⤵
    PID:1988
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\BCB9C29787770EE14EFCAC19CF508F66.mof
    3⤵
    PID:3320
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\BD557D61619F268BDCEA21C2BDB91514.mof
    3⤵
    PID:4132
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\BD5A24FC505850E33FAACDC4DBFAD85D.mof
    3⤵
    PID:2900
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\BD818313E410FD46A9F63786A32AEE23.mof
    3⤵
    PID:1360
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\BD880669B37B14C73AF9195DB3A20F28.mof
    3⤵
    PID:2284
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\BE8B60428F91B5F96E778F2B2C2832A5.mof
    3⤵
    PID:4200
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\BE8E9D8246C687F5C062F5D47DA1199A.mof
    3⤵
    - Drops file in System32 directory
    PID:4604
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\BEB55E5308BFA4DC17987F4D0DF04295.mof
    3⤵
    PID:2396
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\BEE3F1CC0769E4FD5954E4E649614722.mof
    3⤵
    PID:4636
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\BF15B53EBA3B9699B34F0453D41230A0.mof
    3⤵
    PID:212
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\BF7B61BA8D8284B7D0DA637AB41F6C96.mof
    3⤵
    PID:4824
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\BF7BF74A57B2030A3BB9979E14C311F1.mof
    3⤵
    PID:4924
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\C03089ABF5861ADFD1F7C923D2F9A153.mof
    3⤵
    PID:2108
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\C08E9222775EF82A98E5CDD931ACC633.mof
    3⤵
    PID:1840
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\C09DD3CA03ADBEEE3ABD0ADF668D9848.mof
    3⤵
    PID:3444
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\C0E71AD79C7DB91864FCD17ECFDE1E10.mof
    3⤵
    PID:5004
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\C1A0E85153900845F7BA78472B952007.mof
    3⤵
    PID:4616
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\C1A41FBCA25E3E6CC4CD22064882728F.mof
    3⤵
    PID:4784
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\C1D36889746E38D1BC7C314F51AC80E6.mof
    3⤵
    PID:2280
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\C1FA58EA827D44CFBEE4F63536677F65.mof
    3⤵
    PID:4888
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\C23F41A19D7EC249FDA170C05916CB8F.mof
    3⤵
    PID:3300
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\C25A6E589BBE06A55DB5B350B80152B1.mof
    3⤵
    PID:4620
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\C274B92CA0AA0BC1531712AF28602FDD.mof
    3⤵
    PID:1836
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\C291730B7DFE0290D98702FB8F8B0F1E.mof
    3⤵
    PID:5008
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\C2CD968A064AA98DCC1CC37592A142C7.mof
    3⤵
    PID:4524
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\C304206E30795E3A6539B5DF349C4270.mof
    3⤵
    PID:3548
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\C39C0F5D0934BAE90B29A93BEADC257F.mof
    3⤵
    PID:4668
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\C3C4860D945FD1716E55A2D7AFA8C55D.mof
    3⤵
    PID:3924
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\C3F80855FDF5A3E423EBABF12EB64064.mof
    3⤵
    PID:628
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\C40B30214E633F7974F2729FAE1BC67D.mof
    3⤵
    PID:4584
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\C54E46EF4D4F454E2C3ACD269B67494E.mof
    3⤵
    PID:1712
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\C55F973EDD4E17F6A7CA6F8DC77AC2E8.mof
    3⤵
    PID:3080
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\C599AFA5A6F053BAD70179501868318E.mof
    3⤵
    PID:3612
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\C5A7A3340CB4BCC7A5C994052DAB1A78.mof
    3⤵
    PID:5048
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\C5E5CB06F45AEA0FE31FFD0A0F94194E.mof
    3⤵
    PID:1512
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\C67614C3E48ABD4BC9E709E2CEB2CE53.mof
    3⤵
    - Drops file in System32 directory
    PID:1992
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\C685465F4F6FC210421DA7E9DD550821.mof
    3⤵
    PID:3768
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\C687C1EAD6B670CCBAA60909B89F62CB.mof
    3⤵
    PID:5096
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\C70550846DA118E1E660A10136A7ECA7.mof
    3⤵
    PID:3132
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\C77491DD5CBE96FF7C3528A0FD4A1410.mof
    3⤵
    PID:4848
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\C7999B0462D8EAC32E2ED3A9D0017C97.mof
    3⤵
    PID:2428
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\C7AD207ED7993A4809373AC7E5784F42.mof
    3⤵
    PID:3972
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\C8306578B5F0D111675384D271B4DAE3.mof
    3⤵
    PID:1672
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\C87E3190BEFC663A6A04D6D857ABE30E.mof
    3⤵
    PID:4276
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\C890A36E670146004F5FA6D96F4C069C.mof
    3⤵
    PID:4076
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\C98344F72C7B0FA5F30F1BF6877B4E25.mof
    3⤵
    PID:3704
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\CA1BF3536958E01F710E5995DE6EBE31.mof
    3⤵
    PID:768
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\CA519EE48C39BDA3C1538E5565C377FA.mof
    3⤵
    PID:2492
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\CAC0434A24FA3D5F69B4858EAA050C64.mof
    3⤵
    PID:1204
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\CCFBB6F691A0FA96C5B605CD9D80173B.mof
    3⤵
    PID:4116
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\CD3047E52420EB014D24A73F8DD48F55.mof
    3⤵
    PID:4424
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\CD658FA16F96D4466BFE68FCE874D955.mof
    3⤵
    PID:4916
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\CDB59C31DC153347DDACAC08113F8015.mof
    3⤵
    PID:4652
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\CDC6E4754252FF7D0E8F3C134D265A60.mof
    3⤵
    PID:2724
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\CDDB319981A500F42CBEC98CD2362007.mof
    3⤵
    PID:1912
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\CDEEE4A36DD31A28218DBF5A1A529CFD.mof
    3⤵
    PID:1276
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\CE096445AF8F836B82205BD4E80E5A94.mof
    3⤵
    PID:4812
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\CE7FA5E0DC28E4C7BB0A2AA22DE05392.mof
    3⤵
    PID:3940
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\CF3C74ACDD4465D23E06A73A9D97DFFD.mof
    3⤵
    PID:1200
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\CF4667947FCFC2F62078D3B85CE7EF10.mof
    3⤵
    PID:1836
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\D003EAB9BB96C7DF227404C6B2582455.mof
    3⤵
    PID:2896
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\D02971809B01C7E099D44E7A1436F997.mof
    3⤵
    PID:3800
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\D04911ACFCA47446EFCB01393D3C3F8B.mof
    3⤵
    PID:392
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\D05C15A4875D58D36F57187E7FE4496A.mof
    3⤵
    - Drops file in System32 directory
    PID:4992
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\D05E5243F9713AD9C0F710C5DE549BE2.mof
    3⤵
    PID:2020
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\D06E9123D0C50409B7B9F35A8222CADA.mof
    3⤵
    PID:1112
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\D0E5935486BD6AD49D80F66B81B985DE.mof
    3⤵
    PID:4280
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\D17469C68898749E23D53128870A755C.mof
    3⤵
    - Drops file in System32 directory
    PID:3404
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\D1C240EDA191362672EF6FCCB9725F85.mof
    3⤵
    PID:4664
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\D2412702F385FCB9E6709FB33EB27BDF.mof
    3⤵
    PID:3240
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\D256B700C202A9389F73688CDED83B7E.mof
    3⤵
    PID:1636
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\D2EF06310A52FBA8DF0B6BDFC0D3C664.mof
    3⤵
    PID:3632
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\D2FA07FC4043B26B5CB97692C2AAFF12.mof
    3⤵
    PID:3312
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\D3B2EC2F727A45FED5DC9D6BD0BC833D.mof
    3⤵
    - Drops file in System32 directory
    PID:2800
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\D48232953788C625160D278B29B5D73D.mof
    3⤵
    PID:3596
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\D4D422DBE282F1B12C3A82517EB0D59D.mof
    3⤵
    PID:2900
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\D4F56CCD124A6B24576AF721B0282383.mof
    3⤵
    PID:1360
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\D566F9B651B60AE7D0B5DEBF57A90E35.mof
    3⤵
    PID:2204
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\D64EE91A31A31FCBEAA727029795B289.mof
    3⤵
    PID:752
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\D69C7ED8E3B896ACD98229CB4DC363B6.mof
    3⤵
    PID:4776
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\D6E15C5FE0484F1B1192CEC9DD7DCE6A.mof
    3⤵
    PID:1600
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\D6F45CA88F2F5527EC301A7FA3FF5B8C.mof
    3⤵
    PID:3748
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\D75AD6809E604BB6F018E54A8482C928.mof
    3⤵
    PID:1212
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\D7B94FF620323D536A3B99CCAA6B78DA.mof
    3⤵
    PID:696
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\D7E06DA4457A14F49A9A996F22881130.mof
    3⤵
    PID:2132
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\D8401E2EC2C3AFBC1A21717167BA8734.mof
    3⤵
    PID:2108
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\D8A32838B23AD6809B3B7858DA93D26B.mof
    3⤵
    PID:508
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\D8D1C602836BEF743D38740FCA8D4B8B.mof
    3⤵
    PID:3856
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\D92BDDCE5396A2FDB5F2208AE47E7CE1.mof
    3⤵
    PID:1812
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\D9D86DD1D8501C39B4325827BB6F2270.mof
    3⤵
    PID:1160
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\D9DD8F6664E786227542BCC5FCF66D2D.mof
    3⤵
    PID:1588
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\D9E59C2E17E0CE2AC75DA8E34E9214D0.mof
    3⤵
    PID:2200
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\D9EB7BAFBC23534E43B93A69CFD89687.mof
    3⤵
    PID:3224
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\DA27AF57C09E80A784709AD6239EA23B.mof
    3⤵
    PID:2748
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\DA54B44152345FC1E1817702B2A34D5D.mof
    3⤵
    PID:4888
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\DA5B702F94B3636728C005C0E5C0A6BE.mof
    3⤵
    PID:3500
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\DA736886F13A0E2EE2265319FB376753.mof
    3⤵
    PID:740
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\DAC96F2A49E2484740F118A3CDF28EA3.mof
    3⤵
    PID:2388
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\DAEC8125C10A9D1FB182920A9FDE141A.mof
    3⤵
    PID:1632
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\DB347A2F84FBE8E0965F9BCF8D6FD7E2.mof
    3⤵
    PID:5008
- - C:\Windows\System32\wbem\mofcomp.exe
    mofcomp C:\Windows\System32\wbem\AutoRecover\DB54C5562A50379EFADA86F9B3861ABC.mof
    3⤵
    PID:3340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cleaners\Spoofer.exe

Filesize
24KB

MD5
7a4a3fea89bfe8810ef9835273d6fc84

SHA1
cd411d7d4eed7b622ca2d1ea5495055da76216ee

SHA256
2d9b399a3a584808b4bd38d9f6a12752e2b02875f92252f944a5bd7bf129e2f0

SHA512
a921faf7de2ae61421432ba176ef7254f005bc052d41054019d1fbc5714c213266c598a64cd4c3edd4cec35130e3ce8d7595bb2bcc7c669a20d69b0ca93277d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cleaners\cleaners\applecleaner.exe

Filesize
3.6MB

MD5
f96eb2236970fb3ea97101b923af4228

SHA1
e0eed80f1054acbf5389a7b8860a4503dd3e184a

SHA256
46fe5192387d3f897a134d29c069ebf39c72094c892134d2f0e77b12b11a6172

SHA512
2fd2d28c5f571d40b43a4dd7a22d367ba42420c29627f21ca0a2052070ffb9f689d80dad638238189eed26ed19af626f47e70f1207e10007041c620dac323cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cleaners\cleaners\cleaner.bat

Filesize
3.2MB

MD5
0bef79984a785d284e225d3576239802

SHA1
0a759883c5cd8822f269eca241c4dc8c43d86220

SHA256
33da2dd5c5ef66be92bc9024f58e5b967746ff2f4b693efe68e98df7da6d4c80

SHA512
d5d5aa1e7b3a46af0fd2f94eb5c45c451d3dd3a99debfba1fcda4f704dd3bb54d15fe7d4cda84fa5ca049a81115de73a583aa32da35db862ff6f00799f7700ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\cleaners\spoofers\CupFixerx32.EXE

Filesize
451KB

MD5
feac8b5c2d2b99e7a3c8f1ba41ba3472

SHA1
002bd5344c44f288c22e69b5e2846d515bfa429e

SHA256
7fce635cb66dc1286856a1f1f281b90431288be4a9647a8e0cbd2a0346748b95

SHA512
b95b83545ca45453e6d64b7c2cf276932eded9658187aa91dcff948e59c313ae071b0059a481cd7b01aae778fc4fda71aa830fb99b84197fb17e03e9a10e8e68

Download Submit
C:\Users\Admin\AppData\Local\Temp\cleaners\spoofers\CupFixerx64.exe

Filesize
377KB

MD5
b4eceb90668db85712e66fd493ce4ca5

SHA1
951f3e9503b9b31a0c944355870dbfea0df32441

SHA256
bf8df68bbac80b4382206917b9bb46e8fd6cf76f6acd7374a3e6f5470681597c

SHA512
b912554fd863b237edd9f6518676ca9a190b7c7dc54024973a6062da8bf5ce8c6ad16219032cb0ed1ade7d2b5a855a6dc2aeb71c0ddde476a8bec64068ba0284

Download Submit
C:\Users\Admin\AppData\Local\Temp\cleaners\spoofers\CupFixerx64.sys

Filesize
27KB

MD5
2b3e0db4f00d4b3d0b4d178234b02e72

SHA1
622e7bffda8c80997e149ac11492625572e386e0

SHA256
8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9

SHA512
8f200a2e13aa8a977c94509af5a0fe20e7964a7611e11aaa5ecd5aba73a60275f6f57ed3a6861b82832babfcfe5ec90f0c9067c65ef48f6c7fce69f7ad87baff

Download Submit
C:\Users\Admin\AppData\Local\Temp\cleaners\spoofers\gsoftgmx64.sys

Filesize
29KB

MD5
f22740ba54a400fd2be7690bb204aa08

SHA1
5812387783d61c6ab5702213bb968590a18065e3

SHA256
65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9

SHA512
ac1f89736cf348f634b526569b5783118a1a35324f9ce2f2804001e5a04751f8cc21d09bfa1c4803cd14a64152beba868f5ecf119f10fa3ccbe680d2fb481500

Download Submit
C:\Users\Admin\AppData\Local\Temp\cleaners\spoofers\serial_checker.bat

Filesize
437B

MD5
0c088b6adc55c20fc375badef6f7e9a7

SHA1
37c865ebfe537b94534844281e9086462f3e2462

SHA256
51f783d41ad3a807344eb9550d65cb4638793aac71f4eb4a1a11414b24e339e1

SHA512
7f82c647413f997a537148ab7d1e8a5cff9fef18561783f329485dbb67ab76a2a8defa0a7304feb7e1e79645b50b8cb2d4a069ff3ec668542fdefb1adbde6f5d

Download Submit
C:\Windows\System32\perfc007.dat

Filesize
142KB

MD5
1bd26a75846ce780d72b93caffac89f6

SHA1
ff89b7c5e8c46c6c2e52383849bbf008bd91d66e

SHA256
55b47d0f965800c179a78314b6489d02788a44fa2ce00f68b2d860440216927a

SHA512
4f5e14637e9e89700f1ee2d0e575d26d4f3d164d859487f1471bf4410dec6d0d7dbf552c6f791c12388be035c6b974610cda8882c6394438e2220b79e4d74e9e

Download Submit
C:\Windows\System32\perfc00A.dat

Filesize
147KB

MD5
6d4b430c2abf0ec4ca1909e6e2f097db

SHA1
97c330923a6380fe8ea8e440ce2c568594d3fff7

SHA256
44f8db37f14c399ea27550fa89787add9bfd916ffb0056c37f5908b2bac7723e

SHA512
cf28046fb6ab040d0527d7c89870983c02a110e9fe0ecf276395f080a3bd5745b920a79b3ce3bb820d7a5a878c0d13c37f67f4b5097245c5b93ca1111c1e830b

Download Submit
C:\Windows\System32\perfc00C.dat

Filesize
141KB

MD5
6adbb878124fcd6561655718f12bff5f

SHA1
1711619dda04178fb47eea6658da6ad52f6cf660

SHA256
0b16ac631d596f85f0062dbe5da238c0745bd4c033207cba2508465c7c7983cf

SHA512
88ec8b3c4670970900ef8fdaf0865e24a5bbc9c0ca375eb6ce12e8d8a3ec08c8a45dfc8ae3c7f4ff1974d5e4b53e0905c5dffadb852e730eb8097a22cd750006

Download Submit
C:\Windows\System32\perfc010.dat

Filesize
138KB

MD5
d4b57c62c54e6f62c2239177730248d8

SHA1
7d81fe1eac0d666aaa01064cbcdf51c1d44db819

SHA256
7fb738ffc037deb30ac1aa843af1dfed6772fcae0055e409ff6f5cd7b651716b

SHA512
9939e6835587f814ab575a4ba616f151ef649bac79b207b3536fe38228ebfd55ce50d1bd17d4dc3c11aefc8d421a7c20bee13ffc4a314915a7e50a5e4ce13e6f

Download Submit
C:\Windows\System32\perfc011.dat

Filesize
125KB

MD5
eef14d868d4e0c2354c345abc4902445

SHA1
173c39e29dbe6dfd5044f5f788fa4e7618d68d4d

SHA256
9f32176066529c5699d45728fcad1bccce41d19dded4649b49cb24f7eef9ce7f

SHA512
c926f13a0fc900dd7d740e2d7d33cdd1902ece0bfb44b6e1f5fed6ffd348c3e7d71089fb9792e38799e8df6573bc09e67bbe132cf9c2ae0a7199534dc5d959ee

Download Submit
C:\Windows\System32\perfh007.dat

Filesize
710KB

MD5
82d7f8765db25b313ecf436572dbe840

SHA1
da9ed48d5386a1133f878b3e00988cbf4cdebab8

SHA256
3053aa67e9cb37cd6f9645ef3bec8d43b1863afd852d3860ea73fcd83c7010c3

SHA512
59766b408b548dc020b54c79a426b361112c33c7263c16ca2e69485dadca05fb4c63b6433063e77c6a9e28a43ec6d3c8206ea702a33b79151fa6309d83b316a8

Download Submit
C:\Windows\System32\perfh009.dat

Filesize
680KB

MD5
407f4fed9a4510646f33a2869a184de8

SHA1
e2e622f36b28057bbfbaee754ab6abac2de04778

SHA256
64a9d789cc9e0155153067c4354e1fc8baf3aa319fa870a2047482450811f615

SHA512
1d420ea7ac787df81bbc1534e8fac89227f54fffff70c08c6d2da385762e6c5766448ab4a47aae1c5cbc671776522b6fb6d9c27870b505ae101462bce912867e

Download Submit
C:\Windows\System32\perfh00A.dat

Filesize
754KB

MD5
4e62108a0d4a00aa39624f4f941d2595

SHA1
7fbff1d3ac293c715a303ac37da0ceb12591028b

SHA256
3df3adaa8bd1ec4dd99bf304c7a1b0d513097fbeb8648efad4b127c5522c3263

SHA512
c79a483e4012d8c97f4a2188fdc27ea04bae24993b12487551872f1413a1a0884197dc71d13ba1dfd32c9b2c93089761f6f3ec37f0bb19e209dbf19283462126

Download Submit
C:\Windows\System32\perfh00C.dat

Filesize
758KB

MD5
b87c7ea0e738fc61eb32a94fbd6c6775

SHA1
0e730aa70900f623205b93cb1d6e11be4c0d51b5

SHA256
6cd8b09f644b22c39e02af26b57580baa0fbed01b682d158b29c676d17dac5c0

SHA512
4bad64af992b17a5700cf25ccfa299b2db5be846b8bc28233fa6987964994a34694eb53329ede8d04092298e4b16f06563e459692c210111e0420ee34468f23d

Download Submit
C:\Windows\System32\perfh010.dat

Filesize
747KB

MD5
af84da8efc4350425986bd8d1f9e4aa2

SHA1
d475f5d5003d2152d8f9d976fd762b474e0857fc

SHA256
802e68c2a17427e31589ee76fba78534fa56612d7b20dcdba0c468b06be13e75

SHA512
6ef39476f69635ef1891deb43f251f4077030b3478d771409c84940f9f6128ee4850ee04687cda923816421935ba3cd06ca3e381a3af9e3e17f105f5aa9fc7c6

Download Submit
C:\Windows\System32\perfh011.dat

Filesize
462KB

MD5
906500b906ff5714abfb310609a6207e

SHA1
e085597f06df2b986f482f37d6077247d76c0cba

SHA256
82df03abd566227a4ec99ceae023f79d5886e93b425ecc4a54f53452593f60f1

SHA512
54c5b7cc290aeb34c93c7c1301d90aac2a1190d6e92893b86264682d91930df9e91c644a00c566841031efc3a0c71322106b8c1ce679e026930094c778e77b96

Download Submit
C:\Windows\System32\wbem\Performance\WmiApRpl.h

Filesize
435B

MD5
1cc4c3b9bb1657be77939f0b565e315d

SHA1
6a7ff123e96da6f7fb0fd9b7d7600bfc3540ee25

SHA256
9eb3cbb0f65809845890159efdab0ff5a910da34252e7d5cff2929cc2fa6ab6a

SHA512
fd461013902cf1f89485efc1cbdd07bc294253a1b60d9950e27cdb12937cbb39e3491ddb5dfdc4386df87fa44ee4ca9b3be01d7048850337ff9d68156eea78ef

Download Submit
C:\Windows\System32\wbem\Performance\WmiApRpl.ini

Filesize
1KB

MD5
a656a56b1fda4aa28383160ba6ebea3b

SHA1
bda09bb6f5f28f5470147113e93d46a02853dfe1

SHA256
639cf8acd1fe25a19b9841c9262b4227fcc33bb6658919d31b10ab849253b318

SHA512
fbc74c738bbebb6265688ebec7a6bce18f5a59e98a5417701e5565d5c6e1f8c350da000005fc7441f8a4622043d4a8fd62efe54308cfa59f4ce9ed027dadebae

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads