4ee85019c1ae4d1abf8ea1908f635339d0a4af88ba185dc30e1104e68c7c902e

Resubmissions

10/07/2024, 02:30

240710-czl2gstcke 10

20/06/2024, 12:39

20/06/2024, 12:36

20/06/2024, 12:35

20/06/2024, 12:33

Analysis

max time kernel
1778s
max time network
1508s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
20/06/2024, 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cleaners/cleaner.bat
Size

3.2MB
MD5

0bef79984a785d284e225d3576239802
SHA1

0a759883c5cd8822f269eca241c4dc8c43d86220
SHA256

33da2dd5c5ef66be92bc9024f58e5b967746ff2f4b693efe68e98df7da6d4c80
SHA512

d5d5aa1e7b3a46af0fd2f94eb5c45c451d3dd3a99debfba1fcda4f704dd3bb54d15fe7d4cda84fa5ca049a81115de73a583aa32da35db862ff6f00799f7700ad
SSDEEP

49152:ZTOB4ynYygOvXsMruROZyUpWvWOLZkOReK:1

Score

10^/10

evasion execution persistence privilege_escalation

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Winmgmt\Parameters\ServiceDll = "%SystemRoot%\\system32\\wbem\\WMIsvc.dll"	regsvr32.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\system32\wbem\AutoRecover\3B72DD6E3EC71817FF6A001F937A7FBD.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\73798C03E4DE5FDCF5194ADA9EBFB859.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\B12A30844EDF486DC68A883EAEE07EFD.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\341285245F81AA74FE6654017E06C685.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\1A912C581AC70DC296224968C7240F2E.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\B3D1279CF76B72D4874D43A6EF458EF8.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\EDB534A0AD75CF6CD3441C25046B8E9A.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\22BD4E705855FAECE7FFAB23C49D3662.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\476C3FD56A0D8BA1E9A4920B9C079DD6.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\DB4B73F19DDA515AB1E7FD7FAFBFBA15.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\FC4DF9001B20616C9CB1D98663B7AB78.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\15CB6E2BC4C7288B6A26F06F2EA3EBAA.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\A9731CFE1446C44B70574B7A3A9B02A8.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\5DB779D375458B0C6A4B80A5D8B0F07B.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\7F269E749ABFFBDB9D9CDEE2B0A41AAF.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\D9FB2EA84EA550889AB9F744527912A4.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\AA742824DCADA846BA4B665D686DD5D6.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\DF80FD3849FFF74B4BF43E2EA8ADEC8A.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\C9FFD7DEF039EF1D8845837409469B2F.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\0A9DBC92D554324656F61F9862679F27.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\8EE8FC83289049798EE5B66322A8DA45.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\79A1347BEE2DDBA266DAC7663C7EC688.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\BA62993AB44625B7F9C02CD09C60C108.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\D4C4BA54B6A8FA6211E60E2ADFF7426A.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\95CF8C2673B156E93407C44DA1171F14.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\17FFDF80330024B07853138CB5AFAD9C.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\CBD66ABF99AFFFA4375E215A3072C696.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\65C95633233A81A21D5557E0804A562A.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\A9325A7FC13EE1821F6BC28637472FC3.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\46338086849864D67B0CF6203CC83708.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\0C75BF6FEE0CC2FB2C6FB6B4B0E167EF.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\CF8C0786491B25E81EAF9CD909AF06EA.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\8C718B5AFD373885B68D2836088CAF9A.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\B5A184297A8D5F53BE1B1947FF802729.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\A070E510DD6FB900742044F2CD306750.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\97AFF9FD1B08479A0422F3DE41252DCB.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\2C142C4C15E3B8D139B98154CD083071.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\D04CF75CF95177478D7A2AB8BA487705.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\87AA2A001CE3E89926688B93E4DC2992.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\1E97A05DE566CF6EEAE29D0634E27392.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\092389D621F5A8834203DAAC74CCA279.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\26869DC91CC97FBAE032BEA74B1F7AB8.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\E64C812BDB57F02CCE1B5804475861B7.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\B5BDC89EC19D4D61972165BBEEDD9E38.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\C8463ECBE33BC240263A0B094E46D510.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\1C078F108857519908F320C9860EA9D8.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\A7575F8DE31A912FFE91A7A41B1E382A.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\DF8BF6B131E93D11C67D810B1AAE1BC3.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\BBC8E4A673BF0F9776AFB59B78F6037E.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\D0F718F60C57DAA7F0D86AE75EADAEEC.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\AC7364DB8095313CD61CF47141AF3F0B.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\F01326692CC5736EBAC31B9FC2381CF2.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\A09A7FDBA9278B3329DD4662E80BFE42.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\03FA45E8AD14F8FCC81DC92CF18A9538.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\FD38E89965714BC8838FE9C66DB5567D.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\2E4D1429BE1911C37755271D939627EF.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\A0925B7CAE67304DB8A7D8B009B810D1.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\055E3AB08EE69CBCCCA3B8F96350A405.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\9A369ECD2244BCD3426557FDA9A258A0.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\FE978D9B7A5E71D84CFCDA0F2EFBDBF2.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\F8B5EEAA63CB208A0E9ADBD73A3443CC.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\6317F4B515BD547512FF3AE3ACD81242.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\BD786BABAAB72CA7E7213B34441CCEB8.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\41648FA3AF58F3ACA0843F25FC7B4D28.mof	mofcomp.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.h	regsvr32.exe
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.h	regsvr32.exe
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	regsvr32.exe
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	regsvr32.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3880	sc.exe
904	sc.exe
4884	sc.exe
4160	sc.exe
3556	sc.exe
480	sc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	reg.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	reg.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	reg.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	reg.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	reg.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	reg.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor	reg.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	reg.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	reg.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	reg.exe

Kills process with taskkill 13 IoCs

evasion

pid	Process
644	taskkill.exe
3164	taskkill.exe
2408	taskkill.exe
876	taskkill.exe
1072	taskkill.exe
2212	taskkill.exe
2352	taskkill.exe
3056	taskkill.exe
1848	taskkill.exe
4936	taskkill.exe
2948	taskkill.exe
2344	taskkill.exe
3336	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1E9C5B2-F59B-11D2-B362-00105A1F8177}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Krnlprov.KernelTraceProvider\CurVer\ = "Krnlprov.KernelTraceProvider.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{6DAF9757-2E37-11D2-AEC9-00C04FB68820}	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{72970BEB-81F8-46D4-B220-D743F4E49C95}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemObjectPath.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2DB9FA90-9973-46CF-B310-9865B644699D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0725C3CB-FEFB-11D0-99F9-00C04FC2F8EC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D1C559D-84F0-4BB3-A7D5-56A7435A9BA6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EC231970-6AFD-4215-A72E-97242BB08680}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AA70DDF4-E11C-11D1-ABB0-00C04FD9159E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{854D745C-6742-42C0-8BB9-01EC466B6E87}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DCF33DF4-B510-439F-832A-16B6B514F2A7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69D76D1B-B12E-4913-8F48-671B90195A2B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{755F9DA7-7508-11D1-AD94-00C04FD8FDFF}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{47DFBE54-CF76-11D3-B38F-00105A1F473A}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31739D04-3471-4CF4-9A7C-57A44AE71956}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25411283-46FC-4326-8DF2-FF5D34B2DFEF}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1E9C5B2-F59B-11D2-B362-00105A1F8177}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7E9D3B9-E62B-4A90-8CC5-A3C5F662DA7B}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{55F7B88D-A254-4B22-B7BB-FCDBBA1AFA32}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FD4F53E0-65DC-11D1-AB64-00C04FD9159E}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemObjectPath\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{04788120-12C2-498D-83C1-A7D92E677AC6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1BE41572-91DD-11D1-AEB2-00C04FB68820}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F55C5B4C-517D-11D1-AB57-00C04FD9159E}\NotInsertable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemRefresher\CurVer\ = "WbemScripting.SWbemRefresher.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{37196B39-CCCF-11D2-B35C-00105A1F8177}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A0DC377-A9D3-41CB-BD69-AE1FDAF2DC68}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F6C78EF-FCE5-42FA-ABEA-3E7DF91921DC}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EAC8A024-21E2-4523-AD73-A71A0AA2F56A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{D31B6A3F-9350-40DE-A3FC-A7EDEB9B7C63}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0C0B0642-1DEB-43DF-8032-7A9BF5811A74}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6963B029-B969-40AA-9180-2B2F84075973}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6515834D-6125-4878-A3A3-6B0A73B809A2}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266C72E6-62E8-11D1-AD89-00C04FD8FDFF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WINMGMTS\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6B100E1A-1385-4D1F-A02E-6E705A76BB6C}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EC231970-6AFD-4215-A72E-97242BB08680}\InprocServer32\ = "C:\\Windows\\System32\\wbem\\Microsoft.Uev.AgentWmi.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{55F7B88D-A254-4B22-B7BB-FCDBBA1AFA32}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72967903-68EC-11D0-B729-00AA0062CBB7}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JobObjLimitInfoProv.JobObjLimitInfoProv.1\ = "Win32_JobObjectLimitInfo Component"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E246107B-B06E-11D0-AD61-00C04FD8FDFF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemLocator\ = "WBEM Scripting Locator"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemLocator\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA2AF3B4-C15E-412b-B453-557746675FB7}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8BEBCE8B-1AF0-4323-8B4D-36994567CAE1}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{6E78DAD9-E187-4D6E-BA63-760256D6F405}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{523A581F-EC58-40CE-99D3-36BF7897F3EC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7E9D3B9-E62B-4A90-8CC5-A3C5F662DA7B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{D269BF5C-D9C1-11D3-B38F-00105A1F473A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CB8555CC-9128-11D1-AD9B-00C04FD8FDFF}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C19BE34-7500-11D1-AD94-00C04FD8FDFF}\ProxyStubClsid32	regsvr32.exe

Modifies registry key 1 TTPs 29 IoCs

Modify Registry

T1112

pid	Process
2868	reg.exe
4632	reg.exe
4408	reg.exe
1072	reg.exe
4908	reg.exe
740	reg.exe
2120	reg.exe
3248	reg.exe
1080	reg.exe
820	reg.exe
3036	reg.exe
480	reg.exe
2776	reg.exe
844	reg.exe
2948	reg.exe
2040	reg.exe
2000	reg.exe
3508	reg.exe
4532	reg.exe
988	reg.exe
3112	reg.exe
3056	reg.exe
2980	reg.exe
2904	reg.exe
4712	reg.exe
2724	reg.exe
4056	reg.exe
976	reg.exe
3512	reg.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3336	taskkill.exe
Token: SeDebugPrivilege	644	taskkill.exe
Token: SeDebugPrivilege	3164	taskkill.exe
Token: SeDebugPrivilege	4936	taskkill.exe
Token: SeDebugPrivilege	1072	taskkill.exe
Token: SeDebugPrivilege	2408	taskkill.exe
Token: SeDebugPrivilege	876	taskkill.exe
Token: SeDebugPrivilege	2212	taskkill.exe
Token: SeDebugPrivilege	2352	taskkill.exe
Token: SeDebugPrivilege	3056	taskkill.exe
Token: SeDebugPrivilege	2948	taskkill.exe
Token: SeDebugPrivilege	1848	taskkill.exe
Token: SeDebugPrivilege	2344	taskkill.exe
Token: SeSecurityPrivilege	780	mofcomp.exe
Token: SeAssignPrimaryTokenPrivilege	2264	svchost.exe
Token: SeIncreaseQuotaPrivilege	2264	svchost.exe
Token: SeSecurityPrivilege	2264	svchost.exe
Token: SeTakeOwnershipPrivilege	2264	svchost.exe
Token: SeLoadDriverPrivilege	2264	svchost.exe
Token: SeSystemtimePrivilege	2264	svchost.exe
Token: SeBackupPrivilege	2264	svchost.exe
Token: SeRestorePrivilege	2264	svchost.exe
Token: SeShutdownPrivilege	2264	svchost.exe
Token: SeSystemEnvironmentPrivilege	2264	svchost.exe
Token: SeUndockPrivilege	2264	svchost.exe
Token: SeManageVolumePrivilege	2264	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2264	svchost.exe
Token: SeIncreaseQuotaPrivilege	2264	svchost.exe
Token: SeSecurityPrivilege	2264	svchost.exe
Token: SeTakeOwnershipPrivilege	2264	svchost.exe
Token: SeLoadDriverPrivilege	2264	svchost.exe
Token: SeSystemtimePrivilege	2264	svchost.exe
Token: SeBackupPrivilege	2264	svchost.exe
Token: SeRestorePrivilege	2264	svchost.exe
Token: SeShutdownPrivilege	2264	svchost.exe
Token: SeSystemEnvironmentPrivilege	2264	svchost.exe
Token: SeUndockPrivilege	2264	svchost.exe
Token: SeManageVolumePrivilege	2264	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2264	svchost.exe
Token: SeIncreaseQuotaPrivilege	2264	svchost.exe
Token: SeSecurityPrivilege	2264	svchost.exe
Token: SeTakeOwnershipPrivilege	2264	svchost.exe
Token: SeLoadDriverPrivilege	2264	svchost.exe
Token: SeSystemtimePrivilege	2264	svchost.exe
Token: SeBackupPrivilege	2264	svchost.exe
Token: SeRestorePrivilege	2264	svchost.exe
Token: SeShutdownPrivilege	2264	svchost.exe
Token: SeSystemEnvironmentPrivilege	2264	svchost.exe
Token: SeUndockPrivilege	2264	svchost.exe
Token: SeManageVolumePrivilege	2264	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2264	svchost.exe
Token: SeIncreaseQuotaPrivilege	2264	svchost.exe
Token: SeSecurityPrivilege	2264	svchost.exe
Token: SeTakeOwnershipPrivilege	2264	svchost.exe
Token: SeLoadDriverPrivilege	2264	svchost.exe
Token: SeSystemtimePrivilege	2264	svchost.exe
Token: SeBackupPrivilege	2264	svchost.exe
Token: SeRestorePrivilege	2264	svchost.exe
Token: SeShutdownPrivilege	2264	svchost.exe
Token: SeSystemEnvironmentPrivilege	2264	svchost.exe
Token: SeUndockPrivilege	2264	svchost.exe
Token: SeManageVolumePrivilege	2264	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2264	svchost.exe
Token: SeIncreaseQuotaPrivilege	2264	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 5060	2316	cmd.exe	79
PID 2316 wrote to memory of 5060	2316	cmd.exe	79
PID 2316 wrote to memory of 3336	2316	cmd.exe	80
PID 2316 wrote to memory of 3336	2316	cmd.exe	80
PID 2316 wrote to memory of 644	2316	cmd.exe	83
PID 2316 wrote to memory of 644	2316	cmd.exe	83
PID 2316 wrote to memory of 3164	2316	cmd.exe	84
PID 2316 wrote to memory of 3164	2316	cmd.exe	84
PID 2316 wrote to memory of 4936	2316	cmd.exe	85
PID 2316 wrote to memory of 4936	2316	cmd.exe	85
PID 2316 wrote to memory of 1072	2316	cmd.exe	86
PID 2316 wrote to memory of 1072	2316	cmd.exe	86
PID 2316 wrote to memory of 2408	2316	cmd.exe	87
PID 2316 wrote to memory of 2408	2316	cmd.exe	87
PID 2316 wrote to memory of 876	2316	cmd.exe	88
PID 2316 wrote to memory of 876	2316	cmd.exe	88
PID 2316 wrote to memory of 2212	2316	cmd.exe	89
PID 2316 wrote to memory of 2212	2316	cmd.exe	89
PID 2316 wrote to memory of 2352	2316	cmd.exe	90
PID 2316 wrote to memory of 2352	2316	cmd.exe	90
PID 2316 wrote to memory of 3056	2316	cmd.exe	91
PID 2316 wrote to memory of 3056	2316	cmd.exe	91
PID 2316 wrote to memory of 2948	2316	cmd.exe	92
PID 2316 wrote to memory of 2948	2316	cmd.exe	92
PID 2316 wrote to memory of 1848	2316	cmd.exe	93
PID 2316 wrote to memory of 1848	2316	cmd.exe	93
PID 2316 wrote to memory of 2344	2316	cmd.exe	94
PID 2316 wrote to memory of 2344	2316	cmd.exe	94
PID 2316 wrote to memory of 3880	2316	cmd.exe	95
PID 2316 wrote to memory of 3880	2316	cmd.exe	95
PID 2316 wrote to memory of 904	2316	cmd.exe	96
PID 2316 wrote to memory of 904	2316	cmd.exe	96
PID 2316 wrote to memory of 4884	2316	cmd.exe	97
PID 2316 wrote to memory of 4884	2316	cmd.exe	97
PID 2316 wrote to memory of 3556	2316	cmd.exe	98
PID 2316 wrote to memory of 3556	2316	cmd.exe	98
PID 2316 wrote to memory of 4160	2316	cmd.exe	99
PID 2316 wrote to memory of 4160	2316	cmd.exe	99
PID 2316 wrote to memory of 648	2316	cmd.exe	100
PID 2316 wrote to memory of 648	2316	cmd.exe	100
PID 648 wrote to memory of 4280	648	net.exe	101
PID 648 wrote to memory of 4280	648	net.exe	101
PID 2316 wrote to memory of 4472	2316	cmd.exe	103
PID 2316 wrote to memory of 4472	2316	cmd.exe	103
PID 2316 wrote to memory of 5052	2316	cmd.exe	104
PID 2316 wrote to memory of 5052	2316	cmd.exe	104
PID 2316 wrote to memory of 1476	2316	cmd.exe	105
PID 2316 wrote to memory of 1476	2316	cmd.exe	105
PID 2316 wrote to memory of 488	2316	cmd.exe	106
PID 2316 wrote to memory of 488	2316	cmd.exe	106
PID 2316 wrote to memory of 3428	2316	cmd.exe	107
PID 2316 wrote to memory of 3428	2316	cmd.exe	107
PID 2316 wrote to memory of 2888	2316	cmd.exe	108
PID 2316 wrote to memory of 2888	2316	cmd.exe	108
PID 2316 wrote to memory of 2848	2316	cmd.exe	109
PID 2316 wrote to memory of 2848	2316	cmd.exe	109
PID 2316 wrote to memory of 2604	2316	cmd.exe	110
PID 2316 wrote to memory of 2604	2316	cmd.exe	110
PID 2316 wrote to memory of 4968	2316	cmd.exe	111
PID 2316 wrote to memory of 4968	2316	cmd.exe	111
PID 2316 wrote to memory of 456	2316	cmd.exe	112
PID 2316 wrote to memory of 456	2316	cmd.exe	112
PID 2316 wrote to memory of 1048	2316	cmd.exe	113
PID 2316 wrote to memory of 1048	2316	cmd.exe	113

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cleaners\cleaner.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:5060
- C:\Windows\system32\taskkill.exe
  taskkill /f /im epicgameslauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3336
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:644
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3164
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4936
- C:\Windows\system32\taskkill.exe
  taskkill /f /im OneDrive.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1072
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2408
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EpicGamesLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:876
- C:\Windows\system32\taskkill.exe
  taskkill /f /im UnrealCEFSubProcess.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2212
- C:\Windows\system32\taskkill.exe
  taskkill /f /im CEFProcess.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2352
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EasyAntiCheat.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3056
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEService.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEServices.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1848
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BattleEye.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Windows\system32\sc.exe
  Sc stop EasyAntiCheat
  2⤵
  - Launches sc.exe
  PID:3880
- C:\Windows\system32\sc.exe
  Sc stop FortniteClient-Win64-Shipping_EAC
  2⤵
  - Launches sc.exe
  PID:904
- C:\Windows\system32\sc.exe
  Sc stop BattleEye
  2⤵
  - Launches sc.exe
  PID:4884
- C:\Windows\system32\sc.exe
  Sc stop FortniteClient-Win64-Shipping_BE
  2⤵
  - Launches sc.exe
  PID:3556
- C:\Windows\system32\sc.exe
  sc config winmgmt start= disabled
  2⤵
  - Launches sc.exe
  PID:4160
- C:\Windows\system32\net.exe
  net stop winmgmt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:648
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop winmgmt /y
    3⤵
    PID:4280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b *.dll
  2⤵
  PID:4472
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s appbackgroundtask.dll
  2⤵
  PID:5052
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s cimwin32.dll
  2⤵
  - Modifies registry class
  PID:1476
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s DMWmiBridgeProv.dll
  2⤵
  PID:488
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s DMWmiBridgeProv1.dll
  2⤵
  PID:3428
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s dnsclientcim.dll
  2⤵
  PID:2888
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s dnsclientpsprovider.dll
  2⤵
  PID:2848
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s Dscpspluginwkr.dll
  2⤵
  PID:2604
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s dsprov.dll
  2⤵
  PID:4968
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s EmbeddedLockdownWmi.dll
  2⤵
  PID:456
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s esscli.dll
  2⤵
  PID:1048
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s EventTracingManagement.dll
  2⤵
  PID:656
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s fastprox.dll
  2⤵
  - Modifies registry class
  PID:2596
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s ipmiprr.dll
  2⤵
  PID:4708
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s ipmiprv.dll
  2⤵
  PID:2664
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s KrnlProv.dll
  2⤵
  - Modifies registry class
  PID:720
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s MDMAppProv.dll
  2⤵
  PID:5096
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s MDMSettingsProv.dll
  2⤵
  PID:4980
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s Microsoft.AppV.AppVClientWmi.dll
  2⤵
  PID:3924
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s Microsoft.Uev.AgentWmi.dll
  2⤵
  - Modifies registry class
  PID:2452
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s MMFUtil.dll
  2⤵
  PID:5080
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s mofd.dll
  2⤵
  - Modifies registry class
  PID:3836
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s mofinstall.dll
  2⤵
  PID:2340
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s msdtcwmi.dll
  2⤵
  PID:2852
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s msiprov.dll
  2⤵
  PID:3644
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s NCProv.dll
  2⤵
  PID:2004
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s ndisimplatcim.dll
  2⤵
  PID:2828
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s NetAdapterCim.dll
  2⤵
  PID:4076
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s netdacim.dll
  2⤵
  PID:2108
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s NetEventPacketCapture.dll
  2⤵
  PID:3876
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s netnccim.dll
  2⤵
  PID:4300
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s NetPeerDistCim.dll
  2⤵
  PID:5068
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s netswitchteamcim.dll
  2⤵
  PID:1948
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s NetTCPIP.dll
  2⤵
  PID:1096
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s netttcim.dll
  2⤵
  PID:2016
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s nlmcim.dll
  2⤵
  PID:4292
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s ntevt.dll
  2⤵
  - Modifies registry class
  PID:2760
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s PolicMan.dll
  2⤵
  - Modifies registry class
  PID:3456
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s PrintManagementProvider.dll
  2⤵
  PID:1448
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s qoswmi.dll
  2⤵
  PID:3496
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s RacWmiProv.dll
  2⤵
  PID:924
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s repdrvfs.dll
  2⤵
  PID:1768
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s schedprov.dll
  2⤵
  PID:3904
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s ServDeps.dll
  2⤵
  PID:4124
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s SMTPCons.dll
  2⤵
  PID:2260
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s stdprov.dll
  2⤵
  - Modifies registry class
  PID:3628
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s vdswmi.dll
  2⤵
  PID:4668
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s viewprov.dll
  2⤵
  - Modifies registry class
  PID:4644
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s vpnclientpsprovider.dll
  2⤵
  PID:5060
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s vsswmi.dll
  2⤵
  - Modifies registry class
  PID:2280
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemcntl.dll
  2⤵
  PID:1792
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemcons.dll
  2⤵
  - Modifies registry class
  PID:4580
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemcore.dll
  2⤵
  PID:2896
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemdisp.dll
  2⤵
  - Modifies registry class
  PID:2008
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemess.dll
  2⤵
  - Modifies registry class
  PID:2532
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemprox.dll
  2⤵
  - Modifies registry class
  PID:2952
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemsvc.dll
  2⤵
  - Modifies registry class
  PID:4564
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WdacWmiProv.dll
  2⤵
  PID:3992
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wfascim.dll
  2⤵
  PID:4528
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s Win32_EncryptableVolume.dll
  2⤵
  PID:4040
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s Win32_Tpm.dll
  2⤵
  PID:4088
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WinMgmtR.dll
  2⤵
  PID:876
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WmiApRes.dll
  2⤵
  PID:3972
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WmiApRpl.dll
  2⤵
  - Drops file in Windows directory
  PID:2212
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WMICOOKR.dll
  2⤵
  PID:4148
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WmiDcPrv.dll
  2⤵
  PID:3120
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wmipcima.dll
  2⤵
  - Modifies registry class
  PID:2376
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wmipdfs.dll
  2⤵
  PID:1556
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wmipdskq.dll
  2⤵
  PID:3124
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WmiPerfClass.dll
  2⤵
  - Modifies registry class
  PID:4068
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WmiPerfInst.dll
  2⤵
  - Modifies registry class
  PID:4272
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WMIPICMP.dll
  2⤵
  PID:4480
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WMIPIPRT.dll
  2⤵
  PID:3248
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WMIPJOBJ.dll
  2⤵
  - Modifies registry class
  PID:3084
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wmiprov.dll
  2⤵
  - Modifies registry class
  PID:556
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WmiPrvSD.dll
  2⤵
  - Modifies registry class
  PID:2236
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WMIPSESS.dll
  2⤵
  - Modifies registry class
  PID:4532
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WMIsvc.dll
  2⤵
  - Server Software Component: Terminal Services DLL
  PID:4824
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wmitimep.dll
  2⤵
  PID:2688
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wmiutils.dll
  2⤵
  - Modifies registry class
  PID:4916
- C:\Windows\System32\wbem\WmiPrvSE.exe
  wmiprvse /regserver
  2⤵
  PID:2944
- C:\Windows\System32\wbem\WinMgmt.exe
  winmgmt /regserver
  2⤵
  PID:808
- C:\Windows\system32\sc.exe
  sc config winmgmt start= auto
  2⤵
  - Launches sc.exe
  PID:480
- C:\Windows\system32\net.exe
  net start winmgmt
  2⤵
  PID:240
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start winmgmt
    3⤵
    PID:2456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /s /b *.mof *.mfl
  2⤵
  PID:1436
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\aeinv.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:780
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AgentWmi.mof
  2⤵
  PID:3492
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AgentWmiUninstall.mof
  2⤵
  PID:1460
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\appbackgroundtask.mof
  2⤵
  PID:692
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\appbackgroundtask_uninstall.mof
  2⤵
  PID:960
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AuditRsop.mof
  2⤵
  - Drops file in System32 directory
  PID:4600
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\authfwcfg.mof
  2⤵
  PID:2772
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\bcd.mof
  2⤵
  PID:4696
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\BthMtpEnum.mof
  2⤵
  PID:4364
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\cimdmtf.mof
  2⤵
  PID:1888
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\cimwin32.mof
  2⤵
  PID:1564
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\CIWmi.mof
  2⤵
  PID:1448
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\classlog.mof
  2⤵
  - Drops file in System32 directory
  PID:1124
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\cli.mof
  2⤵
  PID:4672
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\cliegaliases.mof
  2⤵
  - Drops file in System32 directory
  PID:4476
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ddp.mof
  2⤵
  PID:2240
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\dimsjob.mof
  2⤵
  PID:4936
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\dimsroam.mof
  2⤵
  PID:1072
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv.mof
  2⤵
  PID:1576
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv1.mof
  2⤵
  PID:1368
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv1_Uninstall.mof
  2⤵
  PID:1896
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv_Uninstall.mof
  2⤵
  PID:2948
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\dnsclientcim.mof
  2⤵
  - Drops file in System32 directory
  PID:1328
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\dnsclientpsprovider.mof
  2⤵
  PID:4404
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\dnsclientpsprovider_Uninstall.mof
  2⤵
  PID:4880
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\drvinst.mof
  2⤵
  PID:1908
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\DscCore.mof
  2⤵
  PID:2376
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\DscCoreConfProv.mof
  2⤵
  PID:4068
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\dscproxy.mof
  2⤵
  PID:3248
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\DscTimer.mof
  2⤵
  PID:556
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\dsprov.mof
  2⤵
  PID:2688
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\eaimeapi.mof
  2⤵
  PID:2176
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\embeddedlockdownwmi.mof
  2⤵
  PID:4380
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\embeddedlockdownwmi_Uninstall.mof
  2⤵
  PID:4280
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\EventTracingManagement.mof
  2⤵
  PID:4624
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fdPHost.mof
  2⤵
  PID:3888
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fdrespub.mof
  2⤵
  PID:1464
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fdSSDP.mof
  2⤵
  PID:2392
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fdWNet.mof
  2⤵
  PID:692
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fdWSD.mof
  2⤵
  PID:960
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\filetrace.mof
  2⤵
  PID:2180
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\firewallapi.mof
  2⤵
  PID:1892
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\FolderRedirectionWMIProvider.mof
  2⤵
  - Drops file in System32 directory
  PID:2108
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\FunDisc.mof
  2⤵
  PID:4356
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fwcfg.mof
  2⤵
  PID:1076
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\hbaapi.mof
  2⤵
  - Drops file in System32 directory
  PID:2328
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\hnetcfg.mof
  2⤵
  PID:4180
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\IMAPIv2-Base.mof
  2⤵
  PID:4664
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\IMAPIv2-FileSystemSupport.mof
  2⤵
  PID:3200
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\IMAPIv2-LegacyShim.mof
  2⤵
  PID:4672
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\interop.mof
  2⤵
  - Drops file in System32 directory
  PID:2404
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\IpmiDTrc.mof
  2⤵
  PID:2824
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ipmiprv.mof
  2⤵
  PID:2952
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\IpmiPTrc.mof
  2⤵
  PID:1072
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ipsecsvc.mof
  2⤵
  PID:4088
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\iscsidsc.mof
  2⤵
  PID:4372
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\iscsihba.mof
  2⤵
  PID:4748
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\iscsiprf.mof
  2⤵
  - Drops file in System32 directory
  PID:4908
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\iscsirem.mof
  2⤵
  PID:1008
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\iscsiwmiv2.mof
  2⤵
  - Drops file in System32 directory
  PID:4072
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\iscsiwmiv2_uninstall.mof
  2⤵
  PID:576
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\kerberos.mof
  2⤵
  PID:3408
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\krnlprov.mof
  2⤵
  PID:4996
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\L2SecHC.mof
  2⤵
  - Drops file in System32 directory
  PID:3512
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\lltdio.mof
  2⤵
  PID:3248
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\lltdsvc.mof
  2⤵
  PID:4524
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\lsasrv.mof
  2⤵
  PID:3580
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mblctr.mof
  2⤵
  PID:3080
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\MDMAppProv.mof
  2⤵
  PID:2256
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\MDMAppProv_Uninstall.mof
  2⤵
  PID:2512
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\MDMSettingsProv.mof
  2⤵
  PID:2548
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\MDMSettingsProv_Uninstall.mof
  2⤵
  PID:8
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Microsoft-Windows-OfflineFiles.mof
  2⤵
  PID:4108
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Microsoft-Windows-Remote-FileSystem.mof
  2⤵
  PID:1464
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi.mof
  2⤵
  PID:2392
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Microsoft.Uev.ManagedAgentWmi.mof
  2⤵
  PID:3372
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Microsoft.Uev.ManagedAgentWmiUninstall.mof
  2⤵
  - Drops file in System32 directory
  PID:4492
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mispace.mof
  2⤵
  PID:3912
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mispace_uninstall.mof
  2⤵
  PID:4696
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mmc.mof
  2⤵
  PID:1948
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mountmgr.mof
  2⤵
  PID:680
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mpeval.mof
  2⤵
  PID:2912
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mpsdrv.mof
  2⤵
  PID:1880
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mpssvc.mof
  2⤵
  PID:1844
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\MsDtcWmi.mof
  2⤵
  - Drops file in System32 directory
  PID:2724
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\msfeeds.mof
  2⤵
  PID:2384
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\msfeedsbs.mof
  2⤵
  PID:644
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\msi.mof
  2⤵
  PID:1324
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\msiscsi.mof
  2⤵
  PID:4936
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\MsNetImPlatform.mof
  2⤵
  PID:876
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mstsc.mof
  2⤵
  PID:1312
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mstscax.mof
  2⤵
  PID:4628
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\msv1_0.mof
  2⤵
  PID:820
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mswmdm.mof
  2⤵
  PID:4784
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ncprov.mof
  2⤵
  PID:904
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ncsi.mof
  2⤵
  PID:540
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ndistrace.mof
  2⤵
  PID:1004
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetAdapterCim.mof
  2⤵
  PID:3124
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetAdapterCimTrace.mof
  2⤵
  PID:2376
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetAdapterCimTraceUninstall.mof
  2⤵
  PID:804
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetAdapterCim_uninstall.mof
  2⤵
  PID:988
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\netdacim.mof
  2⤵
  PID:2136
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\netdacim_uninstall.mof
  2⤵
  PID:2688
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetEventPacketCapture.mof
  2⤵
  PID:332
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetEventPacketCapture_uninstall.mof
  2⤵
  PID:2428
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\netnccim.mof
  2⤵
  PID:3704
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\netnccim_uninstall.mof
  2⤵
  PID:2844
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetPeerDistCim.mof
  2⤵
  PID:748
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetPeerDistCim_uninstall.mof
  2⤵
  PID:1460
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\netprofm.mof
  2⤵
  PID:5076
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetSwitchTeam.mof
  2⤵
  PID:2288
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetTCPIP.mof
  2⤵
  PID:3968
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetTCPIP_Uninstall.mof
  2⤵
  PID:4076
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\netttcim.mof
  2⤵
  - Drops file in System32 directory
  PID:4460
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\netttcim_uninstall.mof
  2⤵
  PID:1892
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\networkitemfactory.mof
  2⤵
  PID:4696
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\newdev.mof
  2⤵
  PID:1948
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\nlasvc.mof
  2⤵
  PID:680
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\nlmcim.mof
  2⤵
  - Drops file in System32 directory
  PID:3448
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\nlmcim_uninstall.mof
  2⤵
  PID:1300
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\nlsvc.mof
  2⤵
  PID:356
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\npivwmi.mof
  2⤵
  PID:1992
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\nshipsec.mof
  2⤵
  PID:1732
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ntevt.mof
  2⤵
  PID:2516
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ntfs.mof
  2⤵
  PID:4852
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\OfflineFilesConfigurationWmiProvider.mof
  2⤵
  PID:2940
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\OfflineFilesConfigurationWmiProvider_Uninstall.mof
  2⤵
  PID:2272
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\OfflineFilesWmiProvider.mof
  2⤵
  - Drops file in System32 directory
  PID:4612
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\OfflineFilesWmiProvider_Uninstall.mof
  2⤵
  PID:4640
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\p2p-mesh.mof
  2⤵
  PID:1428
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\p2p-pnrp.mof
  2⤵
  PID:4548
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\pcsvDevice.mof
  2⤵
  PID:1684
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\pcsvDevice_Uninstall.mof
  2⤵
  PID:4072
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\PNPXAssoc.mof
  2⤵
  PID:2692
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\PolicMan.mof
  2⤵
  PID:4488
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\polproc.mof
  2⤵
  PID:3088
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\polprocl.mof
  2⤵
  - Drops file in System32 directory
  PID:3440
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\polprou.mof
  2⤵
  PID:3248
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\polstore.mof
  2⤵
  PID:1036
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\portabledeviceapi.mof
  2⤵
  PID:1016
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\portabledeviceclassextension.mof
  2⤵
  PID:4544
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\portabledeviceconnectapi.mof
  2⤵
  PID:4848
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\portabledevicetypes.mof
  2⤵
  PID:2780
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\portabledevicewiacompat.mof
  2⤵
  PID:2820
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\powermeterprovider.mof
  2⤵
  PID:4504
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\PowerPolicyProvider.mof
  2⤵
  PID:1048
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ppcRsopCompSchema.mof
  2⤵
  - Drops file in System32 directory
  PID:1460
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ppcRsopUserSchema.mof
  2⤵
  PID:5076
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\PrintFilterPipelineSvc.mof
  2⤵
  PID:2288
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\PrintManagementProvider.mof
  2⤵
  PID:5080
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\profileassociationprovider.mof
  2⤵
  PID:2676
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\PS_MMAgent.mof
  2⤵
  - Drops file in System32 directory
  PID:4460
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\qmgr.mof
  2⤵
  PID:1196
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\qoswmi.mof
  2⤵
  - Drops file in System32 directory
  PID:2760
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\qoswmitrc.mof
  2⤵
  PID:3148
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\qoswmitrc_uninstall.mof
  2⤵
  PID:4752
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\qoswmi_uninstall.mof
  2⤵
  PID:4688
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\RacWmiProv.mof
  2⤵
  - Drops file in System32 directory
  PID:3200
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\rdpendp.mof
  2⤵
  PID:4060
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\rdpinit.mof
  2⤵
  PID:2064
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\rdpshell.mof
  2⤵
  PID:4564
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\refs.mof
  2⤵
  PID:1612
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\refsv1.mof
  2⤵
  PID:4936
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\regevent.mof
  2⤵
  - Drops file in System32 directory
  PID:1576
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Remove.Microsoft.AppV.AppvClientWmi.mof
  2⤵
  PID:1896
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\rsop.mof
  2⤵
  PID:1204
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\rspndr.mof
  2⤵
  PID:2628
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\samsrv.mof
  2⤵
  PID:4784
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\scersop.mof
  2⤵
  PID:2532
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\schannel.mof
  2⤵
  PID:1524
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\SchedProv.mof
  2⤵
  - Drops file in System32 directory
  PID:1004
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\scm.mof
  2⤵
  PID:2972
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\scrcons.mof
  2⤵
  PID:3348
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\sdbus.mof
  2⤵
  PID:2904
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\secrcw32.mof
  2⤵
  PID:2944
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\SensorsClassExtension.mof
  2⤵
  PID:460
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ServiceModel.mof
  2⤵
  PID:980
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ServiceModel35.mof
  2⤵
  - Drops file in System32 directory
  PID:4248
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\services.mof
  2⤵
  PID:4968
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\setupapi.mof
  2⤵
  PID:3704
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\SmbWitnessWmiv2Provider.mof
  2⤵
  PID:2460
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\smbwmiv2.mof
  2⤵
  PID:3756
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\smtpcons.mof
  2⤵
  PID:4684
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\sppwmi.mof
  2⤵
  PID:2068
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\sr.mof
  2⤵
  - Drops file in System32 directory
  PID:5076
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\sstpsvc.mof
  2⤵
  PID:3968
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\storagewmi.mof
  2⤵
  - Drops file in System32 directory
  PID:3876
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\storagewmi_passthru.mof
  2⤵
  - Drops file in System32 directory
  PID:4460
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\storagewmi_passthru_uninstall.mof
  2⤵
  PID:1196
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\storagewmi_uninstall.mof
  2⤵
  PID:5024
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\stortrace.mof
  2⤵
  PID:4304
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\subscrpt.mof
  2⤵
  PID:4752
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\system.mof
  2⤵
  - Drops file in System32 directory
  PID:1200
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\tcpip.mof
  2⤵
  PID:2524
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\tsallow.mof
  2⤵
  PID:2384
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\tscfgwmi.mof
  2⤵
  PID:4056
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\tsmf.mof
  2⤵
  PID:2952
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\tspkg.mof
  2⤵
  PID:3972
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\umb.mof
  2⤵
  PID:2776
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\umbus.mof
  2⤵
  PID:1072
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\umpass.mof
  2⤵
  PID:4612
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\umpnpmgr.mof
  2⤵
  PID:4640
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\UserProfileConfigurationWmiProvider.mof
  2⤵
  PID:1204
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\UserProfileWmiProvider.mof
  2⤵
  PID:2980
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\UserStateWMIProvider.mof
  2⤵
  - Drops file in System32 directory
  PID:4884
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\vds.mof
  2⤵
  PID:4072
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\vpnclientpsprovider.mof
  2⤵
  PID:2408
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\vpnclientpsprovider_Uninstall.mof
  2⤵
  PID:3772
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\vss.mof
  2⤵
  PID:3512
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WBEMCons.mof
  2⤵
  PID:556
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wcncsvc.mof
  2⤵
  PID:2124
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WdacEtwProv.mof
  2⤵
  PID:2032
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WdacWmiProv.mof
  2⤵
  - Drops file in System32 directory
  PID:2456
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WdacWmiProv_Uninstall.mof
  2⤵
  PID:4848
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Wdf01000.mof
  2⤵
  PID:1532
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Wdf01000Uninstall.mof
  2⤵
  PID:2208
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wdigest.mof
  2⤵
  PID:4504
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WFAPIGP.mof
  2⤵
  PID:1484
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wfascim.mof
  2⤵
  PID:4100
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wfascim_uninstall.mof
  2⤵
  PID:4684
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WFP.MOF
  2⤵
  PID:3832
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wfs.mof
  2⤵
  PID:3372
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\whqlprov.mof
  2⤵
  PID:4076
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Win32_DeviceGuard.mof
  2⤵
  PID:3912
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\win32_encryptablevolume.mof
  2⤵
  PID:3456
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Win32_EncryptableVolumeUninstall.mof
  2⤵
  PID:1948
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\win32_printer.mof
  2⤵
  PID:3540
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Win32_Tpm.mof
  2⤵
  - Drops file in System32 directory
  PID:2912
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wininit.mof
  2⤵
  PID:2160
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\winipsec.mof
  2⤵
  PID:4672
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\winlogon.mof
  2⤵
  PID:1652
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Winsat.mof
  2⤵
  PID:1644
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WinsatUninstall.mof
  2⤵
  PID:3452
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wlan.mof
  2⤵
  PID:2192
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WLanHC.mof
  2⤵
  PID:4040
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmi.mof
  2⤵
  PID:2952
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipcima.mof
  2⤵
  PID:4836
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipdfs.mof
  2⤵
  PID:3936
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipdskq.mof
  2⤵
  - Drops file in System32 directory
  PID:2940
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WmiPerfClass.mof
  2⤵
  PID:2876
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WmiPerfInst.mof
  2⤵
  PID:4908
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipicmp.mof
  2⤵
  PID:1328
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipiprt.mof
  2⤵
  - Drops file in System32 directory
  PID:3368
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipjobj.mof
  2⤵
  PID:4148
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipsess.mof
  2⤵
  PID:1420
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmitimep.mof
  2⤵
  PID:3124
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WMI_Tracing.mof
  2⤵
  PID:900
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmp.mof
  2⤵
  PID:4824
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmpnetwk.mof
  2⤵
  PID:3036
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpdbusenum.mof
  2⤵
  PID:568
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpdcomp.mof
  2⤵
  PID:4500
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpdfs.mof
  2⤵
  PID:3804
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpdmtp.mof
  2⤵
  PID:4848
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpdshext.mof
  2⤵
  PID:4308
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WPDShServiceObj.mof
  2⤵
  PID:3608
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpdsp.mof
  2⤵
  PID:2596
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpd_ci.mof
  2⤵
  PID:3492
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WsmAgent.mof
  2⤵
  PID:4276
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WsmAgentUninstall.mof
  2⤵
  PID:3836
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WsmAuto.mof
  2⤵
  PID:5092
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wsp_fs.mof
  2⤵
  PID:612
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wsp_fs_uninstall.mof
  2⤵
  PID:5088
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wsp_health.mof
  2⤵
  - Drops file in System32 directory
  PID:5068
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wsp_health_uninstall.mof
  2⤵
  PID:408
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wsp_sr.mof
  2⤵
  PID:2248
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wsp_sr_uninstall.mof
  2⤵
  PID:680
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WUDFx.mof
  2⤵
  PID:2664
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Wudfx02000.mof
  2⤵
  PID:2724
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Wudfx02000Uninstall.mof
  2⤵
  PID:1300
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WUDFxUninstall.mof
  2⤵
  PID:1632
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\xwizards.mof
  2⤵
  PID:4476
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\C599AFA5A6F053BAD70179501868318E.mof
  2⤵
  - Drops file in System32 directory
  PID:2832
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\aeinv.mfl
  2⤵
  PID:2384
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\appbackgroundtask.mfl
  2⤵
  PID:1324
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\appbackgroundtask_uninstall.mfl
  2⤵
  PID:2120
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\cimdmtf.mfl
  2⤵
  PID:4936
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\cimwin32.mfl
  2⤵
  PID:4764
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\CIWmi.mfl
  2⤵
  PID:4664
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\cli.mfl
  2⤵
  PID:2856
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\cliegaliases.mfl
  2⤵
  PID:2628
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\ddp.mfl
  2⤵
  PID:3800
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\dnsclientcim.mfl
  2⤵
  PID:4840
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\dnsclientpsprovider.mfl
  2⤵
  - Drops file in System32 directory
  PID:2768
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\dnsclientpsprovider_uninstall.mfl
  2⤵
  PID:4636
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\DscCore.mfl
  2⤵
  PID:1004
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\DscCoreConfProv.mfl
  2⤵
  PID:2972
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\DscProxy.mfl
  2⤵
  - Drops file in System32 directory
  PID:1044
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\DscTimer.mfl
  2⤵
  PID:2632
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\dsprov.mfl
  2⤵
  PID:4524
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\embeddedlockdownwmi.mfl
  2⤵
  - Drops file in System32 directory
  PID:2668
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\embeddedlockdownwmi_Uninstall.mfl
  2⤵
  PID:4624
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\EventTracingManagement.mfl
  2⤵
  PID:2428
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\filetrace.mfl
  2⤵
  PID:2512
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\FolderRedirectionWMIProvider.mfl
  2⤵
  PID:2820
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\hbaapi.mfl
  2⤵
  - Drops file in System32 directory
  PID:3716
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\interop.mfl
  2⤵
  - Drops file in System32 directory
  PID:4980
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\ipmiprv.mfl
  2⤵
  PID:2552
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\iscsidsc.mfl
  2⤵
  PID:3836
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\iscsiprf.mfl
  2⤵
  PID:5084
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\iscsiwmiv2.mfl
  2⤵
  PID:612
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\iscsiwmiv2_uninstall.mfl
  2⤵
  PID:4460
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\krnlprov.mfl
  2⤵
  - Drops file in System32 directory
  PID:5068
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\l2gpstore.mfl
  2⤵
  PID:3484
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\MDMAppProv.mfl
  2⤵
  PID:4388
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\MDMAppProv_Uninstall.mfl
  2⤵
  - Drops file in System32 directory
  PID:2348
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\MDMSettingsProv.mfl
  2⤵
  PID:2364
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\MDMSettingsProv_Uninstall.mfl
  2⤵
  PID:4752
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\Microsoft-Windows-OfflineFiles.mfl
  2⤵
  PID:4124
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\mispace.mfl
  2⤵
  PID:2240
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\mispace_uninstall.mfl
  2⤵
  PID:2064
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\mpeval.mfl
  2⤵
  PID:2608
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\MsDtcWmi.mfl
  2⤵
  PID:3332
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\msfeeds.mfl
  2⤵
  PID:3972
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\msfeedsbs.mfl
  2⤵
  PID:3992
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\msi.mfl
  2⤵
  - Drops file in System32 directory
  PID:4836
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\MsNetImPlatform.mfl
  2⤵
  PID:4612
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\mstsc.mfl
  2⤵
  PID:1316
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\mstscax.mfl
  2⤵
  - Drops file in System32 directory
  PID:2356
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\ncprov.mfl
  2⤵
  - Drops file in System32 directory
  PID:2976
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\NetAdapterCim.mfl
  2⤵
  PID:1684
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\NetAdapterCimTrace.mfl
  2⤵
  - Drops file in System32 directory
  PID:3240
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\NetAdapterCimTraceUninstall.mfl
  2⤵
  PID:1732
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\NetAdapterCim_uninstall.mfl
  2⤵
  PID:4144
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\netdacim.mfl
  2⤵
  - Drops file in System32 directory
  PID:1908
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\netdacim_uninstall.mfl
  2⤵
  PID:2736
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\NetEventPacketCapture.mfl
  2⤵
  - Drops file in System32 directory
  PID:988
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\NetEventPacketCapture_Uninstall.mfl
  2⤵
  PID:2136
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\netnccim.mfl
  2⤵
  PID:460
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\netnccim_uninstall.mfl
  2⤵
  PID:4524
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\NetPeerDistCim.mfl
  2⤵
  - Drops file in System32 directory
  PID:2456
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\NetPeerDistCim_uninstall.mfl
  2⤵
  PID:4624
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\NetSwitchTeam.mfl
  2⤵
  PID:4848
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\NetTCPIP.mfl
  2⤵
  PID:2804
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\NetTCPIP_uninstall.mfl
  2⤵
  PID:2820
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\netttcim.mfl
  2⤵
  PID:3208
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\netttcim_uninstall.mfl
  2⤵
  PID:4980
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\nlmcim.mfl
  2⤵
  - Drops file in System32 directory
  PID:4604
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\nlmcim_uninstall.mfl
  2⤵
  PID:2068
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\npivwmi.mfl
  2⤵
  PID:5064
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\ntevt.mfl
  2⤵
  PID:2772
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\OfflineFilesConfigurationWmiProvider.mfl
  2⤵
  - Drops file in System32 directory
  PID:4356
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\OfflineFilesConfigurationWmiProvider_Uninstall.mfl
  2⤵
  PID:1424
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\OfflineFilesWmiProvider.mfl
  2⤵
  PID:2016
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\OfflineFilesWmiProvider_Uninstall.mfl
  2⤵
  PID:2248
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\p2p-mesh.mfl
  2⤵
  PID:4680
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\p2p-pnrp.mfl
  2⤵
  PID:4644
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\pcsvDevice.mfl
  2⤵
  PID:2372
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\pcsvDevice_Uninstall.mfl
  2⤵
  PID:1300
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\PolicMan.mfl
  2⤵
  - Drops file in System32 directory
  PID:3200
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\polproc.mfl
  2⤵
  PID:1948
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\polprocl.mfl
  2⤵
  PID:4564
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\polprou.mfl
  2⤵
  PID:2384
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\powermeterprovider.mfl
  2⤵
  PID:644
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\PowerPolicyProvider.mfl
  2⤵
  PID:2120
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\PrintManagementProvider.mfl
  2⤵
  PID:2040
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\profileassociationprovider.mfl
  2⤵
  PID:3936
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\PS_MMAgent.mfl
  2⤵
  PID:4748
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\qoswmi.mfl
  2⤵
  - Drops file in System32 directory
  PID:1204
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\qoswmitrc.mfl
  2⤵
  PID:3880
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\qoswmitrc_uninstall.mfl
  2⤵
  PID:2212
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\qoswmi_uninstall.mfl
  2⤵
  PID:3244
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\RacWmiProv.mfl
  2⤵
  - Drops file in System32 directory
  PID:4088
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\rdpinit.mfl
  2⤵
  - Drops file in System32 directory
  PID:2408
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\rdpshell.mfl
  2⤵
  PID:3120
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\regevent.mfl
  2⤵
  PID:2972
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\rsop.mfl
  2⤵
  PID:4712
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\schedprov.mfl
  2⤵
  PID:3248
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\ScrCons.mfl
  2⤵
  PID:568
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\secrcw32.mfl
  2⤵
  - Drops file in System32 directory
  PID:780
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\SmbWitnessWmiv2Provider.mfl
  2⤵
  PID:648
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\smbwmiv2.mfl
  2⤵
  PID:236
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\smtpcons.mfl
  2⤵
  PID:2428
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\sppwmi.mfl
  2⤵
  - Drops file in System32 directory
  PID:2208
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\sr.mfl
  2⤵
  PID:2484
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\storagewmi.mfl
  2⤵
  - Drops file in System32 directory
  PID:3492
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\storagewmi_passthru.mfl
  2⤵
  - Drops file in System32 directory
  PID:4716
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\storagewmi_passthru_uninstall.mfl
  2⤵
  PID:3832
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\storagewmi_uninstall.mfl
  2⤵
  PID:4604
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\subscrpt.mfl
  2⤵
  PID:2068
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\system.mfl
  2⤵
  - Drops file in System32 directory
  PID:5064
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\tsallow.mfl
  2⤵
  PID:2772
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\tscfgwmi.mfl
  2⤵
  - Drops file in System32 directory
  PID:4356
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\UserProfileConfigurationWmiProvider.mfl
  2⤵
  PID:3484
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\UserProfileWmiProvider.mfl
  2⤵
  PID:3540
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\UserStateWMIProvider.mfl
  2⤵
  PID:2248
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\vds.mfl
  2⤵
  PID:1880
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\vpnclientpsprovider.mfl
  2⤵
  PID:2364
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\vpnclientpsprovider_uninstall.mfl
  2⤵
  PID:1300
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\vss.mfl
  2⤵
  - Drops file in System32 directory
  PID:3144
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\WbemCons.mfl
  2⤵
  PID:4616
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wcncsvc.mfl
  2⤵
  PID:2608
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\WdacWmiProv.mfl
  2⤵
  PID:1988
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\WdacWmiProv_Uninstall.mfl
  2⤵
  PID:2272
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wfascim.mfl
  2⤵
  PID:4556
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wfascim_uninstall.mfl
  2⤵
  PID:848
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wfs.mfl
  2⤵
  PID:4756
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\whqlprov.mfl
  2⤵
  PID:4628
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\Win32_DeviceGuard.mfl
  2⤵
  PID:4172
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\win32_printer.mfl
  2⤵
  PID:1428
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wininit.mfl
  2⤵
  PID:3096
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\winlogon.mfl
  2⤵
  PID:1008
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmi.mfl
  2⤵
  PID:1192
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmipcima.mfl
  2⤵
  - Drops file in System32 directory
  PID:4636
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmipdfs.mfl
  2⤵
  - Drops file in System32 directory
  PID:3408
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmipdskq.mfl
  2⤵
  PID:3124
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmipicmp.mfl
  2⤵
  PID:3512
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmipiprt.mfl
  2⤵
  PID:4712
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmipjobj.mfl
  2⤵
  PID:3248
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmipsess.mfl
  2⤵
  PID:2380
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmitimep.mfl
  2⤵
  PID:456
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmpnetwk.mfl
  2⤵
  PID:1372
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wsp_fs.mfl
  2⤵
  PID:4340
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wsp_fs_uninstall.mfl
  2⤵
  PID:2596
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wsp_health.mfl
  2⤵
  PID:3108
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wsp_health_uninstall.mfl
  2⤵
  PID:5096
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wsp_sr.mfl
  2⤵
  - Drops file in System32 directory
  PID:3756
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wsp_sr_uninstall.mfl
  2⤵
  PID:3040
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\WUDFx.mfl
  2⤵
  PID:436
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\WUDFx02000.mfl
  2⤵
  PID:2828
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\xwizards.mfl
  2⤵
  PID:4296
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f
  2⤵
  PID:1564
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping_EAC.exe: B1 8A B0 E9 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"
  2⤵
  PID:4076
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\EasyAntiCheat\EasyAntiCheat_Setup.exe: 73 D5 4B 11 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"
  2⤵
  PID:4660
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2532382528-581214834-2534474248-1001\\Device\HarddiskVolume3\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping.exe: E7 CB 84 E9 8D 13 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00" /f"
  2⤵
  PID:2108
- C:\Windows\system32\reg.exe
  reg delete "HKU\.Dreg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:4460
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine" /f
  2⤵
  PID:2328
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
  2⤵
  PID:1232
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
  2⤵
  PID:708
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
  2⤵
  PID:4504
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
  2⤵
  PID:4180
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
  2⤵
  PID:1448
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
  2⤵
  PID:1124
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Description: "Provides integrated security and services for online multiplayer games."" /f
  2⤵
  PID:2664
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f
  2⤵
  PID:5024
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat\GamesInstalled: "217;"" /f
  2⤵
  PID:2348
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Type: 0x00000010" /f
  2⤵
  PID:3488
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Start: 0x00000003" /f
  2⤵
  PID:4644
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f
  2⤵
  PID:4416
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f
  2⤵
  PID:2524
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f
  2⤵
  PID:2160
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\WOW64: 0x0000014C" /f
  2⤵
  PID:2896
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f"
  2⤵
  PID:356
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security" /f"
  2⤵
  PID:2364
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f"
  2⤵
  PID:1416
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security" /f"
  2⤵
  PID:3200
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
  2⤵
  PID:4512
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Type: 0x00000010" /f"
  2⤵
  PID:1112
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Start: 0x00000003" /f"
  2⤵
  PID:2192
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ErrorControl: 0x00000001" /f"
  2⤵
  PID:2008
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ImagePath: ""C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe""" /f"
  2⤵
  PID:4476
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\DisplayName: "EasyAntiCheat"" /f"
  2⤵
  PID:1444
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\WOW64: 0x0000014C" /f"
  2⤵
  PID:4828
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\ObjectName: "LocalSystem"" /f"
  2⤵
  PID:3156
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Description: "Provides integrated security and services for online multiplayer games. /f"
  2⤵
  PID:3332
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f"
  2⤵
  PID:4384
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 05 00 00 00 00 00 14 00 30 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00" /f
  2⤵
  PID:1612
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d r3176 /f
  2⤵
  - Modifies registry key
  PID:4632
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d r26983 /f
  2⤵
  - Modifies registry key
  PID:2776
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {be5254} /f
  2⤵
  - Modifies registry key
  PID:844
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {fefefee196-5993-5327-7755} /f
  2⤵
  - Modifies registry key
  PID:2120
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {fefefe27578-14581-5919-14270} /f
  2⤵
  - Modifies registry key
  PID:2724
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d r15993 /f
  2⤵
  - Modifies registry key
  PID:4056
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d r25269 /f
  2⤵
  - Modifies registry key
  PID:2040
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d r13870 /f
  2⤵
  - Modifies registry key
  PID:4408
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {randomd32490-4140-15156-31269} /f
  2⤵
  - Modifies registry key
  PID:3112
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {BE10211} /f
  2⤵
  - Modifies registry key
  PID:3056
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {7916-14649-11141-4787} /f
  2⤵
  - Modifies registry key
  PID:1072
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {24036-2389-29292-32151} /f
  2⤵
  - Modifies registry key
  PID:2948
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 11954 /f
  2⤵
  - Modifies registry key
  PID:1080
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 29112 /f
  2⤵
  - Modifies registry key
  PID:4908
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 31508 /f
  2⤵
  - Modifies registry key
  PID:976
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 10092-18961-10312-17308 /f
  2⤵
  - Modifies registry key
  PID:2980
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 30308 /f
  2⤵
  - Modifies registry key
  PID:2000
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {7093-20213-30475-30461} /f
  2⤵
  - Modifies registry key
  PID:2868
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 5495-2630-31122-18228 /f
  2⤵
  - Modifies registry key
  PID:3508
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:3556
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
  2⤵
  PID:4760
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
  2⤵
  PID:3692
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
  2⤵
  PID:4840
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
  2⤵
  PID:3240
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
  2⤵
  PID:4372
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
  2⤵
  PID:1524
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
  2⤵
  PID:4072
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
  2⤵
  PID:4144
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
  2⤵
  PID:4996
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
  2⤵
  PID:2376
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f
  2⤵
  PID:1420
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f
  2⤵
  PID:3772
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v InstallDate /t REG_SZ /d 15794 /f
  2⤵
  PID:804
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v ProductId /t REG_SZ /d 26168 /f
  2⤵
  PID:3644
- C:\Windows\system32\reg.exe
  REG ADD HKLM\System\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 2577 /f
  2⤵
  - Modifies registry key
  PID:2904
- C:\Windows\system32\reg.exe
  REG ADD HKLM\System\CurrentControlSet\Control\WMI\Security /v 671a8285-4edb-4cae-99fe-69a15c48c0bc /t REG_SZ /d 16885 /f
  2⤵
  - Modifies registry key
  PID:4532
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f
  2⤵
  PID:1044
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d TS-eac31981 /f
  2⤵
  - Modifies registry key
  PID:988
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d TS-32073 /f
  2⤵
  - Modifies registry key
  PID:820
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {eac7389} /f
  2⤵
  - Modifies registry key
  PID:3512
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {TS-32471-28346-5584-21441} /f
  2⤵
  - Modifies registry key
  PID:3036
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {TS-31238-14813-10639-14146} /f
  2⤵
  - Modifies registry key
  PID:740
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d TS-30848 /f
  2⤵
  - Modifies registry key
  PID:4712
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:568
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 13233 /f
  2⤵
  - Modifies registry key
  PID:480
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 2955 /f
  2⤵
  - Modifies registry key
  PID:3248
- C:\Windows\system32\reg.exe
  reg delete"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WMI\Security\" /f
  2⤵
  PID:332
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
  2⤵
  PID:2380
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
  2⤵
  PID:780
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f
  2⤵
  PID:2456
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSVendor /f
  2⤵
  - Enumerates system info in registry
  PID:456
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSReleaseDate /f
  2⤵
  - Enumerates system info in registry
  PID:4308
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemProductName /f
  2⤵
  - Enumerates system info in registry
  PID:2052
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemManufacturer /f
  2⤵
  - Enumerates system info in registry
  PID:4508
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f
  2⤵
  - Checks processor information in registry
  PID:2848
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
  2⤵
  PID:720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2264
- C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T /R
  2⤵
  PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\perfc009.dat

Filesize
128KB

MD5
a9ae270f03cd818fc5ccb1fc114ed0f8

SHA1
57cfce4c18c0163fd41652ab89e4c51649eee492

SHA256
c08bb34abb284c2fb15d4372c2c3c2387f71ebeb920be89c9079e96c7a4ca3ec

SHA512
5fa35050038e187b0be9547ff86e49aa5272a273eefb83472758da5b818e4e86eba254422b4524fb7a4bd66bd5c3ae210162cab1247b601ea1a3fc6454703ef0

Download Submit
C:\Windows\System32\perfh009.dat

Filesize
686KB

MD5
efeeda97e31eb12669293d78feaff451

SHA1
f3680730a9ed165f49be4a2b1be8477196f15afb

SHA256
a0ae9b96680526dd73b3469504eaeb3882c655e3f4557b9e120de1ddd8edb834

SHA512
452da0e9a2c17de87d5a0db150acf299310d684c50c4f16daa5f1c298267d76d990000a0bf4e5ffb2afe5769e74bfcdf351e8d68b933a432a9130cdcdd81f1b2

Download Submit
C:\Windows\System32\wbem\Performance\WmiApRpl.h

Filesize
435B

MD5
1cc4c3b9bb1657be77939f0b565e315d

SHA1
6a7ff123e96da6f7fb0fd9b7d7600bfc3540ee25

SHA256
9eb3cbb0f65809845890159efdab0ff5a910da34252e7d5cff2929cc2fa6ab6a

SHA512
fd461013902cf1f89485efc1cbdd07bc294253a1b60d9950e27cdb12937cbb39e3491ddb5dfdc4386df87fa44ee4ca9b3be01d7048850337ff9d68156eea78ef

Download Submit
C:\Windows\System32\wbem\Performance\WmiApRpl.ini

Filesize
1KB

MD5
a656a56b1fda4aa28383160ba6ebea3b

SHA1
bda09bb6f5f28f5470147113e93d46a02853dfe1

SHA256
639cf8acd1fe25a19b9841c9262b4227fcc33bb6658919d31b10ab849253b318

SHA512
fbc74c738bbebb6265688ebec7a6bce18f5a59e98a5417701e5565d5c6e1f8c350da000005fc7441f8a4622043d4a8fd62efe54308cfa59f4ce9ed027dadebae

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads