4ee85019c1ae4d1abf8ea1908f635339d0a4af88ba185dc30e1104e68c7c902e

Resubmissions

10/07/2024, 02:30

240710-czl2gstcke 10

20/06/2024, 12:39

20/06/2024, 12:36

20/06/2024, 12:35

20/06/2024, 12:33

Analysis

max time kernel
66s
max time network
136s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
10/07/2024, 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cleaners/cleaner.bat
Size

3.2MB
MD5

0bef79984a785d284e225d3576239802
SHA1

0a759883c5cd8822f269eca241c4dc8c43d86220
SHA256

33da2dd5c5ef66be92bc9024f58e5b967746ff2f4b693efe68e98df7da6d4c80
SHA512

d5d5aa1e7b3a46af0fd2f94eb5c45c451d3dd3a99debfba1fcda4f704dd3bb54d15fe7d4cda84fa5ca049a81115de73a583aa32da35db862ff6f00799f7700ad
SSDEEP

49152:ZTOB4ynYygOvXsMruROZyUpWvWOLZkOReK:1

Score

10^/10

evasion execution persistence privilege_escalation

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Winmgmt\Parameters\ServiceDll = "%SystemRoot%\\system32\\wbem\\WMIsvc.dll"	regsvr32.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\system32\wbem\AutoRecover\2713EF0312125B926EC10D64C17DC18A.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\494C62FAA08CD5217399BAA555FF491B.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\05C3A1B4103106E2A6595CB64A18450B.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\repository\INDEX.BTR	svchost.exe
File created	C:\Windows\system32\wbem\AutoRecover\2E8F3CA90E51B47160C820C8A9D25C70.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\73798C03E4DE5FDCF5194ADA9EBFB859.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\6FFF7467A5B40765D5740A413CA8BB8A.mof	mofcomp.exe
File created	C:\Windows\system32\perfh00A.dat	regsvr32.exe
File created	C:\Windows\system32\wbem\AutoRecover\BE81B2C0741907C1FC1C42B6223E59AD.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\3BB9AB7BAA63F54A0832A3003DBC2FD0.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\C905EF12F758786CE77068AE12F14D83.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\D209D533EE8C97B5E2C46D035373F422.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\5966D45C7B25EACA46E87DD8E5703964.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\B0CDB37CD965AA678CCF2531689C22DE.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\ADE307452D6C84EC8BE606699DFFD89E.mof	mofcomp.exe
File created	C:\Windows\system32\perfc010.dat	regsvr32.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING1.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING3.MAP	svchost.exe
File created	C:\Windows\system32\wbem\AutoRecover\8C226ACD9934CF6AC0A2FED330FF195D.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\EDF3F610F6DA16B8F758D81ADD6764AC.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\8EE8FC83289049798EE5B66322A8DA45.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\DF80FD3849FFF74B4BF43E2EA8ADEC8A.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\0296C47314AB746EC35476488248FCD9.mof	mofcomp.exe
File created	C:\Windows\system32\perfc00A.dat	regsvr32.exe
File created	C:\Windows\system32\wbem\AutoRecover\ADC76C6473F1C3722A0A86C2A9AED340.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\95CF8C2673B156E93407C44DA1171F14.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\A7575F8DE31A912FFE91A7A41B1E382A.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\repository\WRITABLE.TST	svchost.exe
File created	C:\Windows\system32\wbem\AutoRecover\8A5665C9B434838A05B96BF322560FE8.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\D0C5C729E970878A5B11C5AE54A0B179.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\FB42973CC6B430B383BA62328763E302.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\03FA45E8AD14F8FCC81DC92CF18A9538.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini	regsvr32.exe
File created	C:\Windows\system32\wbem\AutoRecover\F01326692CC5736EBAC31B9FC2381CF2.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\0C75BF6FEE0CC2FB2C6FB6B4B0E167EF.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\PerfStringBackup.INI	regsvr32.exe
File created	C:\Windows\system32\perfh009.dat	regsvr32.exe
File created	C:\Windows\system32\wbem\AutoRecover\A4E4450F82FCBDED5A110855857A16B9.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\C59549B4F20BC001A0A645775AB7BE45.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\9792C1210EF405B66D63B9792E3E9FB3.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\E737DE61441445E1FDFCA45EF5E7D987.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.h	regsvr32.exe
File created	C:\Windows\system32\wbem\AutoRecover\C9FFD7DEF039EF1D8845837409469B2F.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\D97D08E4902AC1BCF40C06435990ED69.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\72F867EF62976CE9F70993FF3E68A4EB.mof	mofcomp.exe
File created	C:\Windows\system32\perfh011.dat	regsvr32.exe
File created	C:\Windows\system32\wbem\AutoRecover\2572593894B364FF5F52C71028D4F15D.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\AD1621C948A4E41C8ABE8FC09AC11633.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\CBD66ABF99AFFFA4375E215A3072C696.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\973858E80F1DA2CA957FCCD54F9B65F4.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\2E4D1429BE1911C37755271D939627EF.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\4273CA093A54B161AE6A9FA019048CE8.mof	mofcomp.exe
File created	C:\Windows\system32\perfc007.dat	regsvr32.exe
File created	C:\Windows\system32\wbem\AutoRecover\FC4DF9001B20616C9CB1D98663B7AB78.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\F28042F231A5DCF3E9C8B9281BDDB127.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\AD0B790C2468A8DCF73E8E2925527653.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\88744D2A29102FC88ECF505DD2E984FC.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\97823DC673AD0F92AB9B83F4C177678B.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\57B0D59999DF0A672E8CDB1626320AC0.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\D0CC2654F09BDBA37220BC56ED1511F8.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\46338086849864D67B0CF6203CC83708.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\37134956F76D3C30C9BE0C12571CAF43.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\C848E1EED73B9992693EEDD7389E07F8.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\76FC6ECE6E69615238BD782572B6AE9A.mof	mofcomp.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.h	regsvr32.exe
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	regsvr32.exe
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	regsvr32.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2960	sc.exe
3344	sc.exe
3660	sc.exe
2996	sc.exe
2124	sc.exe
1084	sc.exe

Kills process with taskkill 13 IoCs

evasion

pid	Process
8	taskkill.exe
3564	taskkill.exe
3540	taskkill.exe
2988	taskkill.exe
2356	taskkill.exe
2012	taskkill.exe
580	taskkill.exe
4936	taskkill.exe
4884	taskkill.exe
2340	taskkill.exe
1376	taskkill.exe
1172	taskkill.exe
4228	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C71566F2-561E-11D1-AD87-00C04FD8FDFF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SDSnapin.SDSnapin.1\ = "Service Dependencies Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7A3A54B-0250-11D3-9CD1-00105A1F4801}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266C72E5-62E8-11D1-AD89-00C04FD8FDFF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{75718C9A-F029-11D1-A1AC-00C04FB6C223}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C49E32C7-BC8B-11D2-85D4-00105A1F8304}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{33831ED4-42B8-11D2-93AD-00805F853771}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JobObjectProv.JobObjectProv.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6E78DAD9-E187-4D6E-BA63-760256D6F405}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25411283-46FC-4326-8DF2-FF5D34B2DFEF}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{55F7B88D-A254-4B22-B7BB-FCDBBA1AFA32}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72967901-68EC-11D0-B729-00AA0062CBB7}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WbemScripting.SWbemRefresher	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DF2373F5-EFB2-475C-AD58-3102D61967D4}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JobObjectProv.JobObjectProv\CurVer\ = "JobObjectProv.JobObjectProv.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E246107B-B06E-11D0-AD61-00C04FD8FDFF}\NumMethods	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4950C79-806D-4ECE-9DB1-11B34D33F514}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4950C79-806D-4ECE-9DB1-11B34D33F514}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31739D04-3471-4CF4-9A7C-57A44AE71956}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1CFABA8C-1523-11D1-AD79-00C04FD8FDFF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E246107A-B06E-11D0-AD61-00C04FD8FDFF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6B100E1A-1385-4D1F-A02E-6E705A76BB6C}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A571F412-E3D2-4A32-BF42-1D3B2203FF17}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EC231970-6AFD-4215-A72E-97242BB08680}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AAEAE72F-0328-4763-8ECB-23422EDE2DB5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C49E32C7-BC8B-11D2-85D4-00105A1F8304}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11CAA957-4E80-474E-A819-7FD72148ADA9}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C0AA9D93-2EF5-47FB-960C-F90FC644B48E}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4CFC7932-0F9D-4BEF-9C32-8EA2A6B56FCB}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FB1D98A-F895-4761-8DC2-774969C84D10}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JobObjectProv.JobObjectProv\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{75718C9A-F029-11D1-A1AC-00C04FB6C223}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{9AED384E-CE8B-11D1-8B05-00600806D9B6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C2FEEEAC-CFCD-11D1-8B05-00600806D9B6}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41AA40E6-2FBA-4E80-ADE9-34306567206D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B60EF4F1-A411-462B-B51E-477CBDBB90B4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED999FF5-223A-4052-8ECE-0B10C8DBAA39}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A571F412-E3D2-4A32-BF42-1D3B2203FF17}\InProcServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{55F7B88D-A254-4B22-B7BB-FCDBBA1AFA32}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4590F812-1D3A-11D0-891F-00AA004B2E24}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{55F7B88D-A254-4B22-B7BB-FCDBBA1AFA32}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7E9D3B9-E62B-4A90-8CC5-A3C5F662DA7B}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{D7C3453E-1F1C-48CD-AFE6-CFF2A937D337}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemSink.1\ = "WBEM Scripting Sink 1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5791BC26-CE9C-11D1-97BF-0000F81E849C}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E8107BDF-BAAF-4C7C-BB5F-9D732E8D8F07}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6515834D-6125-4878-A3A3-6B0A73B809A2}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0725C3CB-FEFB-11D0-99F9-00C04FC2F8EC}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{55F7B88D-A254-4B22-B7BB-FCDBBA1AFA32}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Krnlprov.KernelTraceProvider\ = "KernelTraceProvider Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{523A581F-EC58-40CE-99D3-36BF7897F3EC}\InprocServer32\ = "C:\\Windows\\System32\\wbem\\Microsoft.Uev.AgentWmi.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0C0B0642-1DEB-43DF-8032-7A9BF5811A74}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9AED384E-CE8B-11D1-8B05-00600806D9B6}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WINMGMTS\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31739D04-3471-4CF4-9A7C-57A44AE71956}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAC6B661-167E-4957-AD77-286AB256585E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1EF94880-01A8-11D2-A90B-00AA00BF3363}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3AE0080A-7E3A-4366-BF89-0FEEDC931659}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\software\classes\CLSID\{4590F812-1D3A-11D0-891F-00AA004B2E24}\Implemented Categories\{00000003-0000-0000-C000-000000000046}	regsvr32.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	8	taskkill.exe
Token: SeDebugPrivilege	4936	taskkill.exe
Token: SeDebugPrivilege	2356	taskkill.exe
Token: SeDebugPrivilege	4884	taskkill.exe
Token: SeDebugPrivilege	2012	taskkill.exe
Token: SeDebugPrivilege	3564	taskkill.exe
Token: SeDebugPrivilege	2340	taskkill.exe
Token: SeDebugPrivilege	3540	taskkill.exe
Token: SeDebugPrivilege	2988	taskkill.exe
Token: SeDebugPrivilege	1376	taskkill.exe
Token: SeDebugPrivilege	580	taskkill.exe
Token: SeDebugPrivilege	1172	taskkill.exe
Token: SeDebugPrivilege	4228	taskkill.exe
Token: SeSecurityPrivilege	1844	mofcomp.exe
Token: SeAssignPrimaryTokenPrivilege	2872	svchost.exe
Token: SeIncreaseQuotaPrivilege	2872	svchost.exe
Token: SeSecurityPrivilege	2872	svchost.exe
Token: SeTakeOwnershipPrivilege	2872	svchost.exe
Token: SeLoadDriverPrivilege	2872	svchost.exe
Token: SeSystemtimePrivilege	2872	svchost.exe
Token: SeBackupPrivilege	2872	svchost.exe
Token: SeRestorePrivilege	2872	svchost.exe
Token: SeShutdownPrivilege	2872	svchost.exe
Token: SeSystemEnvironmentPrivilege	2872	svchost.exe
Token: SeUndockPrivilege	2872	svchost.exe
Token: SeManageVolumePrivilege	2872	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2872	svchost.exe
Token: SeIncreaseQuotaPrivilege	2872	svchost.exe
Token: SeSecurityPrivilege	2872	svchost.exe
Token: SeTakeOwnershipPrivilege	2872	svchost.exe
Token: SeLoadDriverPrivilege	2872	svchost.exe
Token: SeSystemtimePrivilege	2872	svchost.exe
Token: SeBackupPrivilege	2872	svchost.exe
Token: SeRestorePrivilege	2872	svchost.exe
Token: SeShutdownPrivilege	2872	svchost.exe
Token: SeSystemEnvironmentPrivilege	2872	svchost.exe
Token: SeUndockPrivilege	2872	svchost.exe
Token: SeManageVolumePrivilege	2872	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2872	svchost.exe
Token: SeIncreaseQuotaPrivilege	2872	svchost.exe
Token: SeSecurityPrivilege	2872	svchost.exe
Token: SeTakeOwnershipPrivilege	2872	svchost.exe
Token: SeLoadDriverPrivilege	2872	svchost.exe
Token: SeSystemtimePrivilege	2872	svchost.exe
Token: SeBackupPrivilege	2872	svchost.exe
Token: SeRestorePrivilege	2872	svchost.exe
Token: SeShutdownPrivilege	2872	svchost.exe
Token: SeSystemEnvironmentPrivilege	2872	svchost.exe
Token: SeUndockPrivilege	2872	svchost.exe
Token: SeManageVolumePrivilege	2872	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2872	svchost.exe
Token: SeIncreaseQuotaPrivilege	2872	svchost.exe
Token: SeSecurityPrivilege	2872	svchost.exe
Token: SeTakeOwnershipPrivilege	2872	svchost.exe
Token: SeLoadDriverPrivilege	2872	svchost.exe
Token: SeSystemtimePrivilege	2872	svchost.exe
Token: SeBackupPrivilege	2872	svchost.exe
Token: SeRestorePrivilege	2872	svchost.exe
Token: SeShutdownPrivilege	2872	svchost.exe
Token: SeSystemEnvironmentPrivilege	2872	svchost.exe
Token: SeUndockPrivilege	2872	svchost.exe
Token: SeManageVolumePrivilege	2872	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2872	svchost.exe
Token: SeIncreaseQuotaPrivilege	2872	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 5028	1632	cmd.exe	71
PID 1632 wrote to memory of 5028	1632	cmd.exe	71
PID 1632 wrote to memory of 8	1632	cmd.exe	72
PID 1632 wrote to memory of 8	1632	cmd.exe	72
PID 1632 wrote to memory of 4936	1632	cmd.exe	74
PID 1632 wrote to memory of 4936	1632	cmd.exe	74
PID 1632 wrote to memory of 2356	1632	cmd.exe	75
PID 1632 wrote to memory of 2356	1632	cmd.exe	75
PID 1632 wrote to memory of 4884	1632	cmd.exe	76
PID 1632 wrote to memory of 4884	1632	cmd.exe	76
PID 1632 wrote to memory of 2012	1632	cmd.exe	77
PID 1632 wrote to memory of 2012	1632	cmd.exe	77
PID 1632 wrote to memory of 3564	1632	cmd.exe	78
PID 1632 wrote to memory of 3564	1632	cmd.exe	78
PID 1632 wrote to memory of 2340	1632	cmd.exe	79
PID 1632 wrote to memory of 2340	1632	cmd.exe	79
PID 1632 wrote to memory of 3540	1632	cmd.exe	80
PID 1632 wrote to memory of 3540	1632	cmd.exe	80
PID 1632 wrote to memory of 2988	1632	cmd.exe	81
PID 1632 wrote to memory of 2988	1632	cmd.exe	81
PID 1632 wrote to memory of 1376	1632	cmd.exe	82
PID 1632 wrote to memory of 1376	1632	cmd.exe	82
PID 1632 wrote to memory of 580	1632	cmd.exe	83
PID 1632 wrote to memory of 580	1632	cmd.exe	83
PID 1632 wrote to memory of 1172	1632	cmd.exe	84
PID 1632 wrote to memory of 1172	1632	cmd.exe	84
PID 1632 wrote to memory of 4228	1632	cmd.exe	85
PID 1632 wrote to memory of 4228	1632	cmd.exe	85
PID 1632 wrote to memory of 1084	1632	cmd.exe	86
PID 1632 wrote to memory of 1084	1632	cmd.exe	86
PID 1632 wrote to memory of 2960	1632	cmd.exe	87
PID 1632 wrote to memory of 2960	1632	cmd.exe	87
PID 1632 wrote to memory of 3344	1632	cmd.exe	88
PID 1632 wrote to memory of 3344	1632	cmd.exe	88
PID 1632 wrote to memory of 3660	1632	cmd.exe	89
PID 1632 wrote to memory of 3660	1632	cmd.exe	89
PID 1632 wrote to memory of 2996	1632	cmd.exe	90
PID 1632 wrote to memory of 2996	1632	cmd.exe	90
PID 1632 wrote to memory of 996	1632	cmd.exe	91
PID 1632 wrote to memory of 996	1632	cmd.exe	91
PID 996 wrote to memory of 1264	996	net.exe	92
PID 996 wrote to memory of 1264	996	net.exe	92
PID 1632 wrote to memory of 1912	1632	cmd.exe	93
PID 1632 wrote to memory of 1912	1632	cmd.exe	93
PID 1632 wrote to memory of 2124	1632	cmd.exe	94
PID 1632 wrote to memory of 2124	1632	cmd.exe	94
PID 1632 wrote to memory of 4516	1632	cmd.exe	95
PID 1632 wrote to memory of 4516	1632	cmd.exe	95
PID 1632 wrote to memory of 2888	1632	cmd.exe	96
PID 1632 wrote to memory of 2888	1632	cmd.exe	96
PID 1632 wrote to memory of 2876	1632	cmd.exe	97
PID 1632 wrote to memory of 2876	1632	cmd.exe	97
PID 1632 wrote to memory of 2320	1632	cmd.exe	98
PID 1632 wrote to memory of 2320	1632	cmd.exe	98
PID 1632 wrote to memory of 2172	1632	cmd.exe	99
PID 1632 wrote to memory of 2172	1632	cmd.exe	99
PID 1632 wrote to memory of 4360	1632	cmd.exe	100
PID 1632 wrote to memory of 4360	1632	cmd.exe	100
PID 1632 wrote to memory of 3744	1632	cmd.exe	101
PID 1632 wrote to memory of 3744	1632	cmd.exe	101
PID 1632 wrote to memory of 652	1632	cmd.exe	102
PID 1632 wrote to memory of 652	1632	cmd.exe	102
PID 1632 wrote to memory of 4564	1632	cmd.exe	103
PID 1632 wrote to memory of 4564	1632	cmd.exe	103

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cleaners\cleaner.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:5028
- C:\Windows\system32\taskkill.exe
  taskkill /f /im epicgameslauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:8
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4936
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2356
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4884
- C:\Windows\system32\taskkill.exe
  taskkill /f /im OneDrive.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2012
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3564
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EpicGamesLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2340
- C:\Windows\system32\taskkill.exe
  taskkill /f /im UnrealCEFSubProcess.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3540
- C:\Windows\system32\taskkill.exe
  taskkill /f /im CEFProcess.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2988
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EasyAntiCheat.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1376
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEService.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:580
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEServices.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1172
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BattleEye.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4228
- C:\Windows\system32\sc.exe
  Sc stop EasyAntiCheat
  2⤵
  - Launches sc.exe
  PID:1084
- C:\Windows\system32\sc.exe
  Sc stop FortniteClient-Win64-Shipping_EAC
  2⤵
  - Launches sc.exe
  PID:2960
- C:\Windows\system32\sc.exe
  Sc stop BattleEye
  2⤵
  - Launches sc.exe
  PID:3344
- C:\Windows\system32\sc.exe
  Sc stop FortniteClient-Win64-Shipping_BE
  2⤵
  - Launches sc.exe
  PID:3660
- C:\Windows\system32\sc.exe
  sc config winmgmt start= disabled
  2⤵
  - Launches sc.exe
  PID:2996
- C:\Windows\system32\net.exe
  net stop winmgmt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop winmgmt /y
    3⤵
    PID:1264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b *.dll
  2⤵
  PID:1912
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s appbackgroundtask.dll
  2⤵
  PID:2124
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s cimwin32.dll
  2⤵
  PID:4516
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s DMWmiBridgeProv.dll
  2⤵
  PID:2888
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s DMWmiBridgeProv1.dll
  2⤵
  PID:2876
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s dnsclientcim.dll
  2⤵
  PID:2320
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s dnsclientpsprovider.dll
  2⤵
  PID:2172
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s Dscpspluginwkr.dll
  2⤵
  PID:4360
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s dsprov.dll
  2⤵
  - Modifies registry class
  PID:3744
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s EmbeddedLockdownWmi.dll
  2⤵
  PID:652
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s esscli.dll
  2⤵
  PID:4564
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s EventTracingManagement.dll
  2⤵
  PID:3516
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s fastprox.dll
  2⤵
  - Modifies registry class
  PID:2564
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s ipmiprr.dll
  2⤵
  PID:2620
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s ipmiprv.dll
  2⤵
  PID:4532
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s KrnlProv.dll
  2⤵
  - Modifies registry class
  PID:4152
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s MDMAppProv.dll
  2⤵
  PID:4536
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s MDMSettingsProv.dll
  2⤵
  PID:5008
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s Microsoft.AppV.AppVClientWmi.dll
  2⤵
  PID:2212
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s Microsoft.Uev.AgentWmi.dll
  2⤵
  - Modifies registry class
  PID:3684
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s MMFUtil.dll
  2⤵
  PID:4148
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s mofd.dll
  2⤵
  PID:4020
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s mofinstall.dll
  2⤵
  PID:1532
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s msdtcwmi.dll
  2⤵
  PID:4368
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s msiprov.dll
  2⤵
  PID:2580
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s NCProv.dll
  2⤵
  PID:3212
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s ndisimplatcim.dll
  2⤵
  PID:2824
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s NetAdapterCim.dll
  2⤵
  PID:3448
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s netdacim.dll
  2⤵
  PID:5048
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s NetEventPacketCapture.dll
  2⤵
  PID:4248
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s netnccim.dll
  2⤵
  PID:4476
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s NetPeerDistCim.dll
  2⤵
  PID:3664
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s netswitchteamcim.dll
  2⤵
  PID:1544
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s NetTCPIP.dll
  2⤵
  PID:3808
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s netttcim.dll
  2⤵
  PID:4216
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s nlmcim.dll
  2⤵
  PID:4264
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s ntevt.dll
  2⤵
  PID:1400
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s PolicMan.dll
  2⤵
  - Modifies registry class
  PID:1572
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s PrintManagementProvider.dll
  2⤵
  PID:4260
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s qoswmi.dll
  2⤵
  PID:1412
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s RacWmiProv.dll
  2⤵
  - Modifies registry class
  PID:4824
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s repdrvfs.dll
  2⤵
  PID:3004
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s schedprov.dll
  2⤵
  PID:3020
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s ServDeps.dll
  2⤵
  - Modifies registry class
  PID:1968
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s SMTPCons.dll
  2⤵
  - Modifies registry class
  PID:1832
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s stdprov.dll
  2⤵
  - Modifies registry class
  PID:4344
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s vdswmi.dll
  2⤵
  PID:2648
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s viewprov.dll
  2⤵
  PID:5044
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s vpnclientpsprovider.dll
  2⤵
  PID:5040
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s vsswmi.dll
  2⤵
  PID:2408
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemcntl.dll
  2⤵
  PID:2404
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemcons.dll
  2⤵
  - Modifies registry class
  PID:5016
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemcore.dll
  2⤵
  - Modifies registry class
  PID:3380
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemdisp.dll
  2⤵
  - Modifies registry class
  PID:748
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemess.dll
  2⤵
  PID:3708
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemprox.dll
  2⤵
  PID:5028
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemsvc.dll
  2⤵
  - Modifies registry class
  PID:3668
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WdacWmiProv.dll
  2⤵
  PID:8
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WEMSAL_WmiProvider.dll
  2⤵
  PID:2308
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wfascim.dll
  2⤵
  PID:3336
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s Win32_EncryptableVolume.dll
  2⤵
  PID:4852
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s Win32_Tpm.dll
  2⤵
  PID:4904
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WinMgmtR.dll
  2⤵
  PID:4884
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WmiApRes.dll
  2⤵
  PID:2780
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WmiApRpl.dll
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:2012
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WMICOOKR.dll
  2⤵
  PID:2788
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WmiDcPrv.dll
  2⤵
  - Modifies registry class
  PID:2976
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wmipcima.dll
  2⤵
  PID:3324
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wmipdfs.dll
  2⤵
  PID:4304
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wmipdskq.dll
  2⤵
  PID:3136
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WmiPerfClass.dll
  2⤵
  PID:2864
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WmiPerfInst.dll
  2⤵
  PID:4280
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WMIPICMP.dll
  2⤵
  PID:4612
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WMIPIPRT.dll
  2⤵
  PID:2708
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WMIPJOBJ.dll
  2⤵
  - Modifies registry class
  PID:3948
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wmiprov.dll
  2⤵
  - Modifies registry class
  PID:4580
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WmiPrvSD.dll
  2⤵
  PID:2892
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WMIPSESS.dll
  2⤵
  - Modifies registry class
  PID:2896
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WMIsvc.dll
  2⤵
  - Server Software Component: Terminal Services DLL
  PID:4604
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wmitimep.dll
  2⤵
  PID:2092
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wmiutils.dll
  2⤵
  PID:3868
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WUAProvider.dll
  2⤵
  PID:1264
- C:\Windows\System32\wbem\WmiPrvSE.exe
  wmiprvse /regserver
  2⤵
  PID:996
- C:\Windows\System32\wbem\WinMgmt.exe
  winmgmt /regserver
  2⤵
  PID:1912
- C:\Windows\system32\sc.exe
  sc config winmgmt start= auto
  2⤵
  - Launches sc.exe
  PID:2124
- C:\Windows\system32\net.exe
  net start winmgmt
  2⤵
  PID:4516
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start winmgmt
    3⤵
    PID:2888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /s /b *.mof *.mfl
  2⤵
  PID:2172
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\aeinv.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1844
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AgentWmi.mof
  2⤵
  PID:4144
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AgentWmiUninstall.mof
  2⤵
  - Drops file in System32 directory
  PID:4164
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\appbackgroundtask.mof
  2⤵
  - Drops file in System32 directory
  PID:1532
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\appbackgroundtask_uninstall.mof
  2⤵
  PID:3856
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AuditRsop.mof
  2⤵
  PID:3448
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\authfwcfg.mof
  2⤵
  PID:384
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\bcd.mof
  2⤵
  PID:4620
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\BthMtpEnum.mof
  2⤵
  PID:68
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\cimdmtf.mof
  2⤵
  PID:3320
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\cimwin32.mof
  2⤵
  PID:1964
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\CIWmi.mof
  2⤵
  PID:2652
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\classlog.mof
  2⤵
  - Drops file in System32 directory
  PID:5040
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\cli.mof
  2⤵
  - Drops file in System32 directory
  PID:1904
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\cliegaliases.mof
  2⤵
  PID:2560
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ddp.mof
  2⤵
  - Drops file in System32 directory
  PID:2640
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\dimsjob.mof
  2⤵
  PID:4948
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\dimsroam.mof
  2⤵
  PID:2964
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv.mof
  2⤵
  PID:860
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv1.mof
  2⤵
  PID:2428
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv1_Uninstall.mof
  2⤵
  PID:2356
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv_Uninstall.mof
  2⤵
  PID:4556
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\dnsclientcim.mof
  2⤵
  PID:4220
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\dnsclientpsprovider.mof
  2⤵
  - Drops file in System32 directory
  PID:3776
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\dnsclientpsprovider_Uninstall.mof
  2⤵
  PID:3140
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\drvinst.mof
  2⤵
  PID:4588
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\DscCore.mof
  2⤵
  PID:2764
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\DscCoreConfProv.mof
  2⤵
  PID:2488
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\dscproxy.mof
  2⤵
  - Drops file in System32 directory
  PID:5004
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\DscTimer.mof
  2⤵
  PID:1276
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\dsprov.mof
  2⤵
  PID:2856
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\eaimeapi.mof
  2⤵
  PID:2172
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\embeddedlockdownwmi.mof
  2⤵
  - Drops file in System32 directory
  PID:2204
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\embeddedlockdownwmi_Uninstall.mof
  2⤵
  PID:4140
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\EventTracingManagement.mof
  2⤵
  PID:3532
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fdPHost.mof
  2⤵
  PID:2580
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fdrespub.mof
  2⤵
  PID:1532
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fdSSDP.mof
  2⤵
  PID:1880
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fdWNet.mof
  2⤵
  PID:4312
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fdWSD.mof
  2⤵
  PID:4476
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\filetrace.mof
  2⤵
  PID:1072
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\firewallapi.mof
  2⤵
  PID:1596
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\FolderRedirectionWMIProvider.mof
  2⤵
  - Drops file in System32 directory
  PID:1080
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\FunDisc.mof
  2⤵
  PID:2168
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fwcfg.mof
  2⤵
  PID:4572
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\hbaapi.mof
  2⤵
  - Drops file in System32 directory
  PID:5024
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\hnetcfg.mof
  2⤵
  PID:2644
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\IMAPIv2-Base.mof
  2⤵
  PID:1892
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\IMAPIv2-FileSystemSupport.mof
  2⤵
  PID:5076
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\IMAPIv2-LegacyShim.mof
  2⤵
  PID:4868
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\interop.mof
  2⤵
  PID:1724
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\IpmiDTrc.mof
  2⤵
  PID:2944
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ipmiprv.mof
  2⤵
  - Drops file in System32 directory
  PID:4428
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\IpmiPTrc.mof
  2⤵
  PID:4208
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ipsecsvc.mof
  2⤵
  PID:860
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\irda.mof
  2⤵
  PID:1720
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\irmon.mof
  2⤵
  PID:1716
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\iscsidsc.mof
  2⤵
  PID:1936
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\iscsihba.mof
  2⤵
  - Drops file in System32 directory
  PID:2884
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\iscsiprf.mof
  2⤵
  PID:2852
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\iscsirem.mof
  2⤵
  PID:4280
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\iscsiwmiv2.mof
  2⤵
  - Drops file in System32 directory
  PID:4548
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\iscsiwmiv2_uninstall.mof
  2⤵
  PID:2900
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\kerberos.mof
  2⤵
  - Drops file in System32 directory
  PID:5072
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\krnlprov.mof
  2⤵
  PID:3868
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\L2SecHC.mof
  2⤵
  - Drops file in System32 directory
  PID:3316
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\lltdio.mof
  2⤵
  PID:3848
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\lltdsvc.mof
  2⤵
  PID:5112
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\lsasrv.mof
  2⤵
  PID:2212
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mblctr.mof
  2⤵
  PID:5052
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\MDMAppProv.mof
  2⤵
  PID:2092
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\MDMAppProv_Uninstall.mof
  2⤵
  PID:4244
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\MDMSettingsProv.mof
  2⤵
  - Drops file in System32 directory
  PID:3212
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\MDMSettingsProv_Uninstall.mof
  2⤵
  PID:3476
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Microsoft-Windows-OfflineFiles.mof
  2⤵
  PID:3448
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Microsoft-Windows-Remote-FileSystem.mof
  2⤵
  PID:4340
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi.mof
  2⤵
  PID:4844
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Microsoft.Uev.ManagedAgentWmi.mof
  2⤵
  - Drops file in System32 directory
  PID:1628
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Microsoft.Uev.ManagedAgentWmiUninstall.mof
  2⤵
  - Drops file in System32 directory
  PID:2016
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mispace.mof
  2⤵
  PID:5020
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mispace_uninstall.mof
  2⤵
  PID:2404
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mmc.mof
  2⤵
  PID:748
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mountmgr.mof
  2⤵
  PID:3036
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mpeval.mof
  2⤵
  PID:4628
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mpsdrv.mof
  2⤵
  PID:3668
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mpssvc.mof
  2⤵
  PID:4568
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\MsDtcWmi.mof
  2⤵
  PID:2632
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\msfeeds.mof
  2⤵
  PID:2820
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\msfeedsbs.mof
  2⤵
  PID:4200
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\msi.mof
  2⤵
  PID:3000
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\msiscsi.mof
  2⤵
  PID:1376
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\MsNetImPlatform.mof
  2⤵
  PID:2208
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mstsc.mof
  2⤵
  - Drops file in System32 directory
  PID:4556
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mstscax.mof
  2⤵
  PID:2960
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\msv1_0.mof
  2⤵
  PID:4120
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mswmdm.mof
  2⤵
  PID:2492
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ncprov.mof
  2⤵
  - Drops file in System32 directory
  PID:3520
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ncsi.mof
  2⤵
  PID:2764
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ndistrace.mof
  2⤵
  - Drops file in System32 directory
  PID:4292
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetAdapterCim.mof
  2⤵
  PID:4828
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetAdapterCimTrace.mof
  2⤵
  PID:3772
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetAdapterCimTraceUninstall.mof
  2⤵
  PID:2856
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetAdapterCim_uninstall.mof
  2⤵
  PID:2172
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\netdacim.mof
  2⤵
  - Drops file in System32 directory
  PID:4876
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\netdacim_uninstall.mof
  2⤵
  PID:5052
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetEventPacketCapture.mof
  2⤵
  PID:3704
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetEventPacketCapture_uninstall.mof
  2⤵
  PID:644
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\netnccim.mof
  2⤵
  PID:1536
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\netnccim_uninstall.mof
  2⤵
  PID:3856
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetPeerDistCim.mof
  2⤵
  PID:3364
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetPeerDistCim_uninstall.mof
  2⤵
  PID:1500
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\netprofm.mof
  2⤵
  PID:2548
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetSwitchTeam.mof
  2⤵
  - Drops file in System32 directory
  PID:1168
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetTCPIP.mof
  2⤵
  PID:4160
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetTCPIP_Uninstall.mof
  2⤵
  PID:4572
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\netttcim.mof
  2⤵
  PID:4636
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\netttcim_uninstall.mof
  2⤵
  PID:2652
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\networkitemfactory.mof
  2⤵
  PID:3708
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\newdev.mof
  2⤵
  PID:4176
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\nlasvc.mof
  2⤵
  PID:5076
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\nlmcim.mof
  2⤵
  - Drops file in System32 directory
  PID:4860
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\nlmcim_uninstall.mof
  2⤵
  PID:2680
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\nlsvc.mof
  2⤵
  - Drops file in System32 directory
  PID:2944
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\npivwmi.mof
  2⤵
  PID:1416
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\nshipsec.mof
  2⤵
  PID:2736
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ntevt.mof
  2⤵
  - Drops file in System32 directory
  PID:4624
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ntfs.mof
  2⤵
  PID:2064
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\OfflineFilesConfigurationWmiProvider.mof
  2⤵
  - Drops file in System32 directory
  PID:1084
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\OfflineFilesConfigurationWmiProvider_Uninstall.mof
  2⤵
  PID:3728
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\OfflineFilesWmiProvider.mof
  2⤵
  - Drops file in System32 directory
  PID:4524
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\OfflineFilesWmiProvider_Uninstall.mof
  2⤵
  - Drops file in System32 directory
  PID:2708
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\p2p-mesh.mof
  2⤵
  PID:3140
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\p2p-pnrp.mof
  2⤵
  PID:4480
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\partmgr.mof
  2⤵
  PID:3720
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\pcsvDevice.mof
  2⤵
  PID:2124
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\pcsvDevice_Uninstall.mof
  2⤵
  PID:4516
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\PNPXAssoc.mof
  2⤵
  PID:2888
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\PolicMan.mof
  2⤵
  PID:3748
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\polproc.mof
  2⤵
  PID:2956
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\polprocl.mof
  2⤵
  - Drops file in System32 directory
  PID:2968
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\polprou.mof
  2⤵
  PID:3716
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\polstore.mof
  2⤵
  PID:1308
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\portabledeviceapi.mof
  2⤵
  PID:3704
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\portabledeviceclassextension.mof
  2⤵
  PID:644
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\portabledeviceconnectapi.mof
  2⤵
  PID:3212
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\portabledevicetypes.mof
  2⤵
  PID:4804
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\portabledevicewiacompat.mof
  2⤵
  PID:3452
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\powermeterprovider.mof
  2⤵
  - Drops file in System32 directory
  PID:4264
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\PowerWmiProvider.mof
  2⤵
  - Drops file in System32 directory
  PID:1072
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\PowerWmiProvider_Uninstall.mof
  2⤵
  PID:4816
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ppcRsopCompSchema.mof
  2⤵
  PID:2648
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ppcRsopUserSchema.mof
  2⤵
  PID:5016
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\PrintFilterPipelineSvc.mof
  2⤵
  PID:5040
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\PrintManagementProvider.mof
  2⤵
  PID:1148
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\profileassociationprovider.mof
  2⤵
  PID:2560
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\PS_MMAgent.mof
  2⤵
  - Drops file in System32 directory
  PID:4628
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\qmgr.mof
  2⤵
  PID:3668
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\qoswmi.mof
  2⤵
  - Drops file in System32 directory
  PID:2716
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\qoswmitrc.mof
  2⤵
  PID:2632
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\qoswmitrc_uninstall.mof
  2⤵
  PID:508
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\qoswmi_uninstall.mof
  2⤵
  PID:4200
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\RacWmiProv.mof
  2⤵
  PID:4172
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\rdpcore.mof
  2⤵
  PID:2996
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\rdpencom.mof
  2⤵
  PID:2728
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\rdpendp.mof
  2⤵
  PID:4544
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\rdpinit.mof
  2⤵
  - Drops file in System32 directory
  PID:4616
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\rdpshell.mof
  2⤵
  - Drops file in System32 directory
  PID:2892
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\refs.mof
  2⤵
  - Drops file in System32 directory
  PID:3672
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\refsv1.mof
  2⤵
  PID:4180
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\regevent.mof
  2⤵
  - Drops file in System32 directory
  PID:2900
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Remove.Microsoft.AppV.AppvClientWmi.mof
  2⤵
  - Drops file in System32 directory
  PID:772
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\rsop.mof
  2⤵
  PID:996
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\rspndr.mof
  2⤵
  PID:4528
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\samsrv.mof
  2⤵
  PID:4144
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\scersop.mof
  2⤵
  - Drops file in System32 directory
  PID:2212
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\schannel.mof
  2⤵
  PID:1556
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\SchedProv.mof
  2⤵
  - Drops file in System32 directory
  PID:2824
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\scm.mof
  2⤵
  - Drops file in System32 directory
  PID:5084
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\scrcons.mof
  2⤵
  - Drops file in System32 directory
  PID:816
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\sdbus.mof
  2⤵
  PID:3212
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\secrcw32.mof
  2⤵
  - Drops file in System32 directory
  PID:4804
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\SensorsClassExtension.mof
  2⤵
  PID:4844
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ServiceModel.mof
  2⤵
  PID:1836
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ServiceModel35.mof
  2⤵
  PID:2032
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\services.mof
  2⤵
  PID:1848
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\setupapi.mof
  2⤵
  PID:636
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\SmbWitnessWmiv2Provider.mof
  2⤵
  - Drops file in System32 directory
  PID:4572
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\smbwmiv2.mof
  2⤵
  - Drops file in System32 directory
  PID:4128
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\smtpcons.mof
  2⤵
  PID:1148
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\sppwmi.mof
  2⤵
  - Drops file in System32 directory
  PID:2560
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\sr.mof
  2⤵
  PID:4628
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\sstpsvc.mof
  2⤵
  PID:2680
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\storagewmi.mof
  2⤵
  PID:3872
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\storagewmi_passthru.mof
  2⤵
  PID:1416
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\storagewmi_passthru_uninstall.mof
  2⤵
  PID:1232
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\storagewmi_uninstall.mof
  2⤵
  PID:2788
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\stortrace.mof
  2⤵
  PID:1084
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\subscrpt.mof
  2⤵
  - Drops file in System32 directory
  PID:2864
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\system.mof
  2⤵
  PID:4912
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\tcpip.mof
  2⤵
  PID:1884
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\tsallow.mof
  2⤵
  PID:4496
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\tscfgwmi.mof
  2⤵
  PID:3672
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\tsmf.mof
  2⤵
  PID:4292
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\tspkg.mof
  2⤵
  PID:4864
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\umb.mof
  2⤵
  PID:4828
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\umbus.mof
  2⤵
  PID:5000
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\umpass.mof
  2⤵
  PID:1844
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\umpnpmgr.mof
  2⤵
  PID:2140
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\UserProfileConfigurationWmiProvider.mof
  2⤵
  - Drops file in System32 directory
  PID:4144
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\UserProfileWmiProvider.mof
  2⤵
  PID:4020
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\UserStateWMIProvider.mof
  2⤵
  PID:1308
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\vds.mof
  2⤵
  PID:4332
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\vpnclientpsprovider.mof
  2⤵
  - Drops file in System32 directory
  PID:5084
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\vpnclientpsprovider_Uninstall.mof
  2⤵
  PID:816
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\vss.mof
  2⤵
  PID:3212
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WBEMCons.mof
  2⤵
  PID:1572
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wcncsvc.mof
  2⤵
  PID:2548
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WdacEtwProv.mof
  2⤵
  - Drops file in System32 directory
  PID:1836
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WdacWmiProv.mof
  2⤵
  PID:2032
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WdacWmiProv_Uninstall.mof
  2⤵
  PID:5024
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Wdf01000.mof
  2⤵
  PID:3560
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Wdf01000Uninstall.mof
  2⤵
  PID:748
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wdigest.mof
  2⤵
  PID:4232
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WEMSAL_WmiProvider.mof
  2⤵
  PID:3556
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WEMSAL_WmiProvider_uninstall.mof
  2⤵
  PID:3700
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WFAPIGP.mof
  2⤵
  PID:4328
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wfascim.mof
  2⤵
  PID:3540
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wfascim_uninstall.mof
  2⤵
  PID:420
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WFP.MOF
  2⤵
  PID:4288
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wfs.mof
  2⤵
  PID:696
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WgxInstalledGame.mof
  2⤵
  PID:296
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\whqlprov.mof
  2⤵
  PID:2180
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Win32_DeviceGuard.mof
  2⤵
  PID:2208
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\win32_encryptablevolume.mof
  2⤵
  PID:3728
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Win32_EncryptableVolumeUninstall.mof
  2⤵
  PID:4912
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\win32_printer.mof
  2⤵
  PID:3520
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Win32_Tpm.mof
  2⤵
  PID:5080
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wininit.mof
  2⤵
  PID:1912
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\winipsec.mof
  2⤵
  PID:3156
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\winlogon.mof
  2⤵
  PID:3868
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Winsat.mof
  2⤵
  PID:1276
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WinsatUninstall.mof
  2⤵
  PID:5108
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wlan.mof
  2⤵
  PID:4480
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WLanHC.mof
  2⤵
  PID:2140
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmi.mof
  2⤵
  PID:4144
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipcima.mof
  2⤵
  PID:4348
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipdfs.mof
  2⤵
  PID:1532
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipdskq.mof
  2⤵
  PID:4216
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WmiPerfClass.mof
  2⤵
  PID:2704
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WmiPerfInst.mof
  2⤵
  PID:4212
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipicmp.mof
  2⤵
  PID:1500
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipiprt.mof
  2⤵
  PID:1080
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipjobj.mof
  2⤵
  PID:4816
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipsess.mof
  2⤵
  PID:5116
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmitimep.mof
  2⤵
  PID:4452
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WMI_Tracing.mof
  2⤵
  PID:5040
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmp.mof
  2⤵
  PID:748
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmpnetwk.mof
  2⤵
  PID:4232
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpdbusenum.mof
  2⤵
  PID:4884
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpdcomp.mof
  2⤵
  PID:5036
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpdfs.mof
  2⤵
  PID:2716
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpdmtp.mof
  2⤵
  PID:2820
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpdshext.mof
  2⤵
  PID:2944
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WPDShServiceObj.mof
  2⤵
  PID:1720
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpdsp.mof
  2⤵
  PID:2012
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpd_ci.mof
  2⤵
  PID:4624
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wscenter.mof
  2⤵
  PID:2788
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WsmAgent.mof
  2⤵
  PID:4544
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WsmAgentUninstall.mof
  2⤵
  PID:4616
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WsmAuto.mof
  2⤵
  PID:3776
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wsp_fs.mof
  2⤵
  PID:4560
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wsp_fs_uninstall.mof
  2⤵
  PID:3672
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wsp_health.mof
  2⤵
  PID:2300
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wsp_health_uninstall.mof
  2⤵
  PID:2900
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wsp_sr.mof
  2⤵
  PID:3536
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wsp_sr_uninstall.mof
  2⤵
  PID:1860
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WUAProvider.mof
  2⤵
  PID:4528
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WUDFx.mof
  2⤵
  PID:4192
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Wudfx02000.mof
  2⤵
  PID:4876
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Wudfx02000Uninstall.mof
  2⤵
  PID:1312
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WUDFxUninstall.mof
  2⤵
  PID:2824
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\xwizards.mof
  2⤵
  PID:4356
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\000CA9FCCEA7C766DFE3B6493B9A908F.mof
  2⤵
  PID:4808
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\00195CB61C2A32BDFC7FBC36952E250C.mof
  2⤵
  PID:2568
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\016A4FDC29C2CD1C06090D04CC752B4D.mof
  2⤵
  PID:3004
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\01B65BA66800FEA5CE7F4892966D7559.mof
  2⤵
  PID:1412
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\01D083B8F092E9FEF6D9C55A64A75334.mof
  2⤵
  PID:4632
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\01EA423F27498C64D3F6C297AE2BD8F2.mof
  2⤵
  PID:4456
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\020FD1D34279A20EBB3742D63B9E359A.mof
  2⤵
  PID:1908
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0232BC928C9666E5DB91EC0848F13E18.mof
  2⤵
  PID:5116
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0309255AB46E3D6CAE2056340225DDA9.mof
  2⤵
  PID:4572
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\033B1D9B4216B475E81B22B7067A7D1D.mof
  2⤵
  PID:3560
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0357610A8F431F78C35A3F00FF8E7E13.mof
  2⤵
  PID:3480
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\038145628EF306DCD8FD7686C52BD131.mof
  2⤵
  PID:2780
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\03E20F6C54427A7C0DDEE97EC0898FAB.mof
  2⤵
  PID:4904
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\042E30CED0EE9B02641D0960BD5D6854.mof
  2⤵
  PID:2644
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0471EE6D56711CCAFEBCF01C57F9159A.mof
  2⤵
  PID:2716
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\04920A1D7F20A747256FB48CA8A0147B.mof
  2⤵
  PID:1756
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\04B1FC5EA475F43F0CF8815E33B5913C.mof
  2⤵
  PID:584
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\04D5961EC17DF68D8407B772F9C7DF98.mof
  2⤵
  PID:3344
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\050F60C5DEC201482BC14E317519A6F6.mof
  2⤵
  PID:296
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\057069C8BCE64220B28DD683690F6879.mof
  2⤵
  PID:4220
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0583E7E08D1877A324A2553D19A795EA.mof
  2⤵
  PID:1084
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\069B498336DCA76D929AAAF5631ED0A5.mof
  2⤵
  PID:4588
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\06A22D2701E90D7DDCF8AAC0522F2449.mof
  2⤵
  PID:2892
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\06DAE99BF3D429EE4946D4BF8BFF8C96.mof
  2⤵
  PID:4560
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\06DEE93B2013BBE13958B3FA0D45AEB5.mof
  2⤵
  PID:524
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0736061F644ECE849A494F2EDE2008CE.mof
  2⤵
  PID:5004
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\07DEBAF9D5370A67C14542F22A004AAA.mof
  2⤵
  PID:5000
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\086D10A6F37ED2F988C9A8EDEF53B707.mof
  2⤵
  PID:3748
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\08BF1AF6E61B8456B1D5B42769C3412C.mof
  2⤵
  PID:4504
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\08D51E934D3BA7EB8F60B6E90B6F1511.mof
  2⤵
  PID:4284
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\08F894CB142235B53617974B1893CC74.mof
  2⤵
  PID:5088
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\09329A919E0B1FEB9E13BE1D4E8C71B0.mof
  2⤵
  PID:5056
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0955A3255BE8F939592AA33CBFED6637.mof
  2⤵
  PID:4144
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\095DDA6145E278EC67897251831FDD47.mof
  2⤵
  PID:4488
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\097C63F5D2B8C4182BEB625A8287192D.mof
  2⤵
  PID:1532
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\09A251213F70FF824ABB31AACEEAC17F.mof
  2⤵
  PID:4808
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0A2DA7EA3492D7ECD2C313A8B7490FC1.mof
  2⤵
  PID:2568
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0A49A422B8A92BD87756E892C1BAEC38.mof
  2⤵
  PID:3004
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0A76D835FEE42A0F9B07455539850A30.mof
  2⤵
  PID:1412
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0A7CF62821E141ADACC0C287DDD01839.mof
  2⤵
  PID:4160
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0B21EB6E1A9BA82714E2C9FCB1DD6E8A.mof
  2⤵
  PID:4444
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0B410C5019E5BB240FE3D9209B3CEAF2.mof
  2⤵
  PID:1908
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0B7747DAC81B5CDD2893AAE2E4BBE034.mof
  2⤵
  PID:3516
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0BE369FFE21F5817AE0847874550D36B.mof
  2⤵
  PID:4452
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0C0B602529B4AB335EE2B6BDD125ADB2.mof
  2⤵
  PID:3556
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0C69CCBA85788C332EEDF80F771C31BA.mof
  2⤵
  PID:3916
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0C840E79E220554456F582031714D456.mof
  2⤵
  PID:5028
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0CB6D8EA6179D949B588A4D328F2A1D5.mof
  2⤵
  PID:1436
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0CBD6BDA858114EC196F6B41C2CFD3BF.mof
  2⤵
  PID:2756
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0CCAA8293392639FBA830DD578DB2C02.mof
  2⤵
  PID:2716
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0D169F54EB7176F6BF264A5F8562C98B.mof
  2⤵
  PID:1756
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0DA95863FE4B25CC2D43F0020902CB31.mof
  2⤵
  PID:580
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0DAE6401EA75135DC71C2BF2727AE47F.mof
  2⤵
  PID:4580
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0DC0A697FFCC592B72AABF89E4FD9156.mof
  2⤵
  PID:3144
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0E68BDAB79C00E0C496F8772703BB3AB.mof
  2⤵
  PID:4832
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0EA772F1A1EDFC2AEE10CC4E22899FA7.mof
  2⤵
  PID:2976
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0EACEE5F78D8DC364E3C886DBB50601B.mof
  2⤵
  PID:168
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0EB7B5521B8E9A713CA5D4DE1135B365.mof
  2⤵
  PID:3672
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0EBA1F7B891BD5FE808E91F1D5467AFE.mof
  2⤵
  PID:2300
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0EBDDF573C99959D239BF0ADB48A18B5.mof
  2⤵
  PID:2128
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0F6999175ECAE7FD86A81D5F3AC1FA46.mof
  2⤵
  PID:4448
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\100C683F4F92BE5F31DCF9E5E8F8A127.mof
  2⤵
  PID:1860
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\105E698CE1AE9FA053B763F2C80120D6.mof
  2⤵
  PID:4528
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\10D697E74C7A4CC694967A7BA1861EE7.mof
  2⤵
  PID:3532
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\10EDE1FE24EBC1EBE598FDE3A051CB83.mof
  2⤵
  PID:2140
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1112723BBB11F9E8C6D82115C54D7857.mof
  2⤵
  PID:500
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\11992DCCFDD62BD40E85DA67BD91FF88.mof
  2⤵
  PID:3244
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1228A6BDE4139369DF7DB4975C62A50A.mof
  2⤵
  PID:4332
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\128E25AF26A5FD60EC8421A35FE38114.mof
  2⤵
  PID:4356
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1364A1ACC2D182FC0E95C7573ADD0308.mof
  2⤵
  PID:3212
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\13BC960D220197BCBCC7F1658C34102D.mof
  2⤵
  PID:3056
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\13CCBA6336601A2FC7014254742EBD8B.mof
  2⤵
  PID:4244
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\153FCFE945068754B72A6FC011B37613.mof
  2⤵
  PID:1072
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\160386BCC54C67562570A808003698B2.mof
  2⤵
  PID:3944
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1641F982282E8CA70B0D93F1F2BB145B.mof
  2⤵
  PID:1732
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1671EBB4B246E464FCB7369EAB2831EF.mof
  2⤵
  PID:2404
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\16C850723D6D606824E3600992F717AC.mof
  2⤵
  PID:3560
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\16E269CB069C7242FB610AB48045318B.mof
  2⤵
  PID:3840
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\170119984F3AA426567DD71E8458DCA1.mof
  2⤵
  PID:4852
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\172412DF1F8338E4AD006E9F9788ED2A.mof
  2⤵
  PID:4628
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\173F0B14BCB5F1B2B2258AFA66FA1F6A.mof
  2⤵
  PID:4128
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\179828219D3CF81FF212E021A69DF006.mof
  2⤵
  PID:3380
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\17BCA321685944580A77D03BECECF588.mof
  2⤵
  PID:2736
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\17CF414FA1DE5CE02A5C9AC66A2D8F5E.mof
  2⤵
  PID:1720
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\180E25D92AFCF71A996BC7AC24F27DD5.mof
  2⤵
  PID:4296
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\18194DF78686FCBACD0E6868ED0E0919.mof
  2⤵
  PID:4608
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1898EDEA64C511B1CB8EF5483101FB35.mof
  2⤵
  PID:4972
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\18B9AA34B315DE18655875C087F7E147.mof
  2⤵
  PID:3324
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\18F122357839ADA1419DDE2C541904BE.mof
  2⤵
  PID:4616
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\192325CD712AED7BF56940AD3BB9A176.mof
  2⤵
  PID:4912
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\195AE1B89E0FF6CD40670E98BAB3A608.mof
  2⤵
  PID:1172
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\198029E6BF51E6E158ECF68FF0B36E3A.mof
  2⤵
  PID:5080
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\19B9819A1C5AE6BC556E1A65834AEC13.mof
  2⤵
  PID:4848
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1A62F8CF28E9ED8FBDCEA3D28AC6D3EF.mof
  2⤵
  PID:3536
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1AA085F45F04FFF42F8B23EE4B1DD6D5.mof
  2⤵
  PID:5000
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1AEA6E68EBB34016ED94F24ABB9308E5.mof
  2⤵
  PID:3748
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1B15F9EA2C8E8A55CC1CBE63FB6B4840.mof
  2⤵
  PID:4132
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1B1859A081E5E0E923DE7CA17A3AD0E6.mof
  2⤵
  PID:4020
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1B243182F610F39F48F63ED2AAF2E4C6.mof
  2⤵
  PID:2696
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1BF02F5F261B4F6E08912C82760B1564.mof
  2⤵
  PID:5012
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1C57A0A063E5D1FAE814B23DFF99DA42.mof
  2⤵
  PID:2576
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1C6A987B4B0CF81C64F418964D02E590.mof
  2⤵
  PID:3244
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1D17F2812D61D6A27510A5356CBCB2C6.mof
  2⤵
  PID:2540
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1D2F2472E8915C165DD3667793DD6216.mof
  2⤵
  PID:68
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1D39564B78F00E3F6ED4B4A5662781B2.mof
  2⤵
  PID:3212
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1D3D7B63AE783F3DBBD4FD9F43301BD1.mof
  2⤵
  PID:3056
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1D770486C382CDC6F1CD832E1D040FEF.mof
  2⤵
  PID:1080
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1D8E83D3077F05426D7F5E7C92A52BC2.mof
  2⤵
  PID:1848
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1DD21D310EE87FB8B3301E43E53F9548.mof
  2⤵
  PID:4636
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1E3959634C12CA1C92AEBB0AB0A0CD47.mof
  2⤵
  PID:8
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1E50D6323FD92D3DDCD8B52937074C9C.mof
  2⤵
  PID:4584
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1ED415C5FAB66F75A8BD9D906ED1FD79.mof
  2⤵
  PID:1148
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1F539B7D89D5675D5FBC71A5A1E7C62D.mof
  2⤵
  PID:2964
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1F5D7EA255DEC718E6C93AFC61039C12.mof
  2⤵
  PID:3916
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1FD16EA55AB471DAD65A8AE31A92BFE1.mof
  2⤵
  PID:4852
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\20916DA71EC75FCC409872C3207D9C60.mof
  2⤵
  PID:4628
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\20EF0B41F86B67FBB71739AA19D6F941.mof
  2⤵
  PID:3872
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\210892B3C5033337B5C4FCD68AA35128.mof
  2⤵
  PID:4204
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2131A60D40501A974386B9E42E4FC201.mof
  2⤵
  PID:2736
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2174D8A485DAE80D1D90B7E5430F164F.mof
  2⤵
  PID:1720
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2215A345459824E0504DB85AEBB502CE.mof
  2⤵
  PID:4296
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\22C5E271CACABCBB6D1BF416CB483DB1.mof
  2⤵
  PID:3496
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\232692AF542DAC9C19624048D7BCE0F9.mof
  2⤵
  PID:2980
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\23FFA2BEE2CFCB552EEC22762785E6B4.mof
  2⤵
  PID:1084
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\25CCB9BAD9B50F42124D935083535916.mof
  2⤵
  PID:2732
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\25CE4D0A477A7A536B1F5C9965A6C9E4.mof
  2⤵
  PID:2896
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\25E9A5A2000F7483536AEC7F5BBAD557.mof
  2⤵
  PID:1172
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\265FD3983F420D89954E000E4E311FC5.mof
  2⤵
  PID:5080
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\26E8FD3933B4712ABA50053BBE27630F.mof
  2⤵
  PID:2300
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2794DD6CC13BD11ED558AA64C449E6D7.mof
  2⤵
  PID:4828
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\28DFEEAE5E755E081510079AEA4BA2DB.mof
  2⤵
  PID:3848
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\29B55D1D5A0BB6BBFD2F6F1D35B3A1BB.mof
  2⤵
  PID:4988
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2A2AB14E79261C4C2272F4B50901244C.mof
  2⤵
  PID:3532
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2A8F8C0C68BF867A9E2A7AB38260A4F9.mof
  2⤵
  PID:5088
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2B416E2919A9D497584044544D3C8433.mof
  2⤵
  PID:4224
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2BF259128A811B9C7417AEAD9F596A8E.mof
  2⤵
  PID:644
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2C688638F731D0D535DBB9DA2F979753.mof
  2⤵
  PID:4332
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2C6A80FDED75E46CA733976E382559CC.mof
  2⤵
  PID:4260
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2C7CF4E1EA79BFA00DDAAADCB67FCA96.mof
  2⤵
  PID:2024
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2D0F883F26EE14287D5262E2FC93E3CE.mof
  2⤵
  PID:4844
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2D1A849208186237BBED16B3B5D7238E.mof
  2⤵
  PID:2168
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2DB099F474FFAB578AD726E4F2905FED.mof
  2⤵
  PID:4444
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2DFDBD25A9B159E6B632A69ADD81F446.mof
  2⤵
  PID:2036
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2E4D19AFECF3B4188F10CD16C8BB92E1.mof
  2⤵
  PID:3876
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2EC8433E19B30A13955120CB32A18CFC.mof
  2⤵
  PID:3708
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2F0CC20947142CB05C49044919898802.mof
  2⤵
  PID:2640
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2F58A8772B1579A81054587DFC0A68CE.mof
  2⤵
  PID:3556
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2FA567F6FE2F89694B594B3FAC75D6DF.mof
  2⤵
  PID:3916
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\30711D4696101AA94690C8C51432F5E2.mof
  2⤵
  PID:2680
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\30A5229E4F736548D2D9FA13F92C9A82.mof
  2⤵
  PID:4904
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\30C22E5728F64CE0E1605A4A77934948.mof
  2⤵
  PID:3872
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\30C3808B55CD6C563447B44FC4E9BAD8.mof
  2⤵
  PID:4204
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\30DFAF0BD5AD387D985719F41E186AD5.mof
  2⤵
  PID:580
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\31998CC82EC1ED985097054B275161ED.mof
  2⤵
  PID:860
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\32057A09A1167F6F66F16DA67DF1C918.mof
  2⤵
  PID:1884
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3209C3555EE020AE8FA1C869C6A591D9.mof
  2⤵
  PID:3488
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\320EDC28FFEC3C708AB2DDE6C70FD624.mof
  2⤵
  PID:4280
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3281CFB9A42D9486C40C0A4D010D65E6.mof
  2⤵
  PID:3776
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\329A6D1E4413466F2111A8B0F5C0A51B.mof
  2⤵
  PID:4560
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\33295A3A1D28CAE3DFB6C5167CCAAE6F.mof
  2⤵
  PID:2900
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\338BB90D61D579C0DCB5D57D723A51EE.mof
  2⤵
  PID:5080
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\33A13765948753719F44CA6F7E586909.mof
  2⤵
  PID:4448
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\33B9B81C996ACC2B2000070519028F72.mof
  2⤵
  PID:1860
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\344FC63DB23C44805CA5C08EAC26522F.mof
  2⤵
  PID:2348
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\345C49713BAB91E320E0183986F86818.mof
  2⤵
  PID:4140
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\347C4407B808EB65CAFD16126D73D922.mof
  2⤵
  PID:2212
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\348C74BBB0C8791244D9BA708604211E.mof
  2⤵
  PID:1668
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\34945C148CB28454DF772D7436BAE73A.mof
  2⤵
  PID:4432
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\361C55667115751869AC74207D28DCE7.mof
  2⤵
  PID:3856
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\36A47C4202A2694FFD79C2BABBD02788.mof
  2⤵
  PID:1280
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\36AC724DE559C5D39EB46462A440D4E5.mof
  2⤵
  PID:1384
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3704297DA195A3B2DADC6D89B6226662.mof
  2⤵
  PID:4212
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\371088BC97F0585065A1A08ED83172D6.mof
  2⤵
  PID:1964
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3778D40681E80056E0C63E6CB18E9E37.mof
  2⤵
  PID:2808
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\37846654B2AF369ED3D0A3637E941D9B.mof
  2⤵
  PID:4844
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\379E5EC415D0E0A49EFDD4B3564BE048.mof
  2⤵
  PID:3040
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\37D4F7E4435BDF811F1EC2CBA1EF4A10.mof
  2⤵
  PID:4116
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3855849167EAA03A99F4C8450E15A6ED.mof
  2⤵
  PID:4312
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\38841DF145EDAB1901F40F6B9A6AF4AA.mof
  2⤵
  PID:1564
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\38F922911FA0CAE637E5D1EB1013D0F1.mof
  2⤵
  PID:804
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\395955902B64122A6EF58A130F284979.mof
  2⤵
  PID:4572
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\39C2F82384C755EF218F0F19FE619F80.mof
  2⤵
  PID:5116
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3A2F8881A3B96DF2374FCEFB35545D6B.mof
  2⤵
  PID:4672
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3A65AC537877D583303AEEF0342B5D51.mof
  2⤵
  PID:2308
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3A75BC18F00746E3EB756A5A8AB71D56.mof
  2⤵
  PID:3916
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3AF58951EB00AD264E4FCF4BA804D893.mof
  2⤵
  PID:512
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3B443485D5F96CA9554D404AA52A1633.mof
  2⤵
  PID:3540
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3B60B0417CAF81D69389063C334577F1.mof
  2⤵
  PID:4660
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3BB167BC6A619E5D11B40C8B9F699327.mof
  2⤵
  PID:2200
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3BBB431B659936EB58D4574BC05768CD.mof
  2⤵
  PID:1376
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3C03DD39D967893238742C503189BA92.mof
  2⤵
  PID:3980
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3C11F3A2BFB9588C467B72E02345362F.mof
  2⤵
  PID:2012
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3C90AAC6E581F57E99B164C33906BD30.mof
  2⤵
  PID:1936
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3CA3E3E8C27409E2288B236F5F414F56.mof
  2⤵
  PID:3728
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3D486D2EBFD5C380959985A548DC1308.mof
  2⤵
  PID:4596
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3D7D7734943CA5F273BDA05F3E1FA20C.mof
  2⤵
  PID:2768
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3D93BA5591BD981C5D5D6E2BEFACAA50.mof
  2⤵
  PID:2932
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3DA405CE6ACE7B7A8320D68D317B9729.mof
  2⤵
  PID:4616
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3EB36FAFDAE870DF05542C0B4AAAD7EF.mof
  2⤵
  PID:4912
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3EE2F37B4639F4307BAF0C707B092F7C.mof
  2⤵
  PID:2564
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3F78FC5E2CC6CFD8720C796D34A544F7.mof
  2⤵
  PID:4964
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3FFDD473F026FB198DA9FA65EE71383C.mof
  2⤵
  PID:5080
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4001CC0C4B56CFDE0493013FC1D9DD0F.mof
  2⤵
  PID:5096
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\403B948C3850C376E6FCA88EF3F5CCA8.mof
  2⤵
  PID:4148
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\407E61D88570FDFD5EC8891DBF9A3EBC.mof
  2⤵
  PID:2204
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\40E224B18F4493C1B8E43DBC496D8E68.mof
  2⤵
  PID:4988
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4136DDD03841D93F3D820441F60BE055.mof
  2⤵
  PID:196
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\413CED83449192A10E66EAD24743140E.mof
  2⤵
  PID:4996
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\42CB2CBBDCBB0DB751E51FF6B279C524.mof
  2⤵
  PID:4348
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\430091E25BA6C7FE2FE5DC31776BEACC.mof
  2⤵
  PID:4704
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\434B7316BB2FAD82DC3E5784AC46B4A0.mof
  2⤵
  PID:4216
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\43535D7A73D735DEFF9DB83057553D39.mof
  2⤵
  PID:1280
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\435A088CDF6FE7426084E4B35C1E81C7.mof
  2⤵
  PID:1776
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\435FA4D2CAB38A1853F91A3BE8F89D4E.mof
  2⤵
  PID:4376
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4371EC94BF996AF79B062599D10C927E.mof
  2⤵
  PID:1168
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\43AC153E4DED1737C66AEC0C7EAD9430.mof
  2⤵
  PID:2336
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\43EDE2715871F08D0BEFB4C9DE69E247.mof
  2⤵
  PID:864
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\441A12A68AB1A20902A131356BA4CF30.mof
  2⤵
  PID:1816
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\44B487D5879BCD6C593C9066936D12AD.mof
  2⤵
  PID:5024
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\44C46B87678291B7CFBF7D8A6452D98D.mof
  2⤵
  PID:4444
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\45277ADB2DA919AFFF18833506353174.mof
  2⤵
  PID:1540
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4552656C2901FB1533D6679D49B69929.mof
  2⤵
  PID:2076
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4561B54041D5F414CB02373F78461708.mof
  2⤵
  PID:4936
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\45909B0D5A9FD1FE57C8BD13773D4358.mof
  2⤵
  PID:2120
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\46F812454290EE1E870544BFEAC8C7EF.mof
  2⤵
  PID:2964
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4795058F848A6BA6FE24E0530CE2E2DF.mof
  2⤵
  PID:2800
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\47C87AFF6DBF51980E7CA3E36C38B86B.mof
  2⤵
  PID:4852
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4846320185EA62FBD8507FD7A9D87E61.mof
  2⤵
  PID:3896
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\48959878DDCA03B0FA77D806C7C5D743.mof
  2⤵
  PID:420
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\49C04C47AB946E0864486F81F6E251BC.mof
  2⤵
  PID:2712
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4B69CC652B5189D5B2136DFDC5369593.mof
  2⤵
  PID:2820
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4B95063FF713676A54E7221DF8245C78.mof
  2⤵
  PID:2096
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4BD7268ABFF9CFF22DA57949025E2667.mof
  2⤵
  PID:4492
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4BE30AA8CC2C4C06B41336B9B3878B1E.mof
  2⤵
  PID:3980
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4BE9D6CB921FE137B78AE9960CDD98B0.mof
  2⤵
  PID:3076
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4C3FFB127B4E9B67BFACD89178DE3DA3.mof
  2⤵
  PID:2208
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4CCFEF2D31696D11C8735BD7C8BE14B9.mof
  2⤵
  PID:4120
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4D9BCF0F509C90FA86E1ED3A34E158A0.mof
  2⤵
  PID:4588
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4DAE009EE0BC4B9ECA96E59E303AE1E5.mof
  2⤵
  PID:4292
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4E20565265CAAFBDB6BA1B1C1ADA9D96.mof
  2⤵
  PID:4360
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4E34C76D83E2430D779FE9AA17E87200.mof
  2⤵
  PID:4544
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4E5EE363F62039780D739C7FE128A149.mof
  2⤵
  PID:2900
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4E8CF66DA5DBCEE8F47DFDDF0B14DEC0.mof
  2⤵
  PID:5072
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4E941341E008BE47EC9639A14271EBF0.mof
  2⤵
  PID:1624
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4EA32ABEBFE9B0697C450693940F1673.mof
  2⤵
  PID:5000
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4EB0E9424AFEF8E5D68D78C36620E253.mof
  2⤵
  PID:4368
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4EF05404F86FAFD7EDAB80262970585E.mof
  2⤵
  PID:1912
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4F4AD4093274B7A7FF28CDBD5AB3032C.mof
  2⤵
  PID:3340
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4F7C501B863AFCFCE3AE018AC07191F9.mof
  2⤵
  PID:5008
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\50B277BD2B3C116DBC38CC2D1EB7D427.mof
  2⤵
  PID:4996
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\50B5B38557DC642A4BC7282A0C8C4AA2.mof
  2⤵
  PID:4348
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\50E7AE0A90085737B8F04CDF9460DBEA.mof
  2⤵
  PID:668
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\50FC9EDA1918FBC981D89D0390125308.mof
  2⤵
  PID:2636
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\51588E4AC5E59453F329EBF5A215ACEC.mof
  2⤵
  PID:1400
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\517ED769F6478117021531216F609C27.mof
  2⤵
  PID:1500
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\51B9369C31C913E211D29AA4D91D4747.mof
  2⤵
  PID:3212
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5232DBC5D3EE8EBCEF6CCB4213399B9A.mof
  2⤵
  PID:1108
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5241D310A7F9B793E5E9EC39E65B7B44.mof
  2⤵
  PID:5044
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\52DF56A47A08AD380228C64827D24548.mof
  2⤵
  PID:1848
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\531218B396F02B35771F8AD1965A574A.mof
  2⤵
  PID:1432
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5312CF8C0E1EE738404F2A6E526EB4D0.mof
  2⤵
  PID:4312
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\536E5C7121076D413E48A32D54E26EA3.mof
  2⤵
  PID:384
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\53C2FC20B111DA763C20CFDAF7624A26.mof
  2⤵
  PID:804
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\53C824D10974E3D64CB1537B2770F4AD.mof
  2⤵
  PID:3876
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\553C27B9785BAD9A0C6E81613DD3FCB4.mof
  2⤵
  PID:1820
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\554B4465433438F4FF7B8D7AB981B555.mof
  2⤵
  PID:3700
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\555E8EEF9A21E3F26C263316A778E15F.mof
  2⤵
  PID:2340
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\55B1D144C8C3666C687E454A80906ECE.mof
  2⤵
  PID:512
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\563EAFFF3BF92CE3F60EAEE4EB18BBB3.mof
  2⤵
  PID:3540
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\568257F0F7CB54EB479EA5E39A4ACD57.mof
  2⤵
  PID:420
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\570CEA2150DFE3FABA503A81C35963D1.mof
  2⤵
  PID:1756
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5731B1CD62369AA3EF2B861A7BACB2C5.mof
  2⤵
  PID:2820

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\wbem\Performance\WmiApRpl.h

Filesize
435B

MD5
1cc4c3b9bb1657be77939f0b565e315d

SHA1
6a7ff123e96da6f7fb0fd9b7d7600bfc3540ee25

SHA256
9eb3cbb0f65809845890159efdab0ff5a910da34252e7d5cff2929cc2fa6ab6a

SHA512
fd461013902cf1f89485efc1cbdd07bc294253a1b60d9950e27cdb12937cbb39e3491ddb5dfdc4386df87fa44ee4ca9b3be01d7048850337ff9d68156eea78ef

Download Submit
C:\Windows\System32\wbem\Performance\WmiApRpl.ini

Filesize
1KB

MD5
a656a56b1fda4aa28383160ba6ebea3b

SHA1
bda09bb6f5f28f5470147113e93d46a02853dfe1

SHA256
639cf8acd1fe25a19b9841c9262b4227fcc33bb6658919d31b10ab849253b318

SHA512
fbc74c738bbebb6265688ebec7a6bce18f5a59e98a5417701e5565d5c6e1f8c350da000005fc7441f8a4622043d4a8fd62efe54308cfa59f4ce9ed027dadebae

Download Submit