4ee85019c1ae4d1abf8ea1908f635339d0a4af88ba185dc30e1104e68c7c902e

Resubmissions

10/07/2024, 02:30

240710-czl2gstcke 10

20/06/2024, 12:39

20/06/2024, 12:36

20/06/2024, 12:35

20/06/2024, 12:33

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cleaners/cleaner.bat
Size

3.2MB
MD5

0bef79984a785d284e225d3576239802
SHA1

0a759883c5cd8822f269eca241c4dc8c43d86220
SHA256

33da2dd5c5ef66be92bc9024f58e5b967746ff2f4b693efe68e98df7da6d4c80
SHA512

d5d5aa1e7b3a46af0fd2f94eb5c45c451d3dd3a99debfba1fcda4f704dd3bb54d15fe7d4cda84fa5ca049a81115de73a583aa32da35db862ff6f00799f7700ad
SSDEEP

49152:ZTOB4ynYygOvXsMruROZyUpWvWOLZkOReK:1

Score

10^/10

evasion execution persistence privilege_escalation

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Winmgmt\Parameters\ServiceDll = "%SystemRoot%\\system32\\wbem\\WMIsvc.dll"	regsvr32.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\system32\wbem\AutoRecover\FEDCF0C5E194376CBD64963452F9A8E1.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\973858E80F1DA2CA957FCCD54F9B65F4.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\D4E651D50F9B5DE947EA17194DE5719B.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\0946F7B504CF11D8AC0C50C34575BF57.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\0EB4359F7C410C964ED950874BB9E7C3.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\39C2F82384C755EF218F0F19FE619F80.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\1BB509370478719A04E9FD51BAFC9C0A.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\1E50D6323FD92D3DDCD8B52937074C9C.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\D0F718F60C57DAA7F0D86AE75EADAEEC.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\ECCED369BDF461A1B105963C3F3FD5B6.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\D04911ACFCA47446EFCB01393D3C3F8B.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\C2928ED38478DF99E69563F6607993C8.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\BD880669B37B14C73AF9195DB3A20F28.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\2C6A80FDED75E46CA733976E382559CC.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\7E4466504BEF670F4735843135B2ADFD.mof	Process not Found
File created	C:\Windows\system32\perfh00A.dat	regsvr32.exe
File created	C:\Windows\system32\wbem\AutoRecover\DC999686F8B85B326CEDFA199DD07F72.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\D5D6BB480217F9DCEC357F57222DEE59.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\3EDC3F5A95D3A0FDFE1F87C15DC9636A.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\96C4492B2F623E297E04B2F6CF9F7742.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\45F82D7BEBF660E789CBB38E663AD3F8.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\933D58AD5EED665C88F25A10903603B4.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\2174D8A485DAE80D1D90B7E5430F164F.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\DBC6F0EF775A987FD56E1909BCBEF6E4.mof	Process not Found
File created	C:\Windows\system32\wbem\AutoRecover\17FFDF80330024B07853138CB5AFAD9C.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\32EDB8E30FABC609FF04D61A0874F112.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\34F74A09DC6EC891A0EF2FDC2C082805.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\57AA61D3785E65A5842120B541E7D9E5.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\F8FBB3675EF3FB69283C9C42186E20E3.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\42355E8E232EF8CADD187D531DEC55DD.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\9635AD802704D06E888CAB79ECF17188.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\86AD2F7FA2D484F977B368469AD09098.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\F74C0CFA45BE5D905C3ADF2EC8BF9EA1.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\5B4B75183FE97E2D052EE74E519015F4.mof	Process not Found
File created	C:\Windows\system32\wbem\AutoRecover\BE81B2C0741907C1FC1C42B6223E59AD.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\9C140C33046B319785ECCE52FD6717E4.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\A9F96C1EC64E86A95A624C07320C0B75.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\D03C2AE022DEF1F4FA41826F3F82F3F6.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\62A9C7ABD6008F339A20C2B2F0521227.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\47C87AFF6DBF51980E7CA3E36C38B86B.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\6F2F026E4006B8443E4D6AD8DC43B8EF.mof	Process not Found
File opened for modification	C:\Windows\system32\wbem\AutoRecover\738F657B98502C3F07A67FDC669EB8AB.mof	Process not Found
File created	C:\Windows\system32\perfh011.dat	regsvr32.exe
File created	C:\Windows\system32\wbem\AutoRecover\A851D3BCFCE697C24E7112D24AFBE9E3.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\F2706BA4C07E5AB5EEB052D733D5337F.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\5EEDA94CFDE5199EA1EF430DC0E5860D.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\25ADD83841BB3A63F85B9A5E81B12C91.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\2F58A8772B1579A81054587DFC0A68CE.mof	Process not Found
File created	C:\Windows\system32\PerfStringBackup.TMP	regsvr32.exe
File created	C:\Windows\system32\wbem\AutoRecover\D6CC4256426FE295FECE980398C2687C.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\AB3EC8C66F16D96107223E8469ACA854.mof	Process not Found
File created	C:\Windows\system32\wbem\AutoRecover\37134956F76D3C30C9BE0C12571CAF43.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\2CFB5B149FA396D1AEA5F89B1C5A8D81.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\1E97A05DE566CF6EEAE29D0634E27392.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\A0D47955B735EA7139A36C3B423FCAFE.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\344FC63DB23C44805CA5C08EAC26522F.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\2131A60D40501A974386B9E42E4FC201.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\6984662FE0A2CC634E49E525D17376AA.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\1D770486C382CDC6F1CD832E1D040FEF.mof	Process not Found
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini	regsvr32.exe
File created	C:\Windows\system32\wbem\AutoRecover\BCC94A7A999D0AA4B4AA0918494633EA.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\1B4DC6A5DC53D07F3B04E6FE4BEBFE23.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\0A9DBC92D554324656F61F9862679F27.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\7241013F16C44EDD604A449D2009916E.mof	mofcomp.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.h	regsvr32.exe
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.h	regsvr32.exe
File created	C:\Windows\inf\WmiApRpl\0009\WmiApRpl.ini	regsvr32.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2568	sc.exe
2584	sc.exe
2628	sc.exe
2340	sc.exe
3012	sc.exe
2836	sc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Process not Found

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	Process not Found

Kills process with taskkill 13 IoCs

evasion

pid	Process
2152	taskkill.exe
2852	taskkill.exe
2656	taskkill.exe
1768	taskkill.exe
2468	taskkill.exe
3056	taskkill.exe
2244	taskkill.exe
2820	taskkill.exe
2608	taskkill.exe
2520	taskkill.exe
2848	taskkill.exe
2808	taskkill.exe
2344	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemObjectPath.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8BEBCE8B-1AF0-4323-8B4D-36994567CAE1}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{3DD82D10-E6F1-11D2-B139-00105A1F77A1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92B9503D-19C3-4181-9F42-57FFC1A4BF37}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{484E3ECE-1F81-4591-B9D4-943BA13B609D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{04788120-12C2-498D-83C1-A7D92E677AC6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4AF3F4A4-06C8-4B79-A523-633CC65CE297}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F55C5B4C-517D-11D1-AB57-00C04FD9159E}\NotInsertable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WbemScripting.SWbemDateTime.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DF2373F5-EFB2-475C-AD58-3102D61967D4}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE61E841-65BC-11D0-B6BD-00AA003240C7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F72CC7A-74A0-45B4-909C-14FB8186DD7E}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72970BEB-81F8-46D4-B220-D743F4E49C95}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A0DC377-A9D3-41CB-BD69-AE1FDAF2DC68}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A504CA2-CA90-4731-87BC-6E99CA2019AF}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F0E4EDDE-475A-498A-93D7-D4347F68A8F3}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{580ACAF8-FA1C-11D0-AD72-00C04FD8FDFF}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8EC9CB1-B135-4F10-8B1B-C7188BB0D186}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8BEBCE8B-1AF0-4323-8B4D-36994567CAE1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7C3453E-1F1C-48CD-AFE6-CFF2A937D337}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED999FF5-223A-4052-8ECE-0B10C8DBAA39}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{4FA18276-912A-11D1-AD9B-00C04FD8FDFF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{734AC5AE-68E1-4FB5-B8DA-1D92F7FC6661}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23B77E99-5C2D-482D-A795-62CA3AE5B673}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C71566F2-561E-11D1-AD87-00C04FD8FDFF}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WbemScripting.SWbemRefresher.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2CBCB87-9C07-4523-A78F-061499C83987}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1108BE51-F58A-4CDA-BB99-7A0227D11D5E}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60E512D4-C47B-11D2-B338-00105A1F4AAF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{29B5828C-CAB9-11D2-B35C-00105A1F8177}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{1860E246-E924-4F73-B2C5-93E0577E3AA1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WbemScripting.SWbemLocator	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WbemScripting.SWbemSink	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JobObjIOActgInfoProv.JobObjIOActgInfoProv\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD1ABFC8-6C5E-4A8D-B90B-2A3B153B886D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\classes\CLSID\{BE0A9830-2B8B-11D1-A949-0060181EBBAD}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FD4F53E0-65DC-11D1-AB64-00C04FD9159E}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1860E246-E924-4F73-B2C5-93E0577E3AA1}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemObjectPath\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1E9C5B2-F59B-11D2-B362-00105A1F8177}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4590F812-1D3A-11D0-891F-00AA004B2E24}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{94F6FF32-37C3-11D2-8840-00104B2AFB46}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FD4F53E0-65DC-11D1-AB64-00C04FD9159E}\NotInsertable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMICntl.WMISnapin\ = "WMISnapin Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DC923725-0FDD-45E1-AE74-EA09182E739B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5F099F16-6A6E-4BBC-8BD8-98F3221D58C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A1B9E03C-3226-11D2-883E-00104B2AFB46}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	regsvr32.exe

Modifies registry key 1 TTPs 29 IoCs

Modify Registry

T1112

pid	Process
2372	Process not Found
2348	Process not Found
1044	Process not Found
2328	Process not Found
1504	Process not Found
1072	Process not Found
864	Process not Found
2604	Process not Found
2324	Process not Found
2444	Process not Found
2148	Process not Found
1480	Process not Found
1452	Process not Found
1352	Process not Found
2068	Process not Found
2856	Process not Found
1272	Process not Found
2236	Process not Found
2056	Process not Found
1752	Process not Found
1456	Process not Found
2076	Process not Found
1660	Process not Found
2004	Process not Found
2796	Process not Found
1068	Process not Found
2548	Process not Found
2904	Process not Found
1052	Process not Found

Runs net.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 48 IoCs

pid	Process
780	regsvr32.exe
888	regsvr32.exe
1072	regsvr32.exe
808	regsvr32.exe
1272	regsvr32.exe
1964	regsvr32.exe
976	regsvr32.exe
1948	regsvr32.exe
1452	regsvr32.exe
1032	regsvr32.exe
1348	regsvr32.exe
1932	regsvr32.exe
1924	regsvr32.exe
1308	regsvr32.exe
2788	regsvr32.exe
2760	regsvr32.exe
684	regsvr32.exe
2860	regsvr32.exe
2536	regsvr32.exe
1288	regsvr32.exe
2800	regsvr32.exe
2504	regsvr32.exe
2904	regsvr32.exe
2916	regsvr32.exe
2884	regsvr32.exe
2144	regsvr32.exe
2128	regsvr32.exe
856	regsvr32.exe
1996	regsvr32.exe
2792	regsvr32.exe
2768	regsvr32.exe
2652	regsvr32.exe
1572	regsvr32.exe
1576	regsvr32.exe
1684	regsvr32.exe
1688	regsvr32.exe
2336	regsvr32.exe
2940	regsvr32.exe
2456	regsvr32.exe
2016	regsvr32.exe
2352	regsvr32.exe
2344	regsvr32.exe
1064	regsvr32.exe
2640	regsvr32.exe
2648	regsvr32.exe
2424	regsvr32.exe
2748	regsvr32.exe
2160	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2468	taskkill.exe
Token: SeDebugPrivilege	2344	taskkill.exe
Token: SeDebugPrivilege	2520	taskkill.exe
Token: SeDebugPrivilege	3056	taskkill.exe
Token: SeDebugPrivilege	2244	taskkill.exe
Token: SeDebugPrivilege	2152	taskkill.exe
Token: SeDebugPrivilege	2848	taskkill.exe
Token: SeDebugPrivilege	2820	taskkill.exe
Token: SeDebugPrivilege	2852	taskkill.exe
Token: SeDebugPrivilege	2808	taskkill.exe
Token: SeDebugPrivilege	2656	taskkill.exe
Token: SeDebugPrivilege	1768	taskkill.exe
Token: SeDebugPrivilege	2608	taskkill.exe
Token: SeSecurityPrivilege	2872	mofcomp.exe
Token: SeSecurityPrivilege	2548	mofcomp.exe
Token: SeSecurityPrivilege	3004	mofcomp.exe
Token: SeSecurityPrivilege	1084	mofcomp.exe
Token: SeSecurityPrivilege	760	mofcomp.exe
Token: SeSecurityPrivilege	1264	mofcomp.exe
Token: SeSecurityPrivilege	2072	mofcomp.exe
Token: SeSecurityPrivilege	2008	mofcomp.exe
Token: SeSecurityPrivilege	560	mofcomp.exe
Token: SeSecurityPrivilege	976	mofcomp.exe
Token: SeSecurityPrivilege	1924	mofcomp.exe
Token: SeSecurityPrivilege	2752	mofcomp.exe
Token: SeSecurityPrivilege	1620	mofcomp.exe
Token: SeSecurityPrivilege	1168	mofcomp.exe
Token: SeSecurityPrivilege	2260	mofcomp.exe
Token: SeSecurityPrivilege	1692	mofcomp.exe
Token: SeSecurityPrivilege	1304	mofcomp.exe
Token: SeSecurityPrivilege	944	mofcomp.exe
Token: SeSecurityPrivilege	1088	mofcomp.exe
Token: SeSecurityPrivilege	1396	mofcomp.exe
Token: SeSecurityPrivilege	2948	mofcomp.exe
Token: SeSecurityPrivilege	3064	mofcomp.exe
Token: SeSecurityPrivilege	1320	mofcomp.exe
Token: SeSecurityPrivilege	1628	mofcomp.exe
Token: SeSecurityPrivilege	872	mofcomp.exe
Token: SeSecurityPrivilege	2476	mofcomp.exe
Token: SeSecurityPrivilege	2168	mofcomp.exe
Token: SeSecurityPrivilege	3032	mofcomp.exe
Token: SeSecurityPrivilege	2940	mofcomp.exe
Token: SeSecurityPrivilege	2344	mofcomp.exe
Token: SeSecurityPrivilege	2424	mofcomp.exe
Token: SeSecurityPrivilege	2836	mofcomp.exe
Token: SeSecurityPrivilege	2564	mofcomp.exe
Token: SeSecurityPrivilege	2620	mofcomp.exe
Token: SeSecurityPrivilege	2548	mofcomp.exe
Token: SeSecurityPrivilege	3004	mofcomp.exe
Token: SeSecurityPrivilege	1908	mofcomp.exe
Token: SeSecurityPrivilege	2616	mofcomp.exe
Token: SeSecurityPrivilege	2496	mofcomp.exe
Token: SeSecurityPrivilege	780	mofcomp.exe
Token: SeSecurityPrivilege	1928	mofcomp.exe
Token: SeSecurityPrivilege	1940	mofcomp.exe
Token: SeSecurityPrivilege	2860	mofcomp.exe
Token: SeSecurityPrivilege	2916	mofcomp.exe
Token: SeSecurityPrivilege	2624	mofcomp.exe
Token: SeSecurityPrivilege	1484	mofcomp.exe
Token: SeSecurityPrivilege	1776	mofcomp.exe
Token: SeSecurityPrivilege	1492	mofcomp.exe
Token: SeSecurityPrivilege	668	mofcomp.exe
Token: SeSecurityPrivilege	1220	mofcomp.exe
Token: SeSecurityPrivilege	1384	mofcomp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2464	2484	cmd.exe	31
PID 2484 wrote to memory of 2464	2484	cmd.exe	31
PID 2484 wrote to memory of 2464	2484	cmd.exe	31
PID 2484 wrote to memory of 2468	2484	cmd.exe	32
PID 2484 wrote to memory of 2468	2484	cmd.exe	32
PID 2484 wrote to memory of 2468	2484	cmd.exe	32
PID 2484 wrote to memory of 2344	2484	cmd.exe	34
PID 2484 wrote to memory of 2344	2484	cmd.exe	34
PID 2484 wrote to memory of 2344	2484	cmd.exe	34
PID 2484 wrote to memory of 2520	2484	cmd.exe	35
PID 2484 wrote to memory of 2520	2484	cmd.exe	35
PID 2484 wrote to memory of 2520	2484	cmd.exe	35
PID 2484 wrote to memory of 3056	2484	cmd.exe	36
PID 2484 wrote to memory of 3056	2484	cmd.exe	36
PID 2484 wrote to memory of 3056	2484	cmd.exe	36
PID 2484 wrote to memory of 2244	2484	cmd.exe	37
PID 2484 wrote to memory of 2244	2484	cmd.exe	37
PID 2484 wrote to memory of 2244	2484	cmd.exe	37
PID 2484 wrote to memory of 2152	2484	cmd.exe	38
PID 2484 wrote to memory of 2152	2484	cmd.exe	38
PID 2484 wrote to memory of 2152	2484	cmd.exe	38
PID 2484 wrote to memory of 2848	2484	cmd.exe	39
PID 2484 wrote to memory of 2848	2484	cmd.exe	39
PID 2484 wrote to memory of 2848	2484	cmd.exe	39
PID 2484 wrote to memory of 2820	2484	cmd.exe	40
PID 2484 wrote to memory of 2820	2484	cmd.exe	40
PID 2484 wrote to memory of 2820	2484	cmd.exe	40
PID 2484 wrote to memory of 2852	2484	cmd.exe	41
PID 2484 wrote to memory of 2852	2484	cmd.exe	41
PID 2484 wrote to memory of 2852	2484	cmd.exe	41
PID 2484 wrote to memory of 2808	2484	cmd.exe	42
PID 2484 wrote to memory of 2808	2484	cmd.exe	42
PID 2484 wrote to memory of 2808	2484	cmd.exe	42
PID 2484 wrote to memory of 2656	2484	cmd.exe	43
PID 2484 wrote to memory of 2656	2484	cmd.exe	43
PID 2484 wrote to memory of 2656	2484	cmd.exe	43
PID 2484 wrote to memory of 1768	2484	cmd.exe	44
PID 2484 wrote to memory of 1768	2484	cmd.exe	44
PID 2484 wrote to memory of 1768	2484	cmd.exe	44
PID 2484 wrote to memory of 2608	2484	cmd.exe	45
PID 2484 wrote to memory of 2608	2484	cmd.exe	45
PID 2484 wrote to memory of 2608	2484	cmd.exe	45
PID 2484 wrote to memory of 2568	2484	cmd.exe	46
PID 2484 wrote to memory of 2568	2484	cmd.exe	46
PID 2484 wrote to memory of 2568	2484	cmd.exe	46
PID 2484 wrote to memory of 2584	2484	cmd.exe	47
PID 2484 wrote to memory of 2584	2484	cmd.exe	47
PID 2484 wrote to memory of 2584	2484	cmd.exe	47
PID 2484 wrote to memory of 2628	2484	cmd.exe	48
PID 2484 wrote to memory of 2628	2484	cmd.exe	48
PID 2484 wrote to memory of 2628	2484	cmd.exe	48
PID 2484 wrote to memory of 2340	2484	cmd.exe	49
PID 2484 wrote to memory of 2340	2484	cmd.exe	49
PID 2484 wrote to memory of 2340	2484	cmd.exe	49
PID 2484 wrote to memory of 3012	2484	cmd.exe	50
PID 2484 wrote to memory of 3012	2484	cmd.exe	50
PID 2484 wrote to memory of 3012	2484	cmd.exe	50
PID 2484 wrote to memory of 3008	2484	cmd.exe	51
PID 2484 wrote to memory of 3008	2484	cmd.exe	51
PID 2484 wrote to memory of 3008	2484	cmd.exe	51
PID 3008 wrote to memory of 1760	3008	net.exe	52
PID 3008 wrote to memory of 1760	3008	net.exe	52
PID 3008 wrote to memory of 1760	3008	net.exe	52
PID 2484 wrote to memory of 264	2484	cmd.exe	53

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\cleaners\cleaner.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:2464
- C:\Windows\system32\taskkill.exe
  taskkill /f /im epicgameslauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2468
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2520
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3056
- C:\Windows\system32\taskkill.exe
  taskkill /f /im OneDrive.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2244
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2152
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EpicGamesLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Windows\system32\taskkill.exe
  taskkill /f /im UnrealCEFSubProcess.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\Windows\system32\taskkill.exe
  taskkill /f /im CEFProcess.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EasyAntiCheat.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2808
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEService.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEServices.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1768
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BattleEye.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\system32\sc.exe
  Sc stop EasyAntiCheat
  2⤵
  - Launches sc.exe
  PID:2568
- C:\Windows\system32\sc.exe
  Sc stop FortniteClient-Win64-Shipping_EAC
  2⤵
  - Launches sc.exe
  PID:2584
- C:\Windows\system32\sc.exe
  Sc stop BattleEye
  2⤵
  - Launches sc.exe
  PID:2628
- C:\Windows\system32\sc.exe
  Sc stop FortniteClient-Win64-Shipping_BE
  2⤵
  - Launches sc.exe
  PID:2340
- C:\Windows\system32\sc.exe
  sc config winmgmt start= disabled
  2⤵
  - Launches sc.exe
  PID:3012
- C:\Windows\system32\net.exe
  net stop winmgmt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop winmgmt /y
    3⤵
    PID:1760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b *.dll
  2⤵
  PID:264
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s cimwin32.dll
  2⤵
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:780
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s dsprov.dll
  2⤵
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:888
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s esscli.dll
  2⤵
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1072
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s fastprox.dll
  2⤵
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:808
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s KrnlProv.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1272
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s MMFUtil.dll
  2⤵
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1964
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s mofd.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:976
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s mofinstall.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1948
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s msiprov.dll
  2⤵
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1452
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s NCProv.dll
  2⤵
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1032
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s ntevt.dll
  2⤵
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1348
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s PolicMan.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1932
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s RacWmiProv.dll
  2⤵
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1924
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s repdrvfs.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1308
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s ServDeps.dll
  2⤵
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2788
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s SMTPCons.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2760
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s stdprov.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:684
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s vdswmi.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2860
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s viewprov.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2536
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s vsswmi.dll
  2⤵
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1288
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemcntl.dll
  2⤵
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2800
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemcons.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2504
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemcore.dll
  2⤵
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2904
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemdisp.dll
  2⤵
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2916
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemess.dll
  2⤵
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2884
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemprox.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2144
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemsvc.dll
  2⤵
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2128
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s Win32_EncryptableVolume.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:856
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s Win32_Tpm.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1996
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WinMgmtR.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2792
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WmiApRes.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2768
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WmiApRpl.dll
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2652
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WMICOOKR.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1572
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WmiDcPrv.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1576
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wmipcima.dll
  2⤵
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1684
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wmipdfs.dll
  2⤵
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1688
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wmipdskq.dll
  2⤵
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2336
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WmiPerfClass.dll
  2⤵
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2940
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WmiPerfInst.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2456
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WMIPICMP.dll
  2⤵
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2016
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WMIPIPRT.dll
  2⤵
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2352
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WMIPJOBJ.dll
  2⤵
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2344
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wmiprov.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1064
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WmiPrvSD.dll
  2⤵
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2640
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WMIPSESS.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2648
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WMIsvc.dll
  2⤵
  - Server Software Component: Terminal Services DLL
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2424
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wmitimep.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2748
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wmiutils.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2160
- C:\Windows\System32\wbem\WmiPrvSE.exe
  wmiprvse /regserver
  2⤵
  PID:2668
- C:\Windows\System32\wbem\WinMgmt.exe
  winmgmt /regserver
  2⤵
  PID:2272
- C:\Windows\system32\sc.exe
  sc config winmgmt start= auto
  2⤵
  - Launches sc.exe
  PID:2836
- C:\Windows\system32\net.exe
  net start winmgmt
  2⤵
  PID:2700
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start winmgmt
    3⤵
    PID:2696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /s /b *.mof *.mfl
  2⤵
  PID:2832
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\aaclient.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AuditRsop.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2548
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\authfwcfg.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\auxiliarydisplayapi.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1084
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\auxiliarydisplaycpl.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:760
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\auxiliarydisplaydriverlib.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1264
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\auxiliarydisplayservices.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\bcd.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\BthMtpEnum.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:560
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\cimdmtf.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:976
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\cimwin32.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1924
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\cli.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\cliegaliases.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1620
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\DevicePairingHandler.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1168
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\dimsjob.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2260
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\dimsroam.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\dot3.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1304
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\drvinst.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:944
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\DShowRdpFilter.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1088
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\dsprov.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1396
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\eaimeapi.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fdPHost.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3064
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fdrespub.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1320
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fdSSDP.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1628
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fdWNet.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:872
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fdWSD.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2476
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\filetrace.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2168
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\firewallapi.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\FunDisc.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fwcfg.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\hbaapi.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\hnetcfg.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\IMAPIv2-Base.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2564
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\IMAPIv2-FileSystemSupport.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\IMAPIv2-LegacyShim.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2548
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\interop.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\IPBusEnum.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1908
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ipsecsvc.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\irda.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2496
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\irmon.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:780
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\iscsidsc.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\iscsihba.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\iscsiprf.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\iscsirem.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2916
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\kerberos.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\krnlprov.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1484
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\l2gpstore.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\L2SecHC.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1492
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\lltdio.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:668
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\lltdsvc.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1220
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\lsasrv.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1384
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mblctr.mof
  2⤵
  PID:588
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Microsoft-Windows-OfflineFiles.mof
  2⤵
  PID:1992
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Microsoft-Windows-Remote-FileSystem.mof
  2⤵
  PID:1660
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mmc.mof
  2⤵
  PID:324
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mountmgr.mof
  2⤵
  PID:2156
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mpsdrv.mof
  2⤵
  PID:2116
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mpssvc.mof
  2⤵
  PID:1696
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\msfeeds.mof
  2⤵
  PID:1548
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\msfeedsbs.mof
  2⤵
  PID:1600
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\msi.mof
  2⤵
  - Drops file in System32 directory
  PID:2352
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\msiscsi.mof
  2⤵
  PID:2276
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mstsc.mof
  2⤵
  PID:2828
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mstscax.mof
  2⤵
  PID:2684
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\msv1_0.mof
  2⤵
  PID:2596
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mswmdm.mof
  2⤵
  PID:2628
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NAPCLIENTPROV.MOF
  2⤵
  PID:1412
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NAPCLIENTSCHEMA.MOF
  2⤵
  PID:524
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\nci.mof
  2⤵
  PID:2064
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ncprov.mof
  2⤵
  PID:2308
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ncsi.mof
  2⤵
  PID:808
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ndistrace.mof
  2⤵
  PID:1360
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\netprofm.mof
  2⤵
  PID:976
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\networkitemfactory.mof
  2⤵
  PID:2536
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\networkmap.mof
  2⤵
  PID:692
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\newdev.mof
  2⤵
  PID:2504
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\nlasvc.mof
  2⤵
  PID:2792
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\nlsvc.mof
  2⤵
  PID:444
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\nshipsec.mof
  2⤵
  PID:1720
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ntevt.mof
  2⤵
  - Drops file in System32 directory
  PID:980
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ntfs.mof
  2⤵
  PID:1808
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\OfflineFilesWmiProvider.mof
  2⤵
  PID:1536
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\OfflineFilesWmiProvider_Uninstall.mof
  2⤵
  PID:1088
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\onex.mof
  2⤵
  PID:588
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\p2p-collab.mof
  2⤵
  PID:2736
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\p2p-crp.mof
  2⤵
  PID:1624
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\p2p-mesh.mof
  2⤵
  PID:324
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\p2p-pnrp.mof
  2⤵
  PID:2156
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\partmgr.mof
  2⤵
  PID:2116
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\pnpsetup.mof
  2⤵
  PID:1696
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\PNPXAssoc.mof
  2⤵
  PID:1548
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\PolicMan.mof
  2⤵
  - Drops file in System32 directory
  PID:1600
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\polproc.mof
  2⤵
  PID:2352
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\polprocl.mof
  2⤵
  PID:2276
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\polprou.mof
  2⤵
  PID:2828
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\polstore.mof
  2⤵
  PID:2544
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\portabledeviceapi.mof
  2⤵
  PID:2936
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\portabledeviceclassextension.mof
  2⤵
  PID:1296
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\portabledeviceconnectapi.mof
  2⤵
  PID:2060
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\portabledevicetypes.mof
  2⤵
  PID:1044
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\portabledevicewiacompat.mof
  2⤵
  PID:2616
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\portabledevicewmdrm.mof
  2⤵
  PID:2064
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\powermeterprovider.mof
  2⤵
  PID:1664
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\powerpolicyprovider.mof
  2⤵
  - Drops file in System32 directory
  PID:1348
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ppcRsopCompSchema.mof
  2⤵
  PID:296
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ppcRsopUserSchema.mof
  2⤵
  PID:1308
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\PrintFilterPipelineSvc.mof
  2⤵
  PID:2988
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\profileassociationprovider.mof
  2⤵
  PID:2144
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\qmgr.mof
  2⤵
  PID:864
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\RacWmiProv.mof
  2⤵
  - Drops file in System32 directory
  PID:1380
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\rdpcore.mof
  2⤵
  PID:1776
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\rdpencom.mof
  2⤵
  PID:1676
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\rdpendp.mof
  2⤵
  PID:768
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\rdpinit.mof
  2⤵
  PID:1996
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\rdpshell.mof
  2⤵
  PID:2228
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\regevent.mof
  2⤵
  PID:2196
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\rsop.mof
  2⤵
  PID:1708
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\rspndr.mof
  2⤵
  PID:1624
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\samsrv.mof
  2⤵
  PID:324
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\scersop.mof
  2⤵
  PID:2156
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\schannel.mof
  2⤵
  PID:740
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\SchedSvc.mof
  2⤵
  PID:1688
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\scm.mof
  2⤵
  - Drops file in System32 directory
  PID:2892
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\scrcons.mof
  2⤵
  PID:2668
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\sdbus.mof
  2⤵
  PID:2664
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\secrcw32.mof
  2⤵
  PID:2700
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\SensorsClassExtension.mof
  2⤵
  PID:2812
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\sensorscpl.mof
  2⤵
  PID:2848
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ServiceModel.mof
  2⤵
  PID:2628
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ServiceModel35.mof
  2⤵
  PID:2060
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\services.mof
  2⤵
  PID:1068
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\setupapi.mof
  2⤵
  PID:2008
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\smtpcons.mof
  2⤵
  PID:1964
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\sppwmi.mof
  2⤵
  - Drops file in System32 directory
  PID:1928
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\sr.mof
  2⤵
  - Drops file in System32 directory
  PID:1456
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ssdpsrv.mof
  2⤵
  PID:2788
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\sstpsvc.mof
  2⤵
  PID:2444
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\stortrace.mof
  2⤵
  PID:2208
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\subscrpt.mof
  2⤵
  PID:1568
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\system.mof
  2⤵
  - Drops file in System32 directory
  PID:2804
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\tcpip.mof
  2⤵
  PID:1776
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\tsallow.mof
  2⤵
  PID:1676
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\tscfgwmi.mof
  2⤵
  PID:768
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\tsmf.mof
  2⤵
  PID:2376
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\tspkg.mof
  2⤵
  PID:2228
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\umb.mof
  2⤵
  PID:3052
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\umbus.mof
  2⤵
  PID:2736
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\umpass.mof
  2⤵
  PID:1708
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\umpnpmgr.mof
  2⤵
  PID:2092
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\UserProfileWmiProvider.mof
  2⤵
  PID:1772
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\vds.mof
  2⤵
  PID:2296
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\vss.mof
  2⤵
  PID:2404
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WBEMCons.mof
  2⤵
  PID:1576
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wcncsvc.mof
  2⤵
  PID:2648
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Wdf01000.mof
  2⤵
  PID:2816
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Wdf01000Uninstall.mof
  2⤵
  PID:2872
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wdigest.mof
  2⤵
  PID:2556
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WFAPIGP.mof
  2⤵
  PID:3012
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WFP.MOF
  2⤵
  PID:1224
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wfs.mof
  2⤵
  PID:664
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WgxInstalledGame.mof
  2⤵
  PID:1632
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\whqlprov.mof
  2⤵
  PID:1528
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\win32_encryptablevolume.mof
  2⤵
  - Drops file in System32 directory
  PID:2496
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Win32_EncryptableVolumeUninstall.mof
  2⤵
  PID:1664
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\win32_printer.mof
  2⤵
  - Drops file in System32 directory
  PID:1348
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Win32_Tpm.mof
  2⤵
  PID:1932
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wininit.mof
  2⤵
  PID:1620
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\winipsec.mof
  2⤵
  PID:828
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\winlogon.mof
  2⤵
  PID:1480
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Winsat.mof
  2⤵
  PID:580
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WinsatUninstall.mof
  2⤵
  PID:1492
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wlan.mof
  2⤵
  PID:2804
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WLanHC.mof
  2⤵
  PID:568
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmi.mof
  2⤵
  PID:1676
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipcima.mof
  2⤵
  PID:1088
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipdfs.mof
  2⤵
  PID:3064
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipdskq.mof
  2⤵
  PID:2172
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WmiPerfClass.mof
  2⤵
  - Drops file in System32 directory
  PID:2756
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WmiPerfInst.mof
  2⤵
  PID:1624
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipicmp.mof
  2⤵
  PID:2472
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipiprt.mof
  2⤵
  PID:2168
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipjobj.mof
  2⤵
  PID:2016
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipsess.mof
  2⤵
  - Drops file in System32 directory
  PID:2272
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmitimep.mof
  2⤵
  PID:2892
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WMI_Tracing.mof
  2⤵
  PID:2868
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmp.mof
  2⤵
  PID:2564
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmpnetwk.mof
  2⤵
  PID:2824
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpc.mof
  2⤵
  PID:2340
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpcsprov.mof
  2⤵
  PID:2936
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpcuninst.mof
  2⤵
  PID:760
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpdbusenum.mof
  2⤵
  PID:1908
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpdcomp.mof
  2⤵
  PID:532
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpdfs.mof
  2⤵
  PID:2324
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpdmtp.mof
  2⤵
  PID:472
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpdshext.mof
  2⤵
  PID:1272
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WPDShServiceObj.mof
  2⤵
  PID:1080
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpdsp.mof
  2⤵
  PID:3020
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpdwcn.mof
  2⤵
  PID:2776
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpd_ci.mof
  2⤵
  PID:1656
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wscenter.mof
  2⤵
  PID:2412
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wscmisetup.mof
  2⤵
  PID:608
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WSDApi.mof
  2⤵
  PID:1352
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WsmAuto.mof
  2⤵
  PID:1700
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WUDFx.mof
  2⤵
  PID:1712
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WUDFxUninstall.mof
  2⤵
  PID:2376
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wzcdlg.mof
  2⤵
  PID:2224
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\xwizards.mof
  2⤵
  PID:3064
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0309255AB46E3D6CAE2056340225DDA9.mof
  2⤵
  PID:2932
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\033B1D9B4216B475E81B22B7067A7D1D.mof
  2⤵
  PID:2004
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\038145628EF306DCD8FD7686C52BD131.mof
  2⤵
  PID:1512
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\042E30CED0EE9B02641D0960BD5D6854.mof
  2⤵
  PID:2476
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0471EE6D56711CCAFEBCF01C57F9159A.mof
  2⤵
  PID:688
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\04D5961EC17DF68D8407B772F9C7DF98.mof
  2⤵
  PID:2448
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\04E8A5FE2DA94218C402D8821D819F56.mof
  2⤵
  PID:1576
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\050F60C5DEC201482BC14E317519A6F6.mof
  2⤵
  PID:2648
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\06DAE99BF3D429EE4946D4BF8BFF8C96.mof
  2⤵
  PID:1912
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\08BF1AF6E61B8456B1D5B42769C3412C.mof
  2⤵
  PID:2240
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\08D51E934D3BA7EB8F60B6E90B6F1511.mof
  2⤵
  PID:2680
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\097C63F5D2B8C4182BEB625A8287192D.mof
  2⤵
  PID:2848
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\09A251213F70FF824ABB31AACEEAC17F.mof
  2⤵
  PID:1852
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0A2DA7EA3492D7ECD2C313A8B7490FC1.mof
  2⤵
  PID:1252
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0A49A422B8A92BD87756E892C1BAEC38.mof
  2⤵
  PID:1068
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0A76D835FEE42A0F9B07455539850A30.mof
  2⤵
  PID:3008
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0B410C5019E5BB240FE3D9209B3CEAF2.mof
  2⤵
  PID:1452
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0CB6D8EA6179D949B588A4D328F2A1D5.mof
  2⤵
  PID:2364
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0CCAA8293392639FBA830DD578DB2C02.mof
  2⤵
  PID:1348
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0CD51E5093F1D9C8A0097F8E9E827C54.mof
  2⤵
  PID:976
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0E68BDAB79C00E0C496F8772703BB3AB.mof
  2⤵
  PID:1308
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0EA772F1A1EDFC2AEE10CC4E22899FA7.mof
  2⤵
  PID:1076
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0EACEE5F78D8DC364E3C886DBB50601B.mof
  2⤵
  PID:376
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0EB4359F7C410C964ED950874BB9E7C3.mof
  2⤵
  PID:2552
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0EB7B5521B8E9A713CA5D4DE1135B365.mof
  2⤵
  PID:1312
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0EBA1F7B891BD5FE808E91F1D5467AFE.mof
  2⤵
  PID:1996
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0F6999175ECAE7FD86A81D5F3AC1FA46.mof
  2⤵
  PID:896
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\10D697E74C7A4CC694967A7BA1861EE7.mof
  2⤵
  PID:1016
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\14C5A2A3C41254184B007011E5565E5B.mof
  2⤵
  PID:1740
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\160386BCC54C67562570A808003698B2.mof
  2⤵
  PID:2140
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1641F982282E8CA70B0D93F1F2BB145B.mof
  2⤵
  PID:1708
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\16C850723D6D606824E3600992F717AC.mof
  2⤵
  PID:2092
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\170119984F3AA426567DD71E8458DCA1.mof
  2⤵
  PID:1396
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\173F0B14BCB5F1B2B2258AFA66FA1F6A.mof
  2⤵
  PID:2472
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\179828219D3CF81FF212E021A69DF006.mof
  2⤵
  PID:2168
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\17BCA321685944580A77D03BECECF588.mof
  2⤵
  PID:2016
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\18194DF78686FCBACD0E6868ED0E0919.mof
  2⤵
  PID:804
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1898EDEA64C511B1CB8EF5483101FB35.mof
  2⤵
  PID:2784
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\18B9AA34B315DE18655875C087F7E147.mof
  2⤵
  PID:2672
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\18F122357839ADA1419DDE2C541904BE.mof
  2⤵
  PID:1128
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\195AE1B89E0FF6CD40670E98BAB3A608.mof
  2⤵
  PID:2716
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\19B9819A1C5AE6BC556E1A65834AEC13.mof
  2⤵
  PID:2608
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1B1859A081E5E0E923DE7CA17A3AD0E6.mof
  2⤵
  PID:1636
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1BA88ACB624E02A260404A9D8F7BD8E5.mof
  2⤵
  PID:1632
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1BF02F5F261B4F6E08912C82760B1564.mof
  2⤵
  PID:2068
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1C6A987B4B0CF81C64F418964D02E590.mof
  2⤵
  PID:544
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1D2F2472E8915C165DD3667793DD6216.mof
  2⤵
  PID:1664
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1D770486C382CDC6F1CD832E1D040FEF.mof
  2⤵
  PID:472
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1DD21D310EE87FB8B3301E43E53F9548.mof
  2⤵
  PID:1916
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1E3959634C12CA1C92AEBB0AB0A0CD47.mof
  2⤵
  PID:2768
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1E50D6323FD92D3DDCD8B52937074C9C.mof
  2⤵
  PID:2776
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1ED415C5FAB66F75A8BD9D906ED1FD79.mof
  2⤵
  PID:2144
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1FD16EA55AB471DAD65A8AE31A92BFE1.mof
  2⤵
  PID:800
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\20916DA71EC75FCC409872C3207D9C60.mof
  2⤵
  PID:1988
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\20EF0B41F86B67FBB71739AA19D6F941.mof
  2⤵
  PID:668
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2131A60D40501A974386B9E42E4FC201.mof
  2⤵
  - Drops file in System32 directory
  PID:1700
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2174D8A485DAE80D1D90B7E5430F164F.mof
  2⤵
  PID:1788
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\22C5E271CACABCBB6D1BF416CB483DB1.mof
  2⤵
  PID:2376
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\232692AF542DAC9C19624048D7BCE0F9.mof
  2⤵
  PID:2224
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\25CCB9BAD9B50F42124D935083535916.mof
  2⤵
  PID:1800
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\25CE4D0A477A7A536B1F5C9965A6C9E4.mof
  2⤵
  PID:2856
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\25E9A5A2000F7483536AEC7F5BBAD557.mof
  2⤵
  PID:2972
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\265FD3983F420D89954E000E4E311FC5.mof
  2⤵
  PID:1976
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\26A5A04A346330E389400293E01228AC.mof
  2⤵
  PID:1772
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\26E8FD3933B4712ABA50053BBE27630F.mof
  2⤵
  PID:1684
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2794DD6CC13BD11ED558AA64C449E6D7.mof
  2⤵
  PID:2404
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\29B55D1D5A0BB6BBFD2F6F1D35B3A1BB.mof
  2⤵
  PID:1580
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2B08F8B4B5DBD8346D4FF75E51BC8F87.mof
  2⤵
  PID:804
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2B416E2919A9D497584044544D3C8433.mof
  2⤵
  PID:2784
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2BF259128A811B9C7417AEAD9F596A8E.mof
  2⤵
  PID:2836
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2C6A80FDED75E46CA733976E382559CC.mof
  2⤵
  PID:2628
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2C7CF4E1EA79BFA00DDAAADCB67FCA96.mof
  2⤵
  PID:1296
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2D0F883F26EE14287D5262E2FC93E3CE.mof
  2⤵
  PID:2060
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2DFDBD25A9B159E6B632A69ADD81F446.mof
  2⤵
  PID:560
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2E4D19AFECF3B4188F10CD16C8BB92E1.mof
  2⤵
  PID:1068
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2F58A8772B1579A81054587DFC0A68CE.mof
  2⤵
  PID:2772
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\30711D4696101AA94690C8C51432F5E2.mof
  2⤵
  PID:844
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\30C3808B55CD6C563447B44FC4E9BAD8.mof
  2⤵
  PID:1072
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\329A6D1E4413466F2111A8B0F5C0A51B.mof
  2⤵
  - Drops file in System32 directory
  PID:2752
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\32C943873CC624333BD0BF2A77384240.mof
  2⤵
  PID:2884
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\32F8CD6F6308A815E554A273D4FA33D6.mof
  2⤵
  PID:2916
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\33A13765948753719F44CA6F7E586909.mof
  2⤵
  PID:2792
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\33B9B81C996ACC2B2000070519028F72.mof
  2⤵
  PID:580
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\344FC63DB23C44805CA5C08EAC26522F.mof
  2⤵
  PID:1720
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\345C49713BAB91E320E0183986F86818.mof
  2⤵
  PID:668
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\347C4407B808EB65CAFD16126D73D922.mof
  2⤵
  PID:1616
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\34945C148CB28454DF772D7436BAE73A.mof
  2⤵
  PID:1676
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\361C55667115751869AC74207D28DCE7.mof
  2⤵
  PID:2376
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\36A47C4202A2694FFD79C2BABBD02788.mof
  2⤵
  PID:2224
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3704297DA195A3B2DADC6D89B6226662.mof
  2⤵
  PID:2388
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\371088BC97F0585065A1A08ED83172D6.mof
  2⤵
  PID:2856
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3778D40681E80056E0C63E6CB18E9E37.mof
  2⤵
  PID:2972
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\37D4F7E4435BDF811F1EC2CBA1EF4A10.mof
  2⤵
  PID:2472
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3855849167EAA03A99F4C8450E15A6ED.mof
  2⤵
  PID:2896
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\38841DF145EDAB1901F40F6B9A6AF4AA.mof
  2⤵
  PID:1064
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\38C42C417C6ED79CEA712C91CA6F6077.mof
  2⤵
  PID:1576
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\38F922911FA0CAE637E5D1EB1013D0F1.mof
  2⤵
  PID:2648
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\395955902B64122A6EF58A130F284979.mof
  2⤵
  PID:1912
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\39C2F82384C755EF218F0F19FE619F80.mof
  2⤵
  PID:3012
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3A2F8881A3B96DF2374FCEFB35545D6B.mof
  2⤵
  PID:2620
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3A65AC537877D583303AEEF0342B5D51.mof
  2⤵
  PID:2380
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3AF58951EB00AD264E4FCF4BA804D893.mof
  2⤵
  PID:1636
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3B443485D5F96CA9554D404AA52A1633.mof
  2⤵
  PID:888
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3BB167BC6A619E5D11B40C8B9F699327.mof
  2⤵
  PID:3008
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3D7D7734943CA5F273BDA05F3E1FA20C.mof
  2⤵
  PID:2188
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3D93BA5591BD981C5D5D6E2BEFACAA50.mof
  2⤵
  PID:2800
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3DB5281FDDFC239D9EF8C0B9F568CC0A.mof
  2⤵
  PID:2624
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3F78FC5E2CC6CFD8720C796D34A544F7.mof
  2⤵
  PID:1072
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3FA3650B664BC96A8672EC85A7AE4225.mof
  2⤵
  PID:2752
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\40E224B18F4493C1B8E43DBC496D8E68.mof
  2⤵
  PID:2884
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\434B7316BB2FAD82DC3E5784AC46B4A0.mof
  2⤵
  PID:956
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\43535D7A73D735DEFF9DB83057553D39.mof
  2⤵
  PID:2792
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\435A088CDF6FE7426084E4B35C1E81C7.mof
  2⤵
  PID:580
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\43AC153E4DED1737C66AEC0C7EAD9430.mof
  2⤵
  PID:1352
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\451233ED13E097000776690B79D8D753.mof
  2⤵
  PID:2728
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\45909B0D5A9FD1FE57C8BD13773D4358.mof
  2⤵
  PID:1700
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\46F812454290EE1E870544BFEAC8C7EF.mof
  2⤵
  PID:1992
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\47C87AFF6DBF51980E7CA3E36C38B86B.mof
  2⤵
  PID:2312
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4846320185EA62FBD8507FD7A9D87E61.mof
  2⤵
  PID:3052
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4BD7268ABFF9CFF22DA57949025E2667.mof
  2⤵
  PID:872
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4BE9D6CB921FE137B78AE9960CDD98B0.mof
  2⤵
  PID:324
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4D9BCF0F509C90FA86E1ED3A34E158A0.mof
  2⤵
  PID:1976
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4DAE009EE0BC4B9ECA96E59E303AE1E5.mof
  2⤵
  PID:2320
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4E20565265CAAFBDB6BA1B1C1ADA9D96.mof
  2⤵
  - Drops file in System32 directory
  PID:740
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4E34C76D83E2430D779FE9AA17E87200.mof
  2⤵
  - Drops file in System32 directory
  PID:2404
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4EF05404F86FAFD7EDAB80262970585E.mof
  2⤵
  PID:2264
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\50B5B38557DC642A4BC7282A0C8C4AA2.mof
  2⤵
  PID:1768
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\51588E4AC5E59453F329EBF5A215ACEC.mof
  2⤵
  PID:2872
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\517ED769F6478117021531216F609C27.mof
  2⤵
  PID:1588
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\51B9369C31C913E211D29AA4D91D4747.mof
  2⤵
  PID:2628
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5232DBC5D3EE8EBCEF6CCB4213399B9A.mof
  2⤵
  PID:1412
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5312CF8C0E1EE738404F2A6E526EB4D0.mof
  2⤵
  - Drops file in System32 directory
  PID:2060
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\53C824D10974E3D64CB1537B2770F4AD.mof
  2⤵
  PID:2332
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\542DC56D520FDDEDA279A0D2F398203D.mof
  2⤵
  PID:888
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\553C27B9785BAD9A0C6E81613DD3FCB4.mof
  2⤵
  PID:1752
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\554B4465433438F4FF7B8D7AB981B555.mof
  2⤵
  PID:2188
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\555E8EEF9A21E3F26C263316A778E15F.mof
  2⤵
  PID:2800
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\568257F0F7CB54EB479EA5E39A4ACD57.mof
  2⤵
  PID:2504
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5731B1CD62369AA3EF2B861A7BACB2C5.mof
  2⤵
  PID:2900
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\58F2015134CCB0F7652C9320D9357B79.mof
  2⤵
  PID:2752
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\59C780751B7740A822CCE33528AC1E14.mof
  2⤵
  PID:2884
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5B4B75183FE97E2D052EE74E519015F4.mof
  2⤵
  PID:956
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5C704EA3E7D7B64E50D00711FC13CD34.mof
  2⤵
  PID:2792
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5DFFB5C73CF04EE22E19BB74127846D8.mof
  2⤵
  PID:580
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5EEE7ED3AD74F7D10B2058BB7C19B751.mof
  2⤵
  PID:1928
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5F037A89915D44B8819F9FCFDE0B489E.mof
  2⤵
  PID:2024
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5F08E2D70EBF81C77FA4C99A0901A6C8.mof
  2⤵
  PID:588
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5FC405F33502FCF8B5292EFDDD9AE4FA.mof
  2⤵
  PID:2228
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\618DAF27B2DD9C7384C9866B3C604A9F.mof
  2⤵
  PID:2428
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\627EE3812DC7A5BF704C057D238F75AA.mof
  2⤵
  PID:1800
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\62FE034F36B9ACAF125049C4EB64D6A7.mof
  2⤵
  - Drops file in System32 directory
  PID:1320
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6364E8D3F688917ECAE1050954B63674.mof
  2⤵
  PID:2336
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\644B35DCD280DC69AED674005133C98E.mof
  2⤵
  PID:1396
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\64BE228C7C03C2D993371E5195306859.mof
  2⤵
  PID:2392
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\652B32EA4449A9E8AF422E70ACDF46E4.mof
  2⤵
  PID:2192
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\653734ED42B7A9B62F119AAB8C9521D8.mof
  2⤵
  PID:628
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\657F8341C743B485575944BF32E0125B.mof
  2⤵
  PID:2160
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\65DE946825EFC13018FEB489315181A4.mof
  2⤵
  PID:1128
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\66B28EEE188E29399051A60BAF92D333.mof
  2⤵
  PID:2612
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\674888C18C2BA74E9DE8F74501330DC0.mof
  2⤵
  PID:2616
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6792FDA793556851BD20EA3DD8BD4F6B.mof
  2⤵
  - Drops file in System32 directory
  PID:2620
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6808D4839451264DD18BB2454D45479E.mof
  2⤵
  PID:1224
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\682277A939A770BB800CFE4F205D7891.mof
  2⤵
  - Drops file in System32 directory
  PID:760
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6874681F627A133631133FDFA2B4FB8D.mof
  2⤵
  PID:3060
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\693BB2D22B37188C506A30563317E1D8.mof
  2⤵
  PID:888
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6984662FE0A2CC634E49E525D17376AA.mof
  2⤵
  PID:1752
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6BFD34C0EBE9B3A34F525B51261858DF.mof
  2⤵
  PID:2188
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6CBA7FE164696851E3674A4FC046F926.mof
  2⤵
  - Drops file in System32 directory
  PID:2800
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6CE4D05BA5B97F5FAAA40312E14F0E81.mof
  2⤵
  PID:2444
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6D15B1C3AE92D91DCD86360CCC4F53B4.mof
  2⤵
  PID:1308
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6DADEFFF2FCEDD93F8CEF59036FEF4B9.mof
  2⤵
  PID:1076
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6F2F026E4006B8443E4D6AD8DC43B8EF.mof
  2⤵
  PID:1136
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6F8564A71977AE6B940705DCC4847A8D.mof
  2⤵
  PID:608
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\70121DE772621FEB6480A1C9A3475D5A.mof
  2⤵
  PID:1536
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7073EBB8E2F3C70E0FA1F650B7DEA970.mof
  2⤵
  PID:944
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\716FDC254E211F547A560E1A71D0E6CA.mof
  2⤵
  PID:2124
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\738F657B98502C3F07A67FDC669EB8AB.mof
  2⤵
  PID:768
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7402D0FB5599777D401744FC6DD201D7.mof
  2⤵
  PID:3064
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\740FBFCE4E4515C86E8C7E9D18A58DF4.mof
  2⤵
  PID:2676
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\742B2F1B414C6E566B6BDF87D12D8AA4.mof
  2⤵
  PID:2756
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\74E621F5E9C4849D83DAC55AC565A76B.mof
  2⤵
  PID:872
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\757421178679BC54A733A7C4F3DAA07B.mof
  2⤵
  PID:324
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\75B8AD308277AE2AEFCDEA0B6A7C3C0C.mof
  2⤵
  PID:1976
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\75F3B2B3A615155BFB2E7C19531A197A.mof
  2⤵
  PID:1688
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\76A3CA62703735BDC186B9056247C8F7.mof
  2⤵
  PID:2940
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\779E080B33F322115205BB50F1E0B8D1.mof
  2⤵
  PID:3056
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\784F84C1F101285B20E218ED2D09CD89.mof
  2⤵
  PID:2668
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7950D68C8C6F669B94D3E488F0B6BEAB.mof
  2⤵
  - Drops file in System32 directory
  PID:2240
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7C45C8B7490D3AD44A961494C7FBFAFD.mof
  2⤵
  PID:1084
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7C6FCEE9F64D2CC890D867AB97DEE424.mof
  2⤵
  PID:2680
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7C7E3220AE92EC87E0436ADE3F5D9931.mof
  2⤵
  PID:2076
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7CEC0B7114C0F4A2F6AABCEF53246585.mof
  2⤵
  PID:524
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7D1DA389789509D61D1AB66097581992.mof
  2⤵
  PID:2008
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7D60FA9CA39C59A4B7C96DEFCF0B1B01.mof
  2⤵
  PID:2064
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7DD87359B51EDB79AC235F97E726EF5A.mof
  2⤵
  PID:1664
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7E12C6950CA7714D731D5313649CA457.mof
  2⤵
  PID:1032
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7E4466504BEF670F4735843135B2ADFD.mof
  2⤵
  PID:2904
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7F3DC6EFFFDCCEBC37B17C2FDC124638.mof
  2⤵
  PID:2820
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7FAC187A43CA71A854CA4653D8E075B5.mof
  2⤵
  PID:976
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7FFB3426D0E8BA66422FAE4DC6D7FC1C.mof
  2⤵
  PID:2760
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\80064700E82C89F9D3E945021BA8C32C.mof
  2⤵
  PID:376
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\818B866A009B1338C5AC103B2D8E2372.mof
  2⤵
  PID:1040
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\82DFEA0FE38074528C86FA0695FC7E37.mof
  2⤵
  PID:1988
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\82FED0C3319594CCF4117CB3B34B5F72.mof
  2⤵
  PID:1324
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8349431AF468BA55DBFB84FC50CC17C5.mof
  2⤵
  PID:1928
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\83E1D5D490B9335941305F44058A6755.mof
  2⤵
  PID:2440
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\843980BE43ABA52AC77C57DF068D59B1.mof
  2⤵
  PID:1668
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\846AC8E6E788D5BDCFBB697A233A8993.mof
  2⤵
  - Drops file in System32 directory
  PID:2232
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\84BA101DF0936E1318EE1EB10539C9CD.mof
  2⤵
  PID:876
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8588C815441547988C5E4B9CC6CF7351.mof
  2⤵
  PID:2720
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\868B5F1DDD5C341C50C0D359CD22F37B.mof
  2⤵
  PID:2296
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\869B30EA34E0F5E56CCBB130AAC2BFA1.mof
  2⤵
  PID:2432
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\86CAC2AF84F4546D81A07C72C8591F6A.mof
  2⤵
  PID:604
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\87C0585DEAE72716889B524A66D1B5A3.mof
  2⤵
  PID:620
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8935BD8F59955F30D52E141E311891AB.mof
  2⤵
  PID:2896
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\89FA1168564BA2D42E7C412972B44BB5.mof
  2⤵
  PID:740
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8BA44FC08995F15033A9F5D56C8BFC72.mof
  2⤵
  PID:3056
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8BC8F7B477D3C6C3184AD0372AEE53F6.mof
  2⤵
  PID:2784
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8BDE235F11AF9276AB26638F45341094.mof
  2⤵
  PID:1588
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8E733CB38D1CDCF7377912244F95A3ED.mof
  2⤵
  PID:2628
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8E84BA6D260667ADAAD89BFECDD627CB.mof
  2⤵
  PID:2148
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8EE122F840F244E3AE065AF9ADB16CCD.mof
  2⤵
  PID:664
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8F07ADF9734C090207F52CC2C29F17AF.mof
  2⤵
  PID:1844
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8FAA7CD5955A0D5862A90FAA2B0A56F4.mof
  2⤵
  PID:1452
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\92EFA8432E609D6F315DD0A3CB41E1E8.mof
  2⤵
  PID:1272
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\930C5E176BA9A3D78B730BC00CDDF64E.mof
  2⤵
  PID:1752
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\945C37C794BCB294DBA8E445FF2C9DB6.mof
  2⤵
  PID:1812
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\94D3468248838C60F808E50FC66A40D0.mof
  2⤵
  - Drops file in System32 directory
  PID:2056
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\95E06CE9FC028717015354732A36A6C1.mof
  2⤵
  PID:1484
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\96E2369FBCFC254F09B1EA2AF6E7641A.mof
  2⤵
  PID:1776
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9772382673B9BD1FECD8DED342DC39F8.mof
  2⤵
  PID:1100
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\979FEF94607A8F13E19684C45FAA30EE.mof
  2⤵
  PID:2804
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\97D74F86BDAAADB7B4674A2E199ED992.mof
  2⤵
  PID:1968
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9B0C875B0F6F2F48FB2B5C587F50979C.mof
  2⤵
  PID:1536
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9B69BCC6C9FE867D2A3B64ECABB53826.mof
  2⤵
  PID:944
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9B75C712017ED3DA97BEA0D4949BFA74.mof
  2⤵
  - Drops file in System32 directory
  PID:2852
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9B7AE939DC5E63135058FA28EB025C7C.mof
  2⤵
  PID:1132
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9B9501A9E26093612D20F39A895DA307.mof
  2⤵
  PID:2140
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9C1784EBA4E907589027FCF72DE4C0AD.mof
  2⤵
  PID:3052
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9C44AA8B16C47059241530441BCD6DD9.mof
  2⤵
  PID:1624
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9CFE6E9E20D61400007C08E31ED048B4.mof
  2⤵
  PID:1772
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9E8B373EB1451CC4B43C871707D12D3D.mof
  2⤵
  PID:1864
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9FC7214EDE76F8AE24F96A8195852557.mof
  2⤵
  PID:2344
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9FD6F6552A18165F88BF080B1B4DF1DD.mof
  2⤵
  PID:1688
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A0CC7ED8939B47C1ED00EB9F04D19EB0.mof
  2⤵
  PID:3032
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A0DE0DD786E0E9020C3DFD7004E42694.mof
  2⤵
  PID:1768
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A16EB1FCF4FDFE5542D9FE85FCF4F0E0.mof
  2⤵
  PID:2684
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A2D118894CA6FCC71ACC7DD86296B7A8.mof
  2⤵
  PID:2688
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A30FD18C5DC0924B89944F8ADE638E27.mof
  2⤵
  PID:2616
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A396597A6767121F681B483A4B28ABDB.mof
  2⤵
  PID:2936
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A46C038124134B1482949A1DF8ABB385.mof
  2⤵
  PID:760
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A572284932D45BDC47401871C2E01043.mof
  2⤵
  PID:1252
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A7463B23BFE582993515A0109F19D304.mof
  2⤵
  PID:2072
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A88BC3FD19AFFF0EF5E5DD4A97F9B953.mof
  2⤵
  PID:1664
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A93568B935C29F9AA2B5DC62D4964431.mof
  2⤵
  PID:1032
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A945F8B7098A596A55A7303B78BC8CF1.mof
  2⤵
  PID:472
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\AA6235372BA3751E1E4C601E6263D02E.mof
  2⤵
  PID:2624
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\AA69B9C8BBEB509BBB296FEDD7B5ED23.mof
  2⤵
  PID:864
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\AB3EC8C66F16D96107223E8469ACA854.mof
  2⤵
  PID:1596
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\ABA2825A827A4760BD2251B8B781B271.mof
  2⤵
  PID:828
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\AD20F64F9DDBB4AB72E615A132B55377.mof
  2⤵
  PID:904
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\AD5C5848CD0E22DA01A18D5C186CF995.mof
  2⤵
  PID:1080
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\AE25594AECD77BF35F6E794162F4DD77.mof
  2⤵
  PID:1996
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\AFC3C909161915255AC43F522C25B858.mof
  2⤵
  PID:1788
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\AFE689599143A3C959EC6ED84C5AE1F9.mof
  2⤵
  - Drops file in System32 directory
  PID:588
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\B1FD5C4B728DEE34C2744E42C11D8760.mof
  2⤵
  PID:1188
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\B250BBA224E8A08823993336C7CB7011.mof
  2⤵
  PID:2704
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\B471CD3F6DA41643CF1F5221FE3E4CF9.mof
  2⤵
  PID:2736
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\B54261EAEEB4A0D8DB966E20CBEF7E52.mof
  2⤵
  PID:2576
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\B6752671A157884075FCC12BEDFB4D69.mof
  2⤵
  PID:872
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\B67D454E426E9AEB60ED08DCC946B44B.mof
  2⤵
  PID:1396
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\B6AF1E27DD1C8095A2887A3BECBB76EF.mof
  2⤵
  PID:2868
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\B7133C48CF1507759D1561876C9BA27B.mof
  2⤵
  PID:2896
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\B789D76E1E0DE4569B56F6FE22E05621.mof
  2⤵
  PID:1352
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\B8870014FB74FB540F3C31EA907A2AE7.mof
  2⤵
  PID:2596
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\B983243B1B5F59CFF73648C21D5FB88F.mof
  2⤵
  PID:2612
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\BA42233C2B9592211C49858860047F3F.mof
  2⤵
  PID:2828
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\BB9039F6B76054E97E7EFE906C52DE12.mof
  2⤵
  PID:2340
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\BD557D61619F268BDCEA21C2BDB91514.mof
  2⤵
  - Drops file in System32 directory
  PID:324
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\BD818313E410FD46A9F63786A32AEE23.mof
  2⤵
  - Drops file in System32 directory
  PID:1528
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\BD880669B37B14C73AF9195DB3A20F28.mof
  2⤵
  PID:3060
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\C03089ABF5861ADFD1F7C923D2F9A153.mof
  2⤵
  PID:1760
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\C09DD3CA03ADBEEE3ABD0ADF668D9848.mof
  2⤵
  PID:808
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\C1A0E85153900845F7BA78472B952007.mof
  2⤵
  PID:1348
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\C1A41FBCA25E3E6CC4CD22064882728F.mof
  2⤵
  PID:2128
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\C1D36889746E38D1BC7C314F51AC80E6.mof
  2⤵
  PID:1620
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\C1FA58EA827D44CFBEE4F63536677F65.mof
  2⤵
  PID:692
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\C25A6E589BBE06A55DB5B350B80152B1.mof
  2⤵
  PID:1076
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\C2928ED38478DF99E69563F6607993C8.mof
  2⤵
  PID:2552
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\C3F80855FDF5A3E423EBABF12EB64064.mof
  2⤵
  PID:2412
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\C40B30214E633F7974F2729FAE1BC67D.mof
  2⤵
  PID:752
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\C5E5CB06F45AEA0FE31FFD0A0F94194E.mof
  2⤵
  PID:2308
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\C67614C3E48ABD4BC9E709E2CEB2CE53.mof
  2⤵
  - Drops file in System32 directory
  PID:2284
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\C685465F4F6FC210421DA7E9DD550821.mof
  2⤵
  PID:2852
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\C8306578B5F0D111675384D271B4DAE3.mof
  2⤵
  PID:2768
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\C890A36E670146004F5FA6D96F4C069C.mof
  2⤵
  PID:3064
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\C98344F72C7B0FA5F30F1BF6877B4E25.mof
  2⤵
  PID:1724
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\CA1BF3536958E01F710E5995DE6EBE31.mof
  2⤵
  PID:2856
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\CAC0434A24FA3D5F69B4858EAA050C64.mof
  2⤵
  PID:2696
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\CB7DDAE3224D5AB1AA07F9B5AAD1A027.mof
  2⤵
  PID:1548
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\CCFBB6F691A0FA96C5B605CD9D80173B.mof
  2⤵
  PID:1064
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\CD5C98B31AB8AA0599193696AF7D0DB1.mof
  2⤵
  PID:1688
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\CD658FA16F96D4466BFE68FCE874D955.mof
  2⤵
  PID:3032
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\CDC6E4754252FF7D0E8F3C134D265A60.mof
  2⤵
  PID:1860
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\CDDB319981A500F42CBEC98CD2362007.mof
  2⤵
  PID:2684
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\CE096445AF8F836B82205BD4E80E5A94.mof
  2⤵
  PID:2608
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\CE11FD1C1FB6481A93541E3B9ACD4CA7.mof
  2⤵
  PID:2680
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\CE7FA5E0DC28E4C7BB0A2AA22DE05392.mof
  2⤵
  - Drops file in System32 directory
  PID:1412
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\CF59E7AD297D53172AE9792A2C26A022.mof
  2⤵
  PID:1824
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\CF881EBD6F50B8BAA9BD57DC3DAC5CB2.mof
  2⤵
  PID:2772
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\D04911ACFCA47446EFCB01393D3C3F8B.mof
  2⤵
  PID:1952
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\D1C240EDA191362672EF6FCCB9725F85.mof
  2⤵
  PID:2064
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\D2412702F385FCB9E6709FB33EB27BDF.mof
  2⤵
  PID:2604
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\D256B700C202A9389F73688CDED83B7E.mof
  2⤵
  PID:1792
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\D361F8B496FD6DAF7BEEF497E09C0DC1.mof
  2⤵
  PID:2800
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\D44C788DD143A6A25912E1AA4230EBBA.mof
  2⤵
  PID:1380
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\D45422347AA81775B83DBC3898BAD5DE.mof
  2⤵
  PID:444
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\D4D422DBE282F1B12C3A82517EB0D59D.mof
  2⤵
  PID:1596
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\D566F9B651B60AE7D0B5DEBF57A90E35.mof
  2⤵
  PID:828
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\D69C7ED8E3B896ACD98229CB4DC363B6.mof
  2⤵
  PID:1736
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\D6E15C5FE0484F1B1192CEC9DD7DCE6A.mof
  2⤵
  PID:2948
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\D7E06DA4457A14F49A9A996F22881130.mof
  2⤵
  PID:1628
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\D8A32838B23AD6809B3B7858DA93D26B.mof
  2⤵
  PID:2024
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\D8D1C602836BEF743D38740FCA8D4B8B.mof
  2⤵
  PID:768
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\DA27AF57C09E80A784709AD6239EA23B.mof
  2⤵
  PID:2932
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\DA54B44152345FC1E1817702B2A34D5D.mof
  2⤵
  PID:876
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\DA5B702F94B3636728C005C0E5C0A6BE.mof
  2⤵
  PID:2720
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\DAC96F2A49E2484740F118A3CDF28EA3.mof
  2⤵
  PID:2296
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\DB54C5562A50379EFADA86F9B3861ABC.mof
  2⤵
  PID:2468
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\DB81A681168E125300B192421B05FF69.mof
  2⤵
  PID:2016
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\DBC6F0EF775A987FD56E1909BCBEF6E4.mof
  2⤵
  PID:2448
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\DBDD03C26C22DA3E23ABAA15A6B39B54.mof
  2⤵
  PID:2896
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\DC89E71970FFC22FA221C8A45308C5D4.mof
  2⤵
  PID:3036
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\DCEF332D84C4031C782F4C93C596D4D1.mof
  2⤵
  PID:2836
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\DD603E8A562856C2EC1C09212F23ADB3.mof
  2⤵
  PID:2520
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\DE44225AB6232B6BBD0C9B6E8C537DF1.mof
  2⤵
  PID:2828
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\DE523FD5DB5ABAE94C68AF7114CBD760.mof
  2⤵
  PID:2004
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\DED5474ADC85A48A01D7B3559075F80F.mof
  2⤵
  PID:2396
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\E069A2E2BAA0539B3A6D0C2A427CC7C9.mof
  2⤵
  PID:2060
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\E22148F95450D8DD65C6F01F3F70D0C6.mof
  2⤵
  PID:1528
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\E2FA811D54787AF194F2ED7963AC8C26.mof
  2⤵
  PID:3008
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\E32F72CD17027215C1CA0F8CDBFC424A.mof
  2⤵
  PID:1932
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\E3D1F0237C90408BD496AD5ABA1F83D8.mof
  2⤵
  - Drops file in System32 directory
  PID:808
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\E41B36A469B90C2F71E1E8F75B1ED2A0.mof
  2⤵
  PID:404
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\E47D9E1373E74D680A96741EA31C401B.mof
  2⤵
  PID:3020
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\E4D93E2CD3A40184A9C679C11EDC25C0.mof
  2⤵
  PID:1620
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\E524F67A774C12EBBA2AC0F57BF33938.mof
  2⤵
  PID:976
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\E5D068F2F245DA1441228DED41D871BF.mof
  2⤵
  PID:2776
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\E5D6C9A65DA9AE649E8317A75C06E198.mof
  2⤵
  PID:1808
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\E6086DA9044149F6A624985412B8BAA6.mof
  2⤵
  PID:1508
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\E6195BA9E153534E5472835E2F29A5B0.mof
  2⤵
  - Drops file in System32 directory
  PID:1616
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\E65B695F08B9EEF897D110161AAF326E.mof
  2⤵
  PID:1088
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\E74A466875015A38C572AC1A3B4F774E.mof
  2⤵
  PID:3000
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\E860DDD7490FFB35C48288CE8E7C8D65.mof
  2⤵
  PID:2388
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\E88C6850DE2F0CC0517AAF71EFF7E4AE.mof
  2⤵
  PID:2140
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\E96F8F23D7A801D8504391B5E2E3A3F0.mof
  2⤵
  PID:2428
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\EC7D2FD0AD8EE062168F3E58D1A3CDA4.mof
  2⤵
  PID:1220
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\ECCEC78ACEEAA571E4485A1A3E96A4C2.mof
  2⤵
  PID:2116
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\ECCED369BDF461A1B105963C3F3FD5B6.mof
  2⤵
  PID:1696
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\ECDFB9E4F5941EF63DFB007D02610E24.mof
  2⤵
  PID:1864
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\EEC4F93CD036A6E45D6FD265129F85C5.mof
  2⤵
  PID:2344
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\F1FAE81BF48CB59E19A1A345EFABE714.mof
  2⤵
  PID:2192
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\F5228D745C8184B4A57254494455ECB0.mof
  2⤵
  PID:2664
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\F543E05A4357CEE05B9488DA6C07067D.mof
  2⤵
  PID:1860
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\F5BEE99426566AD5FD433DAB46B991C2.mof
  2⤵
  PID:1588
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\F644552872028BB5127A6F0E7B587070.mof
  2⤵
  PID:1852
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\F85C3F4EB8E282B5D15E9FA90012AB45.mof
  2⤵
  PID:2004
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\F8CD42F0BD43C7051B83889D59706392.mof
  2⤵
  PID:1632
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\F8FBB3675EF3FB69283C9C42186E20E3.mof
  2⤵
  PID:2060
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\F95F57395D6E4F99310D09374BF5AA36.mof
  2⤵
  PID:1528
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\FA2C628102913B4350472BA9C99FDD3B.mof
  2⤵
  PID:3008
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\FA30638CAB7DC067E5FDDBB4BAAF9549.mof
  2⤵
  PID:1264
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\FB78554F9623FFCFAF8517D1382A1AE6.mof
  2⤵
  PID:2744
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\FE6ED8E301AAC0F2572E50BB9B42368D.mof
  2⤵
  - Drops file in System32 directory
  PID:832
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\FE7DD380036BD93A59C38786492E170F.mof
  2⤵
  PID:2444
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\FF2A2387AFA336F6A8BAE68F63DAF457.mof
  2⤵
  PID:1568
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\aaclient.mfl
  2⤵
  PID:1492
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\auxiliarydisplaycpl.mfl
  2⤵
  PID:904
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\cimdmtf.mfl
  2⤵
  PID:2776
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\cimwin32.mfl
  2⤵
  PID:1808
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\cli.mfl
  2⤵
  PID:1508
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\cliegaliases.mfl
  2⤵
  - Drops file in System32 directory
  PID:1112
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\dsprov.mfl
  2⤵
  PID:2968
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\filetrace.mfl
  2⤵
  PID:1248
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\hbaapi.mfl
  2⤵
  PID:2164
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\interop.mfl
  2⤵
  PID:2464
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\irmon.mfl
  2⤵
  PID:2092
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\iscsidsc.mfl
  2⤵
  PID:1572
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\iscsiprf.mfl
  2⤵
  PID:2296
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\krnlprov.mfl
  2⤵
  PID:3044
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\l2gpstore.mfl
  2⤵
  PID:1644
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\Microsoft-Windows-OfflineFiles.mfl
  2⤵
  PID:2424
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\msi.mfl
  2⤵
  PID:1864
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\mstsc.mfl
  2⤵
  PID:2872
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\mstscax.mfl
  2⤵
  PID:2700
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\ncprov.mfl
  2⤵
  PID:2380
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\ntevt.mfl
  2⤵
  PID:3004
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\OfflineFilesWmiProvider.mfl
  2⤵
  PID:3012
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\OfflineFilesWmiProvider_Uninstall.mfl
  2⤵
  PID:760
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\p2p-collab.mfl
  2⤵
  PID:2068
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\p2p-mesh.mfl
  2⤵
  PID:1632
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\p2p-pnrp.mfl
  2⤵
  PID:560
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\PolicMan.mfl
  2⤵
  PID:2060
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\polproc.mfl
  2⤵
  PID:1908
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\polprocl.mfl
  2⤵
  PID:1272
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\polprou.mfl
  2⤵
  PID:1456
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\powermeterprovider.mfl
  2⤵
  PID:808
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\powerpolicyprovider.mfl
  2⤵
  PID:288
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\profileassociationprovider.mfl
  2⤵
  PID:2820
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\RacWmiProv.mfl
  2⤵
  PID:2512
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\rdpcore.mfl
  2⤵
  PID:1912
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\rdpencom.mfl
  2⤵
  PID:2552
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\rdpinit.mfl
  2⤵
  PID:2916
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\rdpshell.mfl
  2⤵
  PID:752
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\regevent.mfl
  2⤵
  PID:1732
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\rsop.mfl
  2⤵
  PID:1088
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\ScrCons.mfl
  2⤵
  PID:1564
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\secrcw32.mfl
  2⤵
  PID:1016
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\sensorscpl.mfl
  2⤵
  PID:2864
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\ServiceModel.mfl
  2⤵
  PID:2704
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\ServiceModel35.mfl
  2⤵
  PID:2576
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\smtpcons.mfl
  2⤵
  PID:680
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\sppwmi.mfl
  2⤵
  PID:2336
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\sr.mfl
  2⤵
  PID:872
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\subscrpt.mfl
  2⤵
  PID:1696
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\system.mfl
  2⤵
  PID:1064
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\tsallow.mfl
  2⤵
  PID:2264
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\tscfgwmi.mfl
  2⤵
  PID:3036
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\UserProfileWmiProvider.mfl
  2⤵
  PID:2848
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\vds.mfl
  2⤵
  PID:2608
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\vss.mfl
  2⤵
  PID:2680
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\WbemCons.mfl
  2⤵
  PID:2688
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\wcncsvc.mfl
  2⤵
  PID:1824
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\wfs.mfl
  2⤵
  PID:1252
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\WgxInstalledGame.mfl
  2⤵
  PID:1044
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\whqlprov.mfl
  2⤵
  PID:1936
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\win32_printer.mfl
  2⤵
  PID:1360
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\wininit.mfl
  2⤵
  PID:1168
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\winlogon.mfl
  2⤵
  PID:2940
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\wmi.mfl
  2⤵
  PID:2208
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\wmipcima.mfl
  2⤵
  PID:1484
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\wmipdfs.mfl
  2⤵
  PID:2504
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\wmipdskq.mfl
  2⤵
  PID:976
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\wmipicmp.mfl
  2⤵
  PID:376
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\wmipiprt.mfl
  2⤵
  PID:1136
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\wmipjobj.mfl
  2⤵
  PID:2804
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\wmipsess.mfl
  2⤵
  PID:1736
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\wmitimep.mfl
  2⤵
  PID:1616
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\wmpnetwk.mfl
  2⤵
  PID:1608
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\wscenter.mfl
  2⤵
  PID:1780
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\WUDFx.mfl
  2⤵
  PID:2000
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\de-DE\xwizards.mfl
  2⤵
  PID:1668
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\aaclient.mfl
  2⤵
  PID:3064
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\auxiliarydisplaycpl.mfl
  2⤵
  PID:2112
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\cimdmtf.mfl
  2⤵
  PID:2428
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\cimwin32.mfl
  2⤵
  PID:2856
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\cli.mfl
  2⤵
  PID:872
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\cliegaliases.mfl
  2⤵
  PID:1696
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\dsprov.mfl
  2⤵
  PID:1064
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\filetrace.mfl
  2⤵
  PID:2264
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\hbaapi.mfl
  2⤵
  PID:2152
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\interop.mfl
  2⤵
  PID:2684
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\irmon.mfl
  2⤵
  PID:2572
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\iscsidsc.mfl
  2⤵
  PID:3004
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\iscsiprf.mfl
  2⤵
  PID:1444
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\krnlprov.mfl
  2⤵
  PID:2004
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\l2gpstore.mfl
  2⤵
  PID:2068
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\Microsoft-Windows-OfflineFiles.mfl
  2⤵
  PID:524
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\msfeeds.mfl
  2⤵
  PID:1452
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\msfeedsbs.mfl
  2⤵
  PID:2888
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\msi.mfl
  2⤵
  PID:2992
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\mstsc.mfl
  2⤵
  PID:1264
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\mstscax.mfl
  2⤵
  PID:1948
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\ncprov.mfl
  2⤵
  PID:2996
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\ntevt.mfl
  2⤵
  PID:1304
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\OfflineFilesWmiProvider.mfl
  2⤵
  - Drops file in System32 directory
  PID:692
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\OfflineFilesWmiProvider_Uninstall.mfl
  2⤵
  PID:1716
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\p2p-collab.mfl
  2⤵
  PID:1524
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\p2p-mesh.mfl
  2⤵
  PID:1136
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\p2p-pnrp.mfl
  2⤵
  PID:1988
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\PolicMan.mfl
  2⤵
  PID:2804
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\polproc.mfl
  2⤵
  PID:1736
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\polprocl.mfl
  2⤵
  PID:1112
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\polprou.mfl
  2⤵
  PID:2100
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\powermeterprovider.mfl
  2⤵
  PID:1780
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\powerpolicyprovider.mfl
  2⤵
  PID:2000
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\profileassociationprovider.mfl
  2⤵
  PID:2704
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\RacWmiProv.mfl
  2⤵
  PID:2576
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\rdpcore.mfl
  2⤵
  PID:2296
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\rdpencom.mfl
  2⤵
  PID:2336
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\rdpinit.mfl
  2⤵
  PID:1100
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\rdpshell.mfl
  2⤵
  PID:2924
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\regevent.mfl
  2⤵
  PID:2632
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\rsop.mfl
  2⤵
  - Drops file in System32 directory
  PID:2636
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\ScrCons.mfl
  2⤵
  PID:2896
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\secrcw32.mfl
  2⤵
  PID:2620
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\sensorscpl.mfl
  2⤵
  PID:2380
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\smtpcons.mfl
  2⤵
  PID:668
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\sppwmi.mfl
  2⤵
  PID:2656
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\sr.mfl
  2⤵
  PID:2936
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\subscrpt.mfl
  2⤵
  PID:2772
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\system.mfl
  2⤵
  PID:544
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\tsallow.mfl
  2⤵
  PID:2988
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\tscfgwmi.mfl
  2⤵
  PID:888
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\UserProfileWmiProvider.mfl
  2⤵
  PID:2236
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\vds.mfl
  2⤵
  PID:2348
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\vss.mfl
  2⤵
  - Drops file in System32 directory
  PID:2744
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\WbemCons.mfl
  2⤵
  PID:2788
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wcncsvc.mfl
  2⤵
  PID:1544
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wfs.mfl
  2⤵
  PID:1380
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\WgxInstalledGame.mfl
  2⤵
  PID:1312
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\whqlprov.mfl
  2⤵
  PID:1812
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\win32_printer.mfl
  2⤵
  PID:2196
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wininit.mfl
  2⤵
  PID:580
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\winlogon.mfl
  2⤵
  PID:1508
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmi.mfl
  2⤵
  PID:972
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmipcima.mfl
  2⤵
  PID:1616
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmipdfs.mfl
  2⤵
  PID:1088
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmipdskq.mfl
  2⤵
  PID:1016
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmipicmp.mfl
  2⤵
  - Drops file in System32 directory
  PID:1676
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmipiprt.mfl
  2⤵
  PID:2676
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmipjobj.mfl
  2⤵
  PID:2756
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmipsess.mfl
  2⤵
  PID:936
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmitimep.mfl
  2⤵
  PID:2748
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wmpnetwk.mfl
  2⤵
  PID:1688
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\wscenter.mfl
  2⤵
  PID:2404
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\WUDFx.mfl
  2⤵
  PID:1580
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\en-US\xwizards.mfl
  2⤵
  PID:2832
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\aaclient.mfl
  2⤵
  - Drops file in System32 directory
  PID:2612
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\auxiliarydisplaycpl.mfl
  2⤵
  PID:1084
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\cimdmtf.mfl
  2⤵
  PID:2548
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\cimwin32.mfl
  2⤵
  PID:3012
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\cli.mfl
  2⤵
  PID:1412
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\cliegaliases.mfl
  2⤵
  PID:2764
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\dsprov.mfl
  2⤵
  PID:532
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\filetrace.mfl
  2⤵
  PID:2060
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\hbaapi.mfl
  2⤵
  PID:1032
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\interop.mfl
  2⤵
  PID:1908
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\irmon.mfl
  2⤵
  PID:2372
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\iscsidsc.mfl
  2⤵
  - Drops file in System32 directory
  PID:2940
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\iscsiprf.mfl
  2⤵
  - Drops file in System32 directory
  PID:2208
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\krnlprov.mfl
  2⤵
  PID:1948
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\l2gpstore.mfl
  2⤵
  PID:1372
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\Microsoft-Windows-OfflineFiles.mfl
  2⤵
  PID:692
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\msi.mfl
  2⤵
  PID:1312
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\mstsc.mfl
  2⤵
  PID:1136
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\mstscax.mfl
  2⤵
  PID:1788
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\ncprov.mfl
  2⤵
  PID:2728
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\ntevt.mfl
  2⤵
  PID:1732
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\OfflineFilesWmiProvider.mfl
  2⤵
  PID:2224
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\OfflineFilesWmiProvider_Uninstall.mfl
  2⤵
  PID:768
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\p2p-collab.mfl
  2⤵
  PID:2932
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\p2p-mesh.mfl
  2⤵
  PID:2388
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\p2p-pnrp.mfl
  2⤵
  PID:1512
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\PolicMan.mfl
  2⤵
  PID:1804
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\polproc.mfl
  2⤵
  PID:2112
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\polprocl.mfl
  2⤵
  PID:2428
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\polprou.mfl
  2⤵
  PID:916
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\powermeterprovider.mfl
  2⤵
  - Drops file in System32 directory
  PID:872
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\powerpolicyprovider.mfl
  2⤵
  PID:1696
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\profileassociationprovider.mfl
  2⤵
  PID:2648
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\RacWmiProv.mfl
  2⤵
  PID:2212
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\rdpcore.mfl
  2⤵
  PID:2832
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\rdpencom.mfl
  2⤵
  PID:2896
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\rdpinit.mfl
  2⤵
  PID:1128
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\rdpshell.mfl
  2⤵
  PID:2340
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\regevent.mfl
  2⤵
  PID:3004
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\rsop.mfl
  2⤵
  PID:1824
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\ScrCons.mfl
  2⤵
  PID:2004
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\secrcw32.mfl
  2⤵
  PID:1252
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\sensorscpl.mfl
  2⤵
  PID:1480
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\ServiceModel.mfl
  2⤵
  - Drops file in System32 directory
  PID:2332
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\ServiceModel35.mfl
  2⤵
  PID:1456
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\smtpcons.mfl
  2⤵
  PID:3020
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\sppwmi.mfl
  2⤵
  PID:2760
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\sr.mfl
  2⤵
  PID:956
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\subscrpt.mfl
  2⤵
  PID:2512
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\system.mfl
  2⤵
  PID:976
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\tsallow.mfl
  2⤵
  PID:2884
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\tscfgwmi.mfl
  2⤵
  PID:376
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\UserProfileWmiProvider.mfl
  2⤵
  PID:1720
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\vds.mfl
  2⤵
  PID:2308
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\vss.mfl
  2⤵
  PID:1672
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\WbemCons.mfl
  2⤵
  PID:1564
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\wcncsvc.mfl
  2⤵
  PID:1248
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\wfs.mfl
  2⤵
  PID:2768
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\WgxInstalledGame.mfl
  2⤵
  - Drops file in System32 directory
  PID:2736
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\whqlprov.mfl
  2⤵
  PID:1708
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\win32_printer.mfl
  2⤵
  PID:2000
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\wininit.mfl
  2⤵
  PID:2576
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\winlogon.mfl
  2⤵
  PID:1772
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\wmi.mfl
  2⤵
  - Drops file in System32 directory
  PID:1132
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\wmipcima.mfl
  2⤵
  PID:828
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\wmipdfs.mfl
  2⤵
  - Drops file in System32 directory
  PID:1976
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\wmipdskq.mfl
  2⤵
  PID:2160
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\wmipicmp.mfl
  2⤵
  PID:2632
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\wmipiprt.mfl
  2⤵
  PID:1852
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\wmipjobj.mfl
  2⤵
  PID:668
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\wmipsess.mfl
  2⤵
  - Drops file in System32 directory
  PID:2656
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\wmitimep.mfl
  2⤵
  PID:2936
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\wmpnetwk.mfl
  2⤵
  PID:2772
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\wscenter.mfl
  2⤵
  PID:560
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\WUDFx.mfl
  2⤵
  PID:2068
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\es-ES\xwizards.mfl
  2⤵
  PID:1360
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\aaclient.mfl
  2⤵
  PID:2988
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\auxiliarydisplaycpl.mfl
  2⤵
  PID:888
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\cimdmtf.mfl
  2⤵
  PID:2364
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\cimwin32.mfl
  2⤵
  PID:2056
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\cli.mfl
  2⤵
  PID:2036
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\cliegaliases.mfl
  2⤵
  PID:1380
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\dsprov.mfl
  2⤵
  PID:2144
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\filetrace.mfl
  2⤵
  PID:1384
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\hbaapi.mfl
  2⤵
  PID:1628
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\interop.mfl
  2⤵
  PID:1928
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\irmon.mfl
  2⤵
  PID:2032
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\iscsidsc.mfl
  2⤵
  PID:1788
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\iscsiprf.mfl
  2⤵
  PID:2728
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\krnlprov.mfl
  2⤵
  PID:2224
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\l2gpstore.mfl
  2⤵
  PID:768
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\Microsoft-Windows-OfflineFiles.mfl
  2⤵
  PID:1016
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\msi.mfl
  2⤵
  PID:3064
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\mstsc.mfl
  2⤵
  PID:2640
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\mstscax.mfl
  2⤵
  PID:2432
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\ncprov.mfl
  2⤵
  PID:2336
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\ntevt.mfl
  2⤵
  PID:2876
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\OfflineFilesWmiProvider.mfl
  2⤵
  PID:740
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\OfflineFilesWmiProvider_Uninstall.mfl
  2⤵
  PID:2784
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\p2p-collab.mfl
  2⤵
  PID:1696
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\p2p-mesh.mfl
  2⤵
  PID:2664
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\p2p-pnrp.mfl
  2⤵
  PID:2648
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\PolicMan.mfl
  2⤵
  PID:2152
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\polproc.mfl
  2⤵
  PID:2896
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\polprocl.mfl
  2⤵
  PID:2824
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\polprou.mfl
  2⤵
  PID:2380
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\powermeterprovider.mfl
  2⤵
  PID:1660
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\powerpolicyprovider.mfl
  2⤵
  PID:2076
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\profileassociationprovider.mfl
  2⤵
  PID:1632
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\RacWmiProv.mfl
  2⤵
  PID:532
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\rdpcore.mfl
  2⤵
  PID:2060
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\rdpencom.mfl
  2⤵
  PID:1032
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\rdpinit.mfl
  2⤵
  PID:1916
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\rdpshell.mfl
  2⤵
  PID:288
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\regevent.mfl
  2⤵
  PID:1568
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\rsop.mfl
  2⤵
  PID:2208
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\ScrCons.mfl
  2⤵
  PID:1596
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\secrcw32.mfl
  2⤵
  PID:896
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\sensorscpl.mfl
  2⤵
  PID:1968
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\ServiceModel.mfl
  2⤵
  PID:2196
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\ServiceModel35.mfl
  2⤵
  PID:1720
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\smtpcons.mfl
  2⤵
  PID:1736
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\sppwmi.mfl
  2⤵
  PID:1856
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\sr.mfl
  2⤵
  PID:1188
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\subscrpt.mfl
  2⤵
  - Drops file in System32 directory
  PID:3052
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\system.mfl
  2⤵
  PID:2864
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\tsallow.mfl
  2⤵
  PID:1780
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\tscfgwmi.mfl
  2⤵
  PID:1708
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\UserProfileWmiProvider.mfl
  2⤵
  PID:2000
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\vds.mfl
  2⤵
  PID:3028
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\vss.mfl
  2⤵
  PID:2576
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\WbemCons.mfl
  2⤵
  PID:2876
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\wcncsvc.mfl
  2⤵
  PID:1576
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\wfs.mfl
  2⤵
  PID:2404
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\WgxInstalledGame.mfl
  2⤵
  PID:1768
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\whqlprov.mfl
  2⤵
  PID:2848
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\win32_printer.mfl
  2⤵
  PID:2832
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\wininit.mfl
  2⤵
  PID:628
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\winlogon.mfl
  2⤵
  PID:1128
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\wmi.mfl
  2⤵
  - Drops file in System32 directory
  PID:2340
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\wmipcima.mfl
  2⤵
  PID:1660
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\wmipdfs.mfl
  2⤵
  PID:664
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\wmipdskq.mfl
  2⤵
  PID:1952
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\wmipicmp.mfl
  2⤵
  PID:524
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\wmipiprt.mfl
  2⤵
  PID:2060
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\wmipjobj.mfl
  2⤵
  PID:888
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\wmipsess.mfl
  2⤵
  PID:2364
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\wmitimep.mfl
  2⤵
  PID:444
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\wmpnetwk.mfl
  2⤵
  PID:980
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\wscenter.mfl
  2⤵
  PID:1040
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\WUDFx.mfl
  2⤵
  PID:1596
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fr-FR\xwizards.mfl
  2⤵
  PID:1304
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\aaclient.mfl
  2⤵
  PID:1384
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\auxiliarydisplaycpl.mfl
  2⤵
  PID:1524
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\cimdmtf.mfl
  2⤵
  PID:2400
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\cimwin32.mfl
  2⤵
  PID:1508
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\cli.mfl
  2⤵
  PID:972
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\cliegaliases.mfl
  2⤵
  PID:1172
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\dsprov.mfl
  2⤵
  PID:2224
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\filetrace.mfl
  2⤵
  PID:2652
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\hbaapi.mfl
  2⤵
  PID:1512
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\interop.mfl
  2⤵
  PID:2696
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\irmon.mfl
  2⤵
  PID:2112
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\iscsidsc.mfl
  2⤵
  PID:1772
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\iscsiprf.mfl
  2⤵
  PID:1132
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\krnlprov.mfl
  2⤵
  - Drops file in System32 directory
  PID:1548
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\l2gpstore.mfl
  2⤵
  PID:1684
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\Microsoft-Windows-OfflineFiles.mfl
  2⤵
  PID:2892
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\msi.mfl
  2⤵
  PID:1860
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\mstsc.mfl
  2⤵
  PID:2632
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\mstscax.mfl
  2⤵
  PID:1232
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\ncprov.mfl
  2⤵
  PID:2008
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\ntevt.mfl
  2⤵
  PID:3004
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\OfflineFilesWmiProvider.mfl
  2⤵
  PID:1824
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\OfflineFilesWmiProvider_Uninstall.mfl
  2⤵
  PID:2764
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\p2p-collab.mfl
  2⤵
  PID:1936
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\p2p-mesh.mfl
  2⤵
  PID:1632
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\p2p-pnrp.mfl
  2⤵
  PID:472
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\PolicMan.mfl
  2⤵
  PID:1940
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\polproc.mfl
  2⤵
  PID:2988
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\polprocl.mfl
  2⤵
  PID:2516
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\polprou.mfl
  2⤵
  PID:1980
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\powermeterprovider.mfl
  2⤵
  PID:1784
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\powerpolicyprovider.mfl
  2⤵
  PID:2744
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\profileassociationprovider.mfl
  2⤵
  PID:2788
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\RacWmiProv.mfl
  2⤵
  PID:1536
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\rdpcore.mfl
  2⤵
  PID:1716
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\rdpencom.mfl
  2⤵
  PID:2284
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\rdpinit.mfl
  2⤵
  PID:1384
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\rdpshell.mfl
  2⤵
  PID:1608
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\regevent.mfl
  2⤵
  PID:1616
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\rsop.mfl
  2⤵
  PID:1668
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\ScrCons.mfl
  2⤵
  PID:2852
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\secrcw32.mfl
  2⤵
  - Drops file in System32 directory
  PID:1172
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\sensorscpl.mfl
  2⤵
  PID:2224
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\ServiceModel.mfl
  2⤵
  PID:2652
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\ServiceModel35.mfl
  2⤵
  PID:1512
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\smtpcons.mfl
  2⤵
  PID:2696
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\sppwmi.mfl
  2⤵
  PID:2112
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\sr.mfl
  2⤵
  PID:1772
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\subscrpt.mfl
  2⤵
  PID:1132
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\system.mfl
  2⤵
  PID:1548
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\tsallow.mfl
  2⤵
  PID:2664
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\tscfgwmi.mfl
  2⤵
  PID:2520
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\UserProfileWmiProvider.mfl
  2⤵
  PID:2532
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\vds.mfl
  2⤵
  PID:628
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\vss.mfl
  2⤵
  PID:1128
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\WbemCons.mfl
  2⤵
  PID:2340
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\wcncsvc.mfl
  2⤵
  PID:1664
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\wfs.mfl
  2⤵
  PID:1824
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\WgxInstalledGame.mfl
  2⤵
  PID:2764
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\it-IT\whqlprov.mfl
  2⤵
  PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\perfc007.dat

Filesize
141KB

MD5
04cfbb517f86f737a4cffd80310728ea

SHA1
f607e5e02dcd2b5c93a320b9b04f6b2fa9d8f904

SHA256
5baf0b3f557d94f7eb2c70dce6a9bcc5fd1dfb0bf21050ba7e50fa508ffe4680

SHA512
89bb6a23118a67f67854515c707d8202f031c89d932d1c99cddaa6edc901852ddd36f2a6c312feaae5a14f5285945bdddf40283f0745324492c97828714a059a

Download Submit
C:\Windows\System32\perfc00A.dat

Filesize
150KB

MD5
205ea85aa61f7cb93dd45ed733aad1b4

SHA1
39ee534f562b86d0a4a2dda8ff378c7ca34bb480

SHA256
6904a7e830b195a9db9f6f73f4d77fdd9d4de009d07b2e3739a844b328830482

SHA512
ea7285658288bc862cd3624cc9208b91708a93a4c20532bb7b74aef54f64bbb10765bea00abf21cc2a0290135eb3d38672ad69c9c4267e04cec9ffa616392319

Download Submit
C:\Windows\System32\perfc00C.dat

Filesize
141KB

MD5
6952af69761655c7f54fa038321f7e57

SHA1
91717e2b9dba46d6742c38550a2bedb0c75a1952

SHA256
d747b499573afbd3b9918e720a486c3bf40126caf84e60cbb3548a7d7977252e

SHA512
14e66bec7287b9ff3cfbdb26c45f391f7a65ec86f3a9efb0d36800e787056c19fe2df9985fc989f0a96f472aa4567d03649ef880207a65723250bfebf77eaa7b

Download Submit
C:\Windows\System32\perfc010.dat

Filesize
138KB

MD5
8f0a5ade4bc955fc90ca025345b779fe

SHA1
248f1b20858a8a84bcf8a40a5ef0782e49f0c3fd

SHA256
0a5029c7ac243bce9d1ee331a88367d291a555ac1789c2c306428c8f5567a686

SHA512
df4893353aaf3f66867ba21617c168be33bf20f8e32ca12d5c3466b207249d711c0440073d79e5fe69a419d46d712b5907fad10d70336392222c450b62e552c1

Download Submit
C:\Windows\System32\perfc011.dat

Filesize
114KB

MD5
eeeae10bd8cfba7c451e0766c32a30bf

SHA1
580d7e70f244c1214dd758c30e2aa78d31d877a8

SHA256
f83a19872ddaad6d76d2b2fb48bcd57e6ae2f112a30a31372f4e565734246514

SHA512
9d763cac4cee368aef9793bd1a83fc01bbc76d6d8a48077e026c9e037fff6ed729f9e62a7f6e6610ecbb64d0f3330f405eca8d0ad058450f3166f5161f51d1d6

Download Submit
C:\Windows\System32\perfh007.dat

Filesize
668KB

MD5
1d926bd664fd45bc465bf1a06de35677

SHA1
b2cb97d06020236f56ebe83a2ecec8a73f906f89

SHA256
b109e93167c6b73d70ba00708c3f99e755e95250c6ef8d9079990340fc413f35

SHA512
7108ac28fb303ec873c8df6941b0af3c743e7f7af5c561e0340456f79d9f3a2a958150dcc03fc93ff14642bad265fb842e37d4aaa8ed5e27789de7f74ca13e22

Download Submit
C:\Windows\System32\perfh009.dat

Filesize
634KB

MD5
6c046ba82df3783ba28fab7934a2bb8a

SHA1
e74fe3dc0e6e90c3011da23059967ae506117d77

SHA256
24c9b50b751602d17637e5ffa342f9c4ddc6c8ad12402af8050e540aeffad06b

SHA512
387962657a4a83a0cef0b846aaf253fcd18fb33263411cf39118b9de8fafe5a43003667a508c86ed11f6eb4e23a8c66715cd4712815709ae081cd47ff2bd5d15

Download Submit
C:\Windows\System32\perfh00A.dat

Filesize
715KB

MD5
26d511837f258f9be66f93facb9d8996

SHA1
a56c0105eb5b974c89a1c6310f1e687de7d93a77

SHA256
227964570f5ed7c11922dcb348f83c09b6747a334601319bf5a0432c10567555

SHA512
1f9c333acd523c677a54af414d5f4e9af871cd7173316819287e6ef7f0101c2f3ae78e44fd53f0f4bfe5a18c00dee725dc7534f7d9ccaf88f3215f0eaf59417e

Download Submit
C:\Windows\System32\perfh00C.dat

Filesize
715KB

MD5
f0844e3de771b9db4473aadc7083dcb0

SHA1
152c2a0eda54f7614610659e34c428c1a8e484e9

SHA256
49a38617ac3d189e7045f52af786a3589c8aeeff199d12fb21d7e1e3d73b5e3c

SHA512
65c11eb4d858c8488011023efc605f5a5d7ae8f54ac0f938604e4292ec10d43b5be0d29c04e8f797534ba30216aa2a4355465a7f560c143ebc34767c5b5eb363

Download Submit
C:\Windows\System32\perfh010.dat

Filesize
710KB

MD5
872605134c98dd5287e46cd57fce2b64

SHA1
d531a5254f96720d7457a24afa9b473ea3b7ece7

SHA256
303a12529946f63830beaadd0b747d1de63263fd55a5571baa6e4d079f148794

SHA512
42397c8b8a96ae5b19cecaf6e1dc9bb9851a3e0a362696fe115e4eb060e9ef2a6af5993bf75f60af8335174fa39c3abd112ca2d054bc135423bfbbf12e8d717a

Download Submit
C:\Windows\System32\perfh011.dat

Filesize
394KB

MD5
b0c81f960949f2caa2673c5df761bdcd

SHA1
1f5183a25ceac718cb75b90da124c7f3bb8e5b13

SHA256
8f6ef6dd0abbdf8c83379b1e8c66fd5012077d28d9a620d440c77534ce5efc53

SHA512
6c685900c0339ebed90764fa052d1a4e59dc332c0a524ce6f36f92bf918bb9dcdcd38ddf2ed51f3e8baa89f824649086ec55df231504f9f51ed1f095160769ab

Download Submit
C:\Windows\System32\wbem\Performance\WmiApRpl.h

Filesize
435B

MD5
1cc4c3b9bb1657be77939f0b565e315d

SHA1
6a7ff123e96da6f7fb0fd9b7d7600bfc3540ee25

SHA256
9eb3cbb0f65809845890159efdab0ff5a910da34252e7d5cff2929cc2fa6ab6a

SHA512
fd461013902cf1f89485efc1cbdd07bc294253a1b60d9950e27cdb12937cbb39e3491ddb5dfdc4386df87fa44ee4ca9b3be01d7048850337ff9d68156eea78ef

Download Submit
C:\Windows\System32\wbem\Performance\WmiApRpl.ini

Filesize
1KB

MD5
a656a56b1fda4aa28383160ba6ebea3b

SHA1
bda09bb6f5f28f5470147113e93d46a02853dfe1

SHA256
639cf8acd1fe25a19b9841c9262b4227fcc33bb6658919d31b10ab849253b318

SHA512
fbc74c738bbebb6265688ebec7a6bce18f5a59e98a5417701e5565d5c6e1f8c350da000005fc7441f8a4622043d4a8fd62efe54308cfa59f4ce9ed027dadebae

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads