hxxps://cdn[.]discordapp[.]com/attachments/1274005039500759164/1274797090962276454/Fang3_cleaner[.]zip?ex=66c7834f&is=66c631cf&hm=1b46941147922895ab4de0dfd98edf591acd7e2c9e3a6b8166260bb633cf0540&

Analysis

max time kernel
138s
max time network
138s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
22/08/2024, 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1274005039500759164/1274797090962276454/Fang3_cleaner.zip?ex=66c7834f&is=66c631cf&hm=1b46941147922895ab4de0dfd98edf591acd7e2c9e3a6b8166260bb633cf0540&

Score

10^/10

discovery evasion execution persistence privilege_escalation

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Winmgmt\Parameters\ServiceDll = "%SystemRoot%\\system32\\wbem\\WMIsvc.dll"	regsvr32.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\system32\wbem\AutoRecover\3EDC3F5A95D3A0FDFE1F87C15DC9636A.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\62916368B186604385D957B0A8CEC3F3.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\548638A140FDBCA52E8EA08E0EFDE1CA.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\E791B721675D56F9DD66E426FB56DEB8.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\6454B8C701D344F88ED112DA2BD0A87F.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\A9325A7FC13EE1821F6BC28637472FC3.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\5966D45C7B25EACA46E87DD8E5703964.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\973858E80F1DA2CA957FCCD54F9B65F4.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\F7506F510340060282B31D6A7750C929.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\7C739D476FDEFBAC928B9AD5CEE4A6B7.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\948C4E38F6DA5FBC241D94FA908444EE.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\3C1D52E3151E3EAAE870572A3B6A6D24.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\0772EA28C9AD9F026AA9F29EE684B717.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\41F8BE5948DB160CB7A918100D72915C.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\DDB9F6CC9628611D4F4539B9CAACA5AE.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\35BB8CAA7877397A4B61EC9571EB8D58.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\76FC6ECE6E69615238BD782572B6AE9A.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\C2AF4D273114D73F0660A9DD206078D2.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\C81ACF420917AA0F87487BC4D958BEB4.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\7890220FCECCCA3482167AFF473F2493.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\3D2CC55A34636D12FF72BF3CBAE13CD9.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\06066348BFF8CEEA4301097591D6A0B8.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\1F5E3A0B57C1898883DE224FCB91EF0F.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\178965049DAE0FAAF44B19FC13A8C147.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\847605D736F712AA25257842E4A53844.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\repository	svchost.exe
File created	C:\Windows\system32\wbem\AutoRecover\15CB6E2BC4C7288B6A26F06F2EA3EBAA.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\33412234A69EE073A4BC9B5E2F9FA59B.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\8ADAAF15D4A282094E411FC0BE72DF3C.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\E503F571937BDCF23D3CF5B5CBB47A28.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\02B45F8F62E60609D8557ECDF39A3708.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\91395D1059F5308358AE60AB47264983.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\E88A6591060F99D8714E871B324FA2EE.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\9E7E2108FC801DEB5855A410A211B4F8.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\DB3146B20DA7C2E4A0823DDFDC608499.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\AD833C24E5E8DBB218C56DFA0A761E78.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\A2CBDFB661F34B80B1B31CE1200C83B6.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\AD1621C948A4E41C8ABE8FC09AC11633.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\EDBF963FB003D0670AA9C2219BD091FB.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\12233E25C50AF3A2E910EC7C056C6EDB.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\A6F38503266B1254723F72E5AFF53E72.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\0D83E339623BE6A214AD19AF5EF50600.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\906EDF714019C6BE9D25B11AD848349C.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\72E1322BF10D95160DE8B544BA2300CC.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\PerfStringBackup.INI	regsvr32.exe
File created	C:\Windows\system32\perfh009.dat	regsvr32.exe
File created	C:\Windows\system32\wbem\AutoRecover\AE5296CF914D052676DE90DA9DC88ADC.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\C2E802292DC93400E19D1C12F90D0AF6.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\00A4968F0A5D2E494C19A7B59E025F4E.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\04536482B8AF0C12F942D5B9D8D01CDB.mof	mofcomp.exe
File created	C:\Windows\system32\perfc00A.dat	regsvr32.exe
File created	C:\Windows\system32\wbem\AutoRecover\DC4C25A20FCAE65EF26A5804239C94A9.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\8A0347D028103ED07C233AAA65F9C49B.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\A0ED3B17D1242DB3FA0772C624B340AF.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\7291B3778FC5B202D807DDCFC6FF3AD5.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\9AF10F83B065FC41909808E762FD7897.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\50F8D9F4ABAFA5A52D4449671DFB1067.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\34D15B6208077592D0110AEA712E11E8.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\1294DF9252D50CEAB212BF12AB8BCED8.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\23A426DC9B9903E0050FD856481522BA.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\C1FD00FCFB1BDBFF564BD8E3F061E757.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\37F7300422C6371BDE2DA0516A8B4DB6.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\331C814C70D55824BA26E0394B9871B9.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\EC45C70F2A3D9DED718E71631C38E2FE.mof	mofcomp.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	regsvr32.exe
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	regsvr32.exe
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.h	regsvr32.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1384	sc.exe
512	sc.exe
2112	sc.exe
2016	sc.exe
2472	sc.exe
2852	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
512	sc.exe
2112	sc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 13 IoCs

evasion

pid	Process
2908	taskkill.exe
2280	taskkill.exe
4804	taskkill.exe
4632	taskkill.exe
3004	taskkill.exe
2412	taskkill.exe
3704	taskkill.exe
3420	taskkill.exe
1196	taskkill.exe
4308	taskkill.exe
420	taskkill.exe
196	taskkill.exe
1920	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133687705443207834"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3AE0080A-7E3A-4366-BF89-0FEEDC931659}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AB40A5C1-804B-40BD-9DFE-A640691C6956}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0C0B0642-1DEB-43DF-8032-7A9BF5811A74}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{ED999FF5-223A-4052-8ECE-0B10C8DBAA39}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemObjectPath\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemLastError.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1CFABA8C-1523-11D1-AD79-00C04FD8FDFF}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C19BE34-7500-11D1-AD94-00C04FD8FDFF}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C4819C8D-9AB8-4B2F-B8AE-C77DABF553D5}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1EF94880-01A8-11D2-A90B-00AA00BF3363}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{523A581F-EC58-40CE-99D3-36BF7897F3EC}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23B77E99-5C2D-482D-A795-62CA3AE5B673}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4950C79-806D-4ECE-9DB1-11B34D33F514}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4950C79-806D-4ECE-9DB1-11B34D33F514}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2B322B6E-A9DF-44E3-97BF-259E3583FDA4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5791BC26-CE9C-11D1-97BF-0000F81E849C}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WbemScripting.SWbemLastError	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6c19be35-7500-11d1-ad94-00c04fd8fdff}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EC231970-6AFD-4215-A72E-97242BB08680}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{55F7B88D-A254-4B22-B7BB-FCDBBA1AFA32}\TypeLib\ = "{0438D53A-9A57-423C-9E54-9612C4576257}"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D215781D-019E-4FA0-903D-0CDCDE13A4F5}\AccessPermission = 010004804800000054000000000000001400000002003400020000000100180001000000010200000000000520000000210200000000140001000000010100000000000512000000010100000000000512000000010100000000000512000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9AED384E-CE8B-11D1-8B05-00600806D9B6}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JobObjLimitInfoProv.JobObjLimitInfoProv\CurVer\ = "JobObjLimitInfoProv.JobObjLimitInfoProv.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JobObjSecLimitInfoProv.JobObjSecLimitInfoProv\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NCProv.NCProvider.1\ = "NCProvider Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED999FF5-223A-4052-8ECE-0B10C8DBAA39}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9AED384E-CE8B-11D1-8B05-00600806D9B6}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9AED384E-CE8B-11D1-8B05-00600806D9B6}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JobObjIOActgInfoProv.JobObjIOActgInfoProv\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C4819C8D-9AB8-4B2F-B8AE-C77DABF553D5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{4FA18276-912A-11D1-AD9B-00C04FD8FDFF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B1B55910-8BA0-47A5-A16E-2B733B1D987C}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AB40A5C1-804B-40BD-9DFE-A640691C6956}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JobObjSecLimitInfoProv.JobObjSecLimitInfoProv.1\ = "Win32_JobObjectSecLimitInfo Component"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F598975-37E0-4A67-A992-116680F0CEDA}\NotInsertable	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4950C79-806D-4ECE-9DB1-11B34D33F514}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7E9D3B9-E62B-4A90-8CC5-A3C5F662DA7B}\TypeLib\ = "{0438D53A-9A57-423C-9E54-9612C4576257}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{484E3ECE-1F81-4591-B9D4-943BA13B609D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\\{B0A2AB46-F612-4469-BEC4-7AB038BC476C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8BEBCE8B-1AF0-4323-8B4D-36994567CAE1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6C19BE35-7500-11D1-AD94-00C04FD8FDFF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D1C559D-84F0-4BB3-A7D5-56A7435A9BA6}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9AED384E-CE8B-11D1-8B05-00600806D9B6}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6963B029-B969-40AA-9180-2B2F84075973}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6963B029-B969-40AA-9180-2B2F84075973}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EB87E1BD-3233-11D2-AEC9-00C04FB68820}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7E9D3B9-E62B-4A90-8CC5-A3C5F662DA7B}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41AA40E6-2FBA-4E80-ADE9-34306567206D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\software\classes\CLSID\{C49E32C6-BC8B-11D2-85D4-00105A1F8304}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1B9E04A-3226-11D2-883E-00104B2AFB46}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266C72E5-62E8-11D1-AD89-00C04FD8FDFF}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FD450835-CF1B-4C87-9FD2-5E0D42FDE081}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{854D745C-6742-42C0-8BB9-01EC466B6E87}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2DB9FA90-9973-46CF-B310-9865B644699D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JobObjLimitInfoProv.JobObjLimitInfoProv.1\ = "Win32_JobObjectLimitInfo Component"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7A3A54B-0250-11D3-9CD1-00105A1F4801}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72967901-68EC-11D0-B729-00AA0062CBB7}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11CAA957-4E80-474E-A819-7FD72148ADA9}	regsvr32.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1104	chrome.exe
1104	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1104	chrome.exe
1104	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeDebugPrivilege	1196	taskkill.exe
Token: SeDebugPrivilege	2908	taskkill.exe
Token: SeDebugPrivilege	4308	taskkill.exe
Token: SeDebugPrivilege	420	taskkill.exe
Token: SeDebugPrivilege	2280	taskkill.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeDebugPrivilege	3004	taskkill.exe
Token: SeDebugPrivilege	2412	taskkill.exe
Token: SeDebugPrivilege	4632	taskkill.exe
Token: SeDebugPrivilege	3704	taskkill.exe
Token: SeDebugPrivilege	4804	taskkill.exe
Token: SeDebugPrivilege	196	taskkill.exe
Token: SeDebugPrivilege	1920	taskkill.exe
Token: SeDebugPrivilege	3420	taskkill.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe
Token: SeCreatePagefilePrivilege	1104	chrome.exe
Token: SeShutdownPrivilege	1104	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe
1104	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 2464	1104	chrome.exe	73
PID 1104 wrote to memory of 2464	1104	chrome.exe	73
PID 1104 wrote to memory of 1756	1104	chrome.exe	75
PID 1104 wrote to memory of 1756	1104	chrome.exe	75
PID 1104 wrote to memory of 1756	1104	chrome.exe	75
PID 1104 wrote to memory of 1756	1104	chrome.exe	75
PID 1104 wrote to memory of 1756	1104	chrome.exe	75
PID 1104 wrote to memory of 1756	1104	chrome.exe	75
PID 1104 wrote to memory of 1756	1104	chrome.exe	75
PID 1104 wrote to memory of 1756	1104	chrome.exe	75
PID 1104 wrote to memory of 1756	1104	chrome.exe	75
PID 1104 wrote to memory of 1756	1104	chrome.exe	75
PID 1104 wrote to memory of 1756	1104	chrome.exe	75
PID 1104 wrote to memory of 1756	1104	chrome.exe	75
PID 1104 wrote to memory of 1756	1104	chrome.exe	75
PID 1104 wrote to memory of 1756	1104	chrome.exe	75
PID 1104 wrote to memory of 1756	1104	chrome.exe	75
PID 1104 wrote to memory of 1756	1104	chrome.exe	75
PID 1104 wrote to memory of 1756	1104	chrome.exe	75
PID 1104 wrote to memory of 1756	1104	chrome.exe	75
PID 1104 wrote to memory of 1756	1104	chrome.exe	75
PID 1104 wrote to memory of 1756	1104	chrome.exe	75
PID 1104 wrote to memory of 1756	1104	chrome.exe	75
PID 1104 wrote to memory of 1756	1104	chrome.exe	75
PID 1104 wrote to memory of 1756	1104	chrome.exe	75
PID 1104 wrote to memory of 1756	1104	chrome.exe	75
PID 1104 wrote to memory of 1756	1104	chrome.exe	75
PID 1104 wrote to memory of 1756	1104	chrome.exe	75
PID 1104 wrote to memory of 1756	1104	chrome.exe	75
PID 1104 wrote to memory of 1756	1104	chrome.exe	75
PID 1104 wrote to memory of 1756	1104	chrome.exe	75
PID 1104 wrote to memory of 1756	1104	chrome.exe	75
PID 1104 wrote to memory of 1756	1104	chrome.exe	75
PID 1104 wrote to memory of 1756	1104	chrome.exe	75
PID 1104 wrote to memory of 1756	1104	chrome.exe	75
PID 1104 wrote to memory of 1756	1104	chrome.exe	75
PID 1104 wrote to memory of 1756	1104	chrome.exe	75
PID 1104 wrote to memory of 1756	1104	chrome.exe	75
PID 1104 wrote to memory of 1756	1104	chrome.exe	75
PID 1104 wrote to memory of 1756	1104	chrome.exe	75
PID 1104 wrote to memory of 3372	1104	chrome.exe	76
PID 1104 wrote to memory of 3372	1104	chrome.exe	76
PID 1104 wrote to memory of 4548	1104	chrome.exe	77
PID 1104 wrote to memory of 4548	1104	chrome.exe	77
PID 1104 wrote to memory of 4548	1104	chrome.exe	77
PID 1104 wrote to memory of 4548	1104	chrome.exe	77
PID 1104 wrote to memory of 4548	1104	chrome.exe	77
PID 1104 wrote to memory of 4548	1104	chrome.exe	77
PID 1104 wrote to memory of 4548	1104	chrome.exe	77
PID 1104 wrote to memory of 4548	1104	chrome.exe	77
PID 1104 wrote to memory of 4548	1104	chrome.exe	77
PID 1104 wrote to memory of 4548	1104	chrome.exe	77
PID 1104 wrote to memory of 4548	1104	chrome.exe	77
PID 1104 wrote to memory of 4548	1104	chrome.exe	77
PID 1104 wrote to memory of 4548	1104	chrome.exe	77
PID 1104 wrote to memory of 4548	1104	chrome.exe	77
PID 1104 wrote to memory of 4548	1104	chrome.exe	77
PID 1104 wrote to memory of 4548	1104	chrome.exe	77
PID 1104 wrote to memory of 4548	1104	chrome.exe	77
PID 1104 wrote to memory of 4548	1104	chrome.exe	77
PID 1104 wrote to memory of 4548	1104	chrome.exe	77
PID 1104 wrote to memory of 4548	1104	chrome.exe	77
PID 1104 wrote to memory of 4548	1104	chrome.exe	77
PID 1104 wrote to memory of 4548	1104	chrome.exe	77

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1274005039500759164/1274797090962276454/Fang3_cleaner.zip?ex=66c7834f&is=66c631cf&hm=1b46941147922895ab4de0dfd98edf591acd7e2c9e3a6b8166260bb633cf0540&
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffaa49a9758,0x7ffaa49a9768,0x7ffaa49a9778
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1592 --field-trial-handle=1848,i,8680365713574273544,5797469663046561227,131072 /prefetch:2
  2⤵
  PID:1756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1820 --field-trial-handle=1848,i,8680365713574273544,5797469663046561227,131072 /prefetch:8
  2⤵
  PID:3372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2096 --field-trial-handle=1848,i,8680365713574273544,5797469663046561227,131072 /prefetch:8
  2⤵
  PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2824 --field-trial-handle=1848,i,8680365713574273544,5797469663046561227,131072 /prefetch:1
  2⤵
  PID:2624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2832 --field-trial-handle=1848,i,8680365713574273544,5797469663046561227,131072 /prefetch:1
  2⤵
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 --field-trial-handle=1848,i,8680365713574273544,5797469663046561227,131072 /prefetch:8
  2⤵
  PID:932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 --field-trial-handle=1848,i,8680365713574273544,5797469663046561227,131072 /prefetch:8
  2⤵
  PID:304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 --field-trial-handle=1848,i,8680365713574273544,5797469663046561227,131072 /prefetch:8
  2⤵
  PID:2784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4556 --field-trial-handle=1848,i,8680365713574273544,5797469663046561227,131072 /prefetch:2
  2⤵
  PID:2796

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1256

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:168

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Fang3-cleaner.bat"
1⤵
PID:2644
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:1312
- C:\Windows\system32\taskkill.exe
  taskkill /f /im epicgameslauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1196
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2908
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4308
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:420
- C:\Windows\system32\taskkill.exe
  taskkill /f /im OneDrive.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2280
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EpicGamesLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\Windows\system32\taskkill.exe
  taskkill /f /im UnrealCEFSubProcess.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4632
- C:\Windows\system32\taskkill.exe
  taskkill /f /im CEFProcess.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3704
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EasyAntiCheat.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4804
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEService.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:196
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEServices.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BattleEye.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3420
- C:\Windows\system32\sc.exe
  Sc stop EasyAntiCheat
  2⤵
  - Launches sc.exe
  PID:1384
- C:\Windows\system32\sc.exe
  Sc stop FortniteClient-Win64-Shipping_EAC
  2⤵
  - Launches sc.exe
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:512
- C:\Windows\system32\sc.exe
  Sc stop BattleEye
  2⤵
  - Launches sc.exe
  PID:2016
- C:\Windows\system32\sc.exe
  Sc stop FortniteClient-Win64-Shipping_BE
  2⤵
  - Launches sc.exe
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2112
- C:\Windows\system32\sc.exe
  sc config winmgmt start= disabled
  2⤵
  - Launches sc.exe
  PID:2472
- C:\Windows\system32\net.exe
  net stop winmgmt /y
  2⤵
  PID:4232
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop winmgmt /y
    3⤵
    PID:3532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b *.dll
  2⤵
  PID:4772
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s appbackgroundtask.dll
  2⤵
  PID:2240
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s cimwin32.dll
  2⤵
  PID:3716
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s DMWmiBridgeProv.dll
  2⤵
  PID:220
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s DMWmiBridgeProv1.dll
  2⤵
  PID:1208
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s dnsclientcim.dll
  2⤵
  PID:828
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s dnsclientpsprovider.dll
  2⤵
  PID:1836
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s Dscpspluginwkr.dll
  2⤵
  PID:2476
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s dsprov.dll
  2⤵
  - Modifies registry class
  PID:1632
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s EmbeddedLockdownWmi.dll
  2⤵
  PID:1996
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s esscli.dll
  2⤵
  - Modifies registry class
  PID:1644
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s EventTracingManagement.dll
  2⤵
  PID:1568
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s fastprox.dll
  2⤵
  - Modifies registry class
  PID:200
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s ipmiprr.dll
  2⤵
  PID:4856
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s ipmiprv.dll
  2⤵
  PID:4884
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s KrnlProv.dll
  2⤵
  PID:2052
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s MDMAppProv.dll
  2⤵
  PID:2056
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s MDMSettingsProv.dll
  2⤵
  PID:4800
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s Microsoft.AppV.AppVClientWmi.dll
  2⤵
  PID:1312
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s Microsoft.Uev.AgentWmi.dll
  2⤵
  - Modifies registry class
  PID:816
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s MMFUtil.dll
  2⤵
  PID:4148
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s mofd.dll
  2⤵
  - Modifies registry class
  PID:2908
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s mofinstall.dll
  2⤵
  PID:4620
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s msdtcwmi.dll
  2⤵
  PID:4308
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s msiprov.dll
  2⤵
  PID:1660
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s NCProv.dll
  2⤵
  - Modifies registry class
  PID:2752
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s ndisimplatcim.dll
  2⤵
  PID:2748
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s NetAdapterCim.dll
  2⤵
  PID:2336
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s netdacim.dll
  2⤵
  PID:3312
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s NetEventPacketCapture.dll
  2⤵
  PID:4768
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s netnccim.dll
  2⤵
  PID:2412
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s NetPeerDistCim.dll
  2⤵
  PID:4604
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s netswitchteamcim.dll
  2⤵
  PID:1904
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s NetTCPIP.dll
  2⤵
  PID:4100
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s netttcim.dll
  2⤵
  PID:1216
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s nlmcim.dll
  2⤵
  PID:4804
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s ntevt.dll
  2⤵
  PID:4160
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s PolicMan.dll
  2⤵
  PID:4812
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s PrintManagementProvider.dll
  2⤵
  PID:4184
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s qoswmi.dll
  2⤵
  PID:1256
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s RacWmiProv.dll
  2⤵
  PID:5028
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s repdrvfs.dll
  2⤵
  PID:2112
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s schedprov.dll
  2⤵
  PID:3536
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s ServDeps.dll
  2⤵
  - Modifies registry class
  PID:396
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s SMTPCons.dll
  2⤵
  - Modifies registry class
  PID:2832
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s stdprov.dll
  2⤵
  - Modifies registry class
  PID:1276
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s vdswmi.dll
  2⤵
  PID:4820
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s viewprov.dll
  2⤵
  PID:2880
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s vpnclientpsprovider.dll
  2⤵
  PID:1348
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s vsswmi.dll
  2⤵
  PID:2724
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemcntl.dll
  2⤵
  PID:992
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemcons.dll
  2⤵
  - Modifies registry class
  PID:5048
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemcore.dll
  2⤵
  - Modifies registry class
  PID:2340
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemdisp.dll
  2⤵
  - Modifies registry class
  PID:4772
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemess.dll
  2⤵
  PID:2240
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemprox.dll
  2⤵
  PID:216
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wbemsvc.dll
  2⤵
  - Modifies registry class
  PID:2436
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WdacWmiProv.dll
  2⤵
  PID:3212
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WEMSAL_WmiProvider.dll
  2⤵
  PID:3208
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wfascim.dll
  2⤵
  PID:3892
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s Win32_EncryptableVolume.dll
  2⤵
  PID:4248
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s Win32_Tpm.dll
  2⤵
  PID:312
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WinMgmtR.dll
  2⤵
  PID:4480
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WmiApRes.dll
  2⤵
  PID:2108
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WmiApRpl.dll
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:1640
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WMICOOKR.dll
  2⤵
  - Modifies registry class
  PID:3312
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WmiDcPrv.dll
  2⤵
  PID:4376
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wmipcima.dll
  2⤵
  PID:4768
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wmipdfs.dll
  2⤵
  PID:2372
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wmipdskq.dll
  2⤵
  PID:4604
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WmiPerfClass.dll
  2⤵
  PID:4100
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WmiPerfInst.dll
  2⤵
  PID:4664
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WMIPICMP.dll
  2⤵
  PID:604
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WMIPIPRT.dll
  2⤵
  - Modifies registry class
  PID:1428
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WMIPJOBJ.dll
  2⤵
  - Modifies registry class
  PID:3444
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wmiprov.dll
  2⤵
  PID:64
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WmiPrvSD.dll
  2⤵
  - Modifies registry class
  PID:3560
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WMIPSESS.dll
  2⤵
  PID:884
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WMIsvc.dll
  2⤵
  - Server Software Component: Terminal Services DLL
  - Modifies registry class
  PID:3812
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wmitimep.dll
  2⤵
  - Modifies registry class
  PID:4040
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s wmiutils.dll
  2⤵
  - Modifies registry class
  PID:4292
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s WUAProvider.dll
  2⤵
  PID:2784
- C:\Windows\System32\wbem\WmiPrvSE.exe
  wmiprvse /regserver
  2⤵
  PID:4748
- C:\Windows\System32\wbem\WinMgmt.exe
  winmgmt /regserver
  2⤵
  PID:1308
- C:\Windows\system32\sc.exe
  sc config winmgmt start= auto
  2⤵
  - Launches sc.exe
  PID:2852
- C:\Windows\system32\net.exe
  net start winmgmt
  2⤵
  PID:4924
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start winmgmt
    3⤵
    PID:4896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /s /b *.mof *.mfl
  2⤵
  PID:3068
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\aeinv.mof
  2⤵
  PID:992
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AgentWmi.mof
  2⤵
  PID:2476
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AgentWmiUninstall.mof
  2⤵
  PID:1644
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\appbackgroundtask.mof
  2⤵
  PID:352
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\appbackgroundtask_uninstall.mof
  2⤵
  PID:2872
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AuditRsop.mof
  2⤵
  - Drops file in System32 directory
  PID:4080
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\authfwcfg.mof
  2⤵
  PID:2052
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\bcd.mof
  2⤵
  PID:2336
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\BthMtpEnum.mof
  2⤵
  PID:3312
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\cimdmtf.mof
  2⤵
  PID:1316
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\cimwin32.mof
  2⤵
  PID:1856
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\CIWmi.mof
  2⤵
  PID:3444
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\classlog.mof
  2⤵
  PID:884
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\cli.mof
  2⤵
  PID:3148
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\cliegaliases.mof
  2⤵
  PID:4820
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ddp.mof
  2⤵
  - Drops file in System32 directory
  PID:2100
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\dimsjob.mof
  2⤵
  PID:360
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\dimsroam.mof
  2⤵
  PID:1632
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv.mof
  2⤵
  PID:192
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv1.mof
  2⤵
  PID:5100
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv1_Uninstall.mof
  2⤵
  PID:368
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\DMWmiBridgeProv_Uninstall.mof
  2⤵
  PID:4224
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\dnsclientcim.mof
  2⤵
  PID:4484
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\dnsclientpsprovider.mof
  2⤵
  PID:1660
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\dnsclientpsprovider_Uninstall.mof
  2⤵
  PID:2408
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\drvinst.mof
  2⤵
  PID:2888
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\DscCore.mof
  2⤵
  - Drops file in System32 directory
  PID:1220
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\DscCoreConfProv.mof
  2⤵
  PID:724
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\dscproxy.mof
  2⤵
  PID:1656
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\DscTimer.mof
  2⤵
  PID:4464
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\dsprov.mof
  2⤵
  - Drops file in System32 directory
  PID:2184
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\eaimeapi.mof
  2⤵
  PID:3272
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\embeddedlockdownwmi.mof
  2⤵
  PID:5076
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\embeddedlockdownwmi_Uninstall.mof
  2⤵
  PID:2292
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\EventTracingManagement.mof
  2⤵
  PID:3532
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fdPHost.mof
  2⤵
  PID:4880
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fdrespub.mof
  2⤵
  PID:4480
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fdSSDP.mof
  2⤵
  PID:2848
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fdWNet.mof
  2⤵
  PID:1304
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fdWSD.mof
  2⤵
  PID:4456
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\filetrace.mof
  2⤵
  PID:368
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\firewallapi.mof
  2⤵
  PID:4224
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\FolderRedirectionWMIProvider.mof
  2⤵
  PID:1800
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\FunDisc.mof
  2⤵
  PID:4864
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\fwcfg.mof
  2⤵
  PID:4632
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\hbaapi.mof
  2⤵
  PID:2316
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\hnetcfg.mof
  2⤵
  PID:1000
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\IMAPIv2-Base.mof
  2⤵
  PID:4184
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\IMAPIv2-FileSystemSupport.mof
  2⤵
  PID:2112
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\IMAPIv2-LegacyShim.mof
  2⤵
  PID:3148
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\interop.mof
  2⤵
  PID:4504
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\IpmiDTrc.mof
  2⤵
  PID:2632
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ipmiprv.mof
  2⤵
  PID:4560
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\IpmiPTrc.mof
  2⤵
  PID:2100
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ipsecsvc.mof
  2⤵
  PID:992
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\irda.mof
  2⤵
  PID:3512
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\irmon.mof
  2⤵
  PID:4480
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\iscsidsc.mof
  2⤵
  PID:2848
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\iscsihba.mof
  2⤵
  PID:2872
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\iscsiprf.mof
  2⤵
  PID:4620
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\iscsirem.mof
  2⤵
  PID:4152
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\iscsiwmiv2.mof
  2⤵
  PID:4708
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\iscsiwmiv2_uninstall.mof
  2⤵
  PID:4768
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\kerberos.mof
  2⤵
  PID:1216
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\krnlprov.mof
  2⤵
  PID:1220
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\L2SecHC.mof
  2⤵
  PID:4500
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\lltdio.mof
  2⤵
  PID:932
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\lltdsvc.mof
  2⤵
  PID:604
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\lsasrv.mof
  2⤵
  PID:1920
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mblctr.mof
  2⤵
  PID:3380
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\MDMAppProv.mof
  2⤵
  PID:2488
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\MDMAppProv_Uninstall.mof
  2⤵
  PID:4296
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\MDMSettingsProv.mof
  2⤵
  PID:3056
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\MDMSettingsProv_Uninstall.mof
  2⤵
  PID:4820
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Microsoft-Windows-OfflineFiles.mof
  2⤵
  PID:3068
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Microsoft-Windows-Remote-FileSystem.mof
  2⤵
  PID:4236
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi.mof
  2⤵
  PID:3208
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Microsoft.Uev.ManagedAgentWmi.mof
  2⤵
  PID:1304
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Microsoft.Uev.ManagedAgentWmiUninstall.mof
  2⤵
  PID:2484
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mispace.mof
  2⤵
  PID:4784
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mispace_uninstall.mof
  2⤵
  PID:4620
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mmc.mof
  2⤵
  PID:4152
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mountmgr.mof
  2⤵
  PID:420
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mpeval.mof
  2⤵
  PID:4768
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mpsdrv.mof
  2⤵
  PID:2372
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mpssvc.mof
  2⤵
  PID:3560
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\MsDtcWmi.mof
  2⤵
  PID:3564
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\msfeeds.mof
  2⤵
  PID:760
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\msfeedsbs.mof
  2⤵
  PID:4160
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\msi.mof
  2⤵
  PID:2016
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\msiscsi.mof
  2⤵
  PID:3060
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\MsNetImPlatform.mof
  2⤵
  PID:2004
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mstsc.mof
  2⤵
  PID:708
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mstscax.mof
  2⤵
  PID:2632
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\msv1_0.mof
  2⤵
  PID:4560
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\mswmdm.mof
  2⤵
  PID:4248
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ncprov.mof
  2⤵
  - Drops file in System32 directory
  PID:992
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ncsi.mof
  2⤵
  PID:312
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ndistrace.mof
  2⤵
  - Drops file in System32 directory
  PID:3660
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetAdapterCim.mof
  2⤵
  PID:2284
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetAdapterCimTrace.mof
  2⤵
  PID:2928
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetAdapterCimTraceUninstall.mof
  2⤵
  PID:4784
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetAdapterCim_uninstall.mof
  2⤵
  PID:4620
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\netdacim.mof
  2⤵
  PID:4152
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\netdacim_uninstall.mof
  2⤵
  PID:2496
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetEventPacketCapture.mof
  2⤵
  PID:4768
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetEventPacketCapture_uninstall.mof
  2⤵
  PID:1044
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\netnccim.mof
  2⤵
  PID:3420
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\netnccim_uninstall.mof
  2⤵
  PID:3536
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetPeerDistCim.mof
  2⤵
  PID:4292
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetPeerDistCim_uninstall.mof
  2⤵
  PID:3000
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\netprofm.mof
  2⤵
  PID:600
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetSwitchTeam.mof
  2⤵
  PID:1628
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetTCPIP.mof
  2⤵
  PID:4896
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\NetTCPIP_Uninstall.mof
  2⤵
  PID:2340
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\netttcim.mof
  2⤵
  PID:2632
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\netttcim_uninstall.mof
  2⤵
  PID:4560
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\networkitemfactory.mof
  2⤵
  PID:4248
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\newdev.mof
  2⤵
  PID:1568
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\nlasvc.mof
  2⤵
  PID:312
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\nlmcim.mof
  2⤵
  PID:3748
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\nlmcim_uninstall.mof
  2⤵
  PID:4800
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\nlsvc.mof
  2⤵
  PID:3488
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\npivwmi.mof
  2⤵
  PID:3216
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\nshipsec.mof
  2⤵
  PID:4784
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ntevt.mof
  2⤵
  PID:4620
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ntfs.mof
  2⤵
  PID:1660
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\OfflineFilesConfigurationWmiProvider.mof
  2⤵
  PID:2496
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\OfflineFilesConfigurationWmiProvider_Uninstall.mof
  2⤵
  PID:4768
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\OfflineFilesWmiProvider.mof
  2⤵
  PID:1044
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\OfflineFilesWmiProvider_Uninstall.mof
  2⤵
  PID:3420
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\p2p-mesh.mof
  2⤵
  PID:4464
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\p2p-pnrp.mof
  2⤵
  PID:4292
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\partmgr.mof
  2⤵
  PID:3000
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\pcsvDevice.mof
  2⤵
  PID:1144
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\pcsvDevice_Uninstall.mof
  2⤵
  PID:2292
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\PNPXAssoc.mof
  2⤵
  PID:4276
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\PolicMan.mof
  2⤵
  PID:3532
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\polproc.mof
  2⤵
  PID:4820
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\polprocl.mof
  2⤵
  PID:1632
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\polprou.mof
  2⤵
  PID:2848
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\polstore.mof
  2⤵
  PID:500
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\portabledeviceapi.mof
  2⤵
  PID:3660
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\portabledeviceclassextension.mof
  2⤵
  PID:4304
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\portabledeviceconnectapi.mof
  2⤵
  PID:3300
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\portabledevicetypes.mof
  2⤵
  PID:3488
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\portabledevicewiacompat.mof
  2⤵
  PID:4372
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\powermeterprovider.mof
  2⤵
  PID:4484
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\PowerWmiProvider.mof
  2⤵
  PID:4864
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\PowerWmiProvider_Uninstall.mof
  2⤵
  PID:1216
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ppcRsopCompSchema.mof
  2⤵
  PID:2720
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ppcRsopUserSchema.mof
  2⤵
  PID:1556
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\PrintFilterPipelineSvc.mof
  2⤵
  PID:4768
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\PrintManagementProvider.mof
  2⤵
  PID:4204
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\profileassociationprovider.mof
  2⤵
  PID:604
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\PS_MMAgent.mof
  2⤵
  PID:4160
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\qmgr.mof
  2⤵
  PID:4292
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\qoswmi.mof
  2⤵
  PID:3380
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\qoswmitrc.mof
  2⤵
  PID:4264
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\qoswmitrc_uninstall.mof
  2⤵
  PID:640
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\qoswmi_uninstall.mof
  2⤵
  PID:2500
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\RacWmiProv.mof
  2⤵
  PID:1996
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\rdpcore.mof
  2⤵
  PID:4236
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\rdpencom.mof
  2⤵
  PID:1924
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\rdpendp.mof
  2⤵
  - Drops file in System32 directory
  PID:4528
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\rdpinit.mof
  2⤵
  PID:4884
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\rdpshell.mof
  2⤵
  PID:1952
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\refs.mof
  2⤵
  PID:1564
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\refsv1.mof
  2⤵
  PID:3096
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\regevent.mof
  2⤵
  PID:4372
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Remove.Microsoft.AppV.AppvClientWmi.mof
  2⤵
  PID:4784
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\rsop.mof
  2⤵
  PID:4864
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\rspndr.mof
  2⤵
  PID:2496
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\samsrv.mof
  2⤵
  PID:3576
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\scersop.mof
  2⤵
  PID:4772
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\schannel.mof
  2⤵
  PID:4768
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\SchedProv.mof
  2⤵
  PID:2472
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\scm.mof
  2⤵
  PID:4748
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\scrcons.mof
  2⤵
  PID:4780
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\sdbus.mof
  2⤵
  PID:2880
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\secrcw32.mof
  2⤵
  PID:4232
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\SensorsClassExtension.mof
  2⤵
  PID:4468
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ServiceModel.mof
  2⤵
  PID:2100
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\ServiceModel35.mof
  2⤵
  PID:304
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\services.mof
  2⤵
  PID:3512
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\setupapi.mof
  2⤵
  PID:888
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\SmbWitnessWmiv2Provider.mof
  2⤵
  PID:5092
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\smbwmiv2.mof
  2⤵
  PID:4628
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\smtpcons.mof
  2⤵
  PID:4304
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\sppwmi.mof
  2⤵
  - Drops file in System32 directory
  PID:1816
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\sr.mof
  2⤵
  PID:1640
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\sstpsvc.mof
  2⤵
  PID:2732
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\storagewmi.mof
  2⤵
  PID:4484
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\storagewmi_passthru.mof
  2⤵
  - Drops file in System32 directory
  PID:4864
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\storagewmi_passthru_uninstall.mof
  2⤵
  PID:3688
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\storagewmi_uninstall.mof
  2⤵
  PID:3812
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\stortrace.mof
  2⤵
  PID:4040
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\subscrpt.mof
  2⤵
  PID:3624
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\system.mof
  2⤵
  PID:2184
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\tcpip.mof
  2⤵
  PID:2488
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\tsallow.mof
  2⤵
  PID:3148
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\tscfgwmi.mof
  2⤵
  PID:4032
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\tsmf.mof
  2⤵
  PID:1836
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\tspkg.mof
  2⤵
  PID:2500
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\umb.mof
  2⤵
  PID:2100
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\umbus.mof
  2⤵
  PID:4248
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\umpass.mof
  2⤵
  PID:816
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\umpnpmgr.mof
  2⤵
  PID:3208
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\UserProfileConfigurationWmiProvider.mof
  2⤵
  PID:4332
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\UserProfileWmiProvider.mof
  2⤵
  - Drops file in System32 directory
  PID:1988
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\UserStateWMIProvider.mof
  2⤵
  PID:4496
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\vds.mof
  2⤵
  PID:1564
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\vpnclientpsprovider.mof
  2⤵
  PID:968
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\vpnclientpsprovider_Uninstall.mof
  2⤵
  PID:516
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\vss.mof
  2⤵
  PID:1856
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WBEMCons.mof
  2⤵
  PID:2412
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wcncsvc.mof
  2⤵
  PID:2456
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WdacEtwProv.mof
  2⤵
  PID:3444
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WdacWmiProv.mof
  2⤵
  PID:4812
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WdacWmiProv_Uninstall.mof
  2⤵
  PID:396
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Wdf01000.mof
  2⤵
  PID:4748
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Wdf01000Uninstall.mof
  2⤵
  PID:316
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wdigest.mof
  2⤵
  PID:3000
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WEMSAL_WmiProvider.mof
  2⤵
  PID:4612
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WEMSAL_WmiProvider_uninstall.mof
  2⤵
  PID:4276
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WFAPIGP.mof
  2⤵
  PID:4880
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wfascim.mof
  2⤵
  PID:3860
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wfascim_uninstall.mof
  2⤵
  PID:2120
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WFP.MOF
  2⤵
  PID:200
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wfs.mof
  2⤵
  PID:3552
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WgxInstalledGame.mof
  2⤵
  PID:1036
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\whqlprov.mof
  2⤵
  PID:1952
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Win32_DeviceGuard.mof
  2⤵
  PID:3488
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\win32_encryptablevolume.mof
  2⤵
  PID:4620
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Win32_EncryptableVolumeUninstall.mof
  2⤵
  PID:420
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\win32_printer.mof
  2⤵
  - Drops file in System32 directory
  PID:4664
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Win32_Tpm.mof
  2⤵
  PID:4804
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wininit.mof
  2⤵
  PID:3564
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\winipsec.mof
  2⤵
  PID:2436
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\winlogon.mof
  2⤵
  PID:1044
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Winsat.mof
  2⤵
  PID:3444
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WinsatUninstall.mof
  2⤵
  PID:4184
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wlan.mof
  2⤵
  PID:1920
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WLanHC.mof
  2⤵
  PID:4160
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmi.mof
  2⤵
  PID:3380
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipcima.mof
  2⤵
  PID:2460
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipdfs.mof
  2⤵
  PID:2632
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipdskq.mof
  2⤵
  PID:1312
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WmiPerfClass.mof
  2⤵
  PID:992
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WmiPerfInst.mof
  2⤵
  PID:816
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipicmp.mof
  2⤵
  PID:3208
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipiprt.mof
  2⤵
  PID:4332
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipjobj.mof
  2⤵
  PID:1952
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmipsess.mof
  2⤵
  PID:3488
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmitimep.mof
  2⤵
  - Drops file in System32 directory
  PID:4620
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WMI_Tracing.mof
  2⤵
  PID:420
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmp.mof
  2⤵
  PID:4664
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wmpnetwk.mof
  2⤵
  PID:1216
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpdbusenum.mof
  2⤵
  PID:3564
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpdcomp.mof
  2⤵
  PID:2436
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpdfs.mof
  2⤵
  PID:1044
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpdmtp.mof
  2⤵
  PID:3444
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpdshext.mof
  2⤵
  PID:4184
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WPDShServiceObj.mof
  2⤵
  PID:1920
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpdsp.mof
  2⤵
  PID:1628
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wpd_ci.mof
  2⤵
  PID:3000
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wscenter.mof
  2⤵
  PID:4756
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WsmAgent.mof
  2⤵
  PID:2916
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WsmAgentUninstall.mof
  2⤵
  PID:4624
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WsmAuto.mof
  2⤵
  PID:3860
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wsp_fs.mof
  2⤵
  PID:1312
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wsp_fs_uninstall.mof
  2⤵
  PID:992
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wsp_health.mof
  2⤵
  PID:888
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wsp_health_uninstall.mof
  2⤵
  PID:1516
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wsp_sr.mof
  2⤵
  PID:4300
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\wsp_sr_uninstall.mof
  2⤵
  PID:688
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WUAProvider.mof
  2⤵
  PID:2960
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WUDFx.mof
  2⤵
  PID:2084
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Wudfx02000.mof
  2⤵
  PID:1984
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\Wudfx02000Uninstall.mof
  2⤵
  PID:2492
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\WUDFxUninstall.mof
  2⤵
  PID:1428
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\xwizards.mof
  2⤵
  PID:3564
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\000CA9FCCEA7C766DFE3B6493B9A908F.mof
  2⤵
  PID:1196
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\00195CB61C2A32BDFC7FBC36952E250C.mof
  2⤵
  PID:3420
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\016A4FDC29C2CD1C06090D04CC752B4D.mof
  2⤵
  PID:2016
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\01B65BA66800FEA5CE7F4892966D7559.mof
  2⤵
  PID:2112
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\01D083B8F092E9FEF6D9C55A64A75334.mof
  2⤵
  PID:1100
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\01EA423F27498C64D3F6C297AE2BD8F2.mof
  2⤵
  PID:2104
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\020FD1D34279A20EBB3742D63B9E359A.mof
  2⤵
  - Drops file in System32 directory
  PID:3212
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0232BC928C9666E5DB91EC0848F13E18.mof
  2⤵
  PID:3892
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0309255AB46E3D6CAE2056340225DDA9.mof
  2⤵
  PID:3532
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\033B1D9B4216B475E81B22B7067A7D1D.mof
  2⤵
  PID:1644
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0357610A8F431F78C35A3F00FF8E7E13.mof
  2⤵
  PID:192
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\038145628EF306DCD8FD7686C52BD131.mof
  2⤵
  PID:3268
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\03E20F6C54427A7C0DDEE97EC0898FAB.mof
  2⤵
  - Drops file in System32 directory
  PID:4456
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\042E30CED0EE9B02641D0960BD5D6854.mof
  2⤵
  PID:2284
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0471EE6D56711CCAFEBCF01C57F9159A.mof
  2⤵
  PID:3428
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\04920A1D7F20A747256FB48CA8A0147B.mof
  2⤵
  PID:4800
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\04B1FC5EA475F43F0CF8815E33B5913C.mof
  2⤵
  PID:1816
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\04D5961EC17DF68D8407B772F9C7DF98.mof
  2⤵
  PID:3008
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\050F60C5DEC201482BC14E317519A6F6.mof
  2⤵
  PID:168
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\057069C8BCE64220B28DD683690F6879.mof
  2⤵
  PID:2720
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0583E7E08D1877A324A2553D19A795EA.mof
  2⤵
  PID:220
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\069B498336DCA76D929AAAF5631ED0A5.mof
  2⤵
  PID:4320
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\06A22D2701E90D7DDCF8AAC0522F2449.mof
  2⤵
  PID:4040
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\06DAE99BF3D429EE4946D4BF8BFF8C96.mof
  2⤵
  PID:4680
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\06DEE93B2013BBE13958B3FA0D45AEB5.mof
  2⤵
  PID:4580
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0736061F644ECE849A494F2EDE2008CE.mof
  2⤵
  PID:600
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\07DEBAF9D5370A67C14542F22A004AAA.mof
  2⤵
  PID:1100
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\086D10A6F37ED2F988C9A8EDEF53B707.mof
  2⤵
  PID:3380
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\08BF1AF6E61B8456B1D5B42769C3412C.mof
  2⤵
  PID:2460
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\08D51E934D3BA7EB8F60B6E90B6F1511.mof
  2⤵
  PID:4900
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\08F894CB142235B53617974B1893CC74.mof
  2⤵
  PID:3860
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\09329A919E0B1FEB9E13BE1D4E8C71B0.mof
  2⤵
  PID:352
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0955A3255BE8F939592AA33CBFED6637.mof
  2⤵
  PID:5100
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\095DDA6145E278EC67897251831FDD47.mof
  2⤵
  PID:4148
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\097C63F5D2B8C4182BEB625A8287192D.mof
  2⤵
  PID:5092
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\09A251213F70FF824ABB31AACEEAC17F.mof
  2⤵
  PID:3748
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0A2DA7EA3492D7ECD2C313A8B7490FC1.mof
  2⤵
  PID:4856
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0A49A422B8A92BD87756E892C1BAEC38.mof
  2⤵
  PID:4496
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0A76D835FEE42A0F9B07455539850A30.mof
  2⤵
  PID:2408
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0A7CF62821E141ADACC0C287DDD01839.mof
  2⤵
  PID:3008
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0B21EB6E1A9BA82714E2C9FCB1DD6E8A.mof
  2⤵
  PID:420
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0B410C5019E5BB240FE3D9209B3CEAF2.mof
  2⤵
  PID:3576
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0B7747DAC81B5CDD2893AAE2E4BBE034.mof
  2⤵
  PID:1428
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0BE369FFE21F5817AE0847874550D36B.mof
  2⤵
  PID:5028
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0C0B602529B4AB335EE2B6BDD125ADB2.mof
  2⤵
  PID:3536
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0C69CCBA85788C332EEDF80F771C31BA.mof
  2⤵
  PID:3404
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0C840E79E220554456F582031714D456.mof
  2⤵
  - Drops file in System32 directory
  PID:4252
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0CB6D8EA6179D949B588A4D328F2A1D5.mof
  2⤵
  PID:4292
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0CBD6BDA858114EC196F6B41C2CFD3BF.mof
  2⤵
  PID:4276
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0CCAA8293392639FBA830DD578DB2C02.mof
  2⤵
  PID:708
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0D169F54EB7176F6BF264A5F8562C98B.mof
  2⤵
  PID:640
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0DA95863FE4B25CC2D43F0020902CB31.mof
  2⤵
  PID:304
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0DAE6401EA75135DC71C2BF2727AE47F.mof
  2⤵
  PID:312
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0DC0A697FFCC592B72AABF89E4FD9156.mof
  2⤵
  PID:1304
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0E68BDAB79C00E0C496F8772703BB3AB.mof
  2⤵
  PID:2052
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0EA772F1A1EDFC2AEE10CC4E22899FA7.mof
  2⤵
  PID:1988
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0EACEE5F78D8DC364E3C886DBB50601B.mof
  2⤵
  PID:4456
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0EB7B5521B8E9A713CA5D4DE1135B365.mof
  2⤵
  PID:2284
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0EBA1F7B891BD5FE808E91F1D5467AFE.mof
  2⤵
  PID:3428
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0EBDDF573C99959D239BF0ADB48A18B5.mof
  2⤵
  PID:4800
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\0F6999175ECAE7FD86A81D5F3AC1FA46.mof
  2⤵
  PID:2084
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\100C683F4F92BE5F31DCF9E5E8F8A127.mof
  2⤵
  PID:2732
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\105E698CE1AE9FA053B763F2C80120D6.mof
  2⤵
  PID:420
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\10D697E74C7A4CC694967A7BA1861EE7.mof
  2⤵
  PID:4772
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\10EDE1FE24EBC1EBE598FDE3A051CB83.mof
  2⤵
  PID:1044
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1112723BBB11F9E8C6D82115C54D7857.mof
  2⤵
  PID:1196
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\11992DCCFDD62BD40E85DA67BD91FF88.mof
  2⤵
  PID:2832
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1228A6BDE4139369DF7DB4975C62A50A.mof
  2⤵
  - Drops file in System32 directory
  PID:4468
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\128E25AF26A5FD60EC8421A35FE38114.mof
  2⤵
  PID:1144
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1364A1ACC2D182FC0E95C7573ADD0308.mof
  2⤵
  PID:1100
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\13BC960D220197BCBCC7F1658C34102D.mof
  2⤵
  PID:4756
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\13CCBA6336601A2FC7014254742EBD8B.mof
  2⤵
  PID:4236
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\153FCFE945068754B72A6FC011B37613.mof
  2⤵
  PID:4900
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\160386BCC54C67562570A808003698B2.mof
  2⤵
  PID:2872
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1641F982282E8CA70B0D93F1F2BB145B.mof
  2⤵
  PID:3512
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1671EBB4B246E464FCB7369EAB2831EF.mof
  2⤵
  PID:816
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\16C850723D6D606824E3600992F717AC.mof
  2⤵
  PID:3208
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\16E269CB069C7242FB610AB48045318B.mof
  2⤵
  PID:4300
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\170119984F3AA426567DD71E8458DCA1.mof
  2⤵
  PID:3216
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\172412DF1F8338E4AD006E9F9788ED2A.mof
  2⤵
  PID:2012
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\173F0B14BCB5F1B2B2258AFA66FA1F6A.mof
  2⤵
  PID:4484
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\179828219D3CF81FF212E021A69DF006.mof
  2⤵
  PID:3004
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\17BCA321685944580A77D03BECECF588.mof
  2⤵
  - Drops file in System32 directory
  PID:1216
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\17CF414FA1DE5CE02A5C9AC66A2D8F5E.mof
  2⤵
  PID:4768
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\180E25D92AFCF71A996BC7AC24F27DD5.mof
  2⤵
  PID:884
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\18194DF78686FCBACD0E6868ED0E0919.mof
  2⤵
  PID:932
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1898EDEA64C511B1CB8EF5483101FB35.mof
  2⤵
  - Drops file in System32 directory
  PID:4488
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\18B9AA34B315DE18655875C087F7E147.mof
  2⤵
  PID:396
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\18F122357839ADA1419DDE2C541904BE.mof
  2⤵
  PID:2832
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\192325CD712AED7BF56940AD3BB9A176.mof
  2⤵
  PID:4296
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\195AE1B89E0FF6CD40670E98BAB3A608.mof
  2⤵
  PID:4292
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\198029E6BF51E6E158ECF68FF0B36E3A.mof
  2⤵
  PID:3056
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\19B9819A1C5AE6BC556E1A65834AEC13.mof
  2⤵
  PID:1836
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1A62F8CF28E9ED8FBDCEA3D28AC6D3EF.mof
  2⤵
  PID:3892
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1AA085F45F04FFF42F8B23EE4B1DD6D5.mof
  2⤵
  PID:4624
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1AEA6E68EBB34016ED94F24ABB9308E5.mof
  2⤵
  PID:4248
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1B15F9EA2C8E8A55CC1CBE63FB6B4840.mof
  2⤵
  PID:200
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1B1859A081E5E0E923DE7CA17A3AD0E6.mof
  2⤵
  PID:4928
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1B243182F610F39F48F63ED2AAF2E4C6.mof
  2⤵
  PID:1800
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1BF02F5F261B4F6E08912C82760B1564.mof
  2⤵
  PID:1448
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1C57A0A063E5D1FAE814B23DFF99DA42.mof
  2⤵
  PID:4304
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1C6A987B4B0CF81C64F418964D02E590.mof
  2⤵
  - Drops file in System32 directory
  PID:968
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1D17F2812D61D6A27510A5356CBCB2C6.mof
  2⤵
  PID:4484
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1D2F2472E8915C165DD3667793DD6216.mof
  2⤵
  PID:3008
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1D39564B78F00E3F6ED4B4A5662781B2.mof
  2⤵
  PID:1856
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1D3D7B63AE783F3DBBD4FD9F43301BD1.mof
  2⤵
  PID:2456
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1D770486C382CDC6F1CD832E1D040FEF.mof
  2⤵
  PID:1276
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1D8E83D3077F05426D7F5E7C92A52BC2.mof
  2⤵
  PID:760
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1DD21D310EE87FB8B3301E43E53F9548.mof
  2⤵
  PID:932
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1E3959634C12CA1C92AEBB0AB0A0CD47.mof
  2⤵
  PID:4924
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1E50D6323FD92D3DDCD8B52937074C9C.mof
  2⤵
  - Drops file in System32 directory
  PID:2184
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1ED415C5FAB66F75A8BD9D906ED1FD79.mof
  2⤵
  PID:2124
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1F539B7D89D5675D5FBC71A5A1E7C62D.mof
  2⤵
  PID:3272
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1F5D7EA255DEC718E6C93AFC61039C12.mof
  2⤵
  PID:1100
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\1FD16EA55AB471DAD65A8AE31A92BFE1.mof
  2⤵
  PID:316
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\20916DA71EC75FCC409872C3207D9C60.mof
  2⤵
  PID:3068
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\20EF0B41F86B67FBB71739AA19D6F941.mof
  2⤵
  PID:3860
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\210892B3C5033337B5C4FCD68AA35128.mof
  2⤵
  PID:352
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2131A60D40501A974386B9E42E4FC201.mof
  2⤵
  PID:4560
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2174D8A485DAE80D1D90B7E5430F164F.mof
  2⤵
  - Drops file in System32 directory
  PID:2972
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2215A345459824E0504DB85AEBB502CE.mof
  2⤵
  PID:3268
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\22C5E271CACABCBB6D1BF416CB483DB1.mof
  2⤵
  PID:4148
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\232692AF542DAC9C19624048D7BCE0F9.mof
  2⤵
  PID:4372
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\23FFA2BEE2CFCB552EEC22762785E6B4.mof
  2⤵
  PID:4856
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\25CCB9BAD9B50F42124D935083535916.mof
  2⤵
  PID:2960
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\25CE4D0A477A7A536B1F5C9965A6C9E4.mof
  2⤵
  - Drops file in System32 directory
  PID:5104
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\25E9A5A2000F7483536AEC7F5BBAD557.mof
  2⤵
  PID:1984
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\265FD3983F420D89954E000E4E311FC5.mof
  2⤵
  PID:4500
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\26E8FD3933B4712ABA50053BBE27630F.mof
  2⤵
  PID:420
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2794DD6CC13BD11ED558AA64C449E6D7.mof
  2⤵
  PID:220
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\28DFEEAE5E755E081510079AEA4BA2DB.mof
  2⤵
  PID:4812
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\29B55D1D5A0BB6BBFD2F6F1D35B3A1BB.mof
  2⤵
  PID:932
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2A2AB14E79261C4C2272F4B50901244C.mof
  2⤵
  PID:2880
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2A8F8C0C68BF867A9E2A7AB38260A4F9.mof
  2⤵
  PID:2184
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2B416E2919A9D497584044544D3C8433.mof
  2⤵
  PID:2124
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2BF259128A811B9C7417AEAD9F596A8E.mof
  2⤵
  PID:360
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2C688638F731D0D535DBB9DA2F979753.mof
  2⤵
  PID:2460
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2C6A80FDED75E46CA733976E382559CC.mof
  2⤵
  PID:304
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2C7CF4E1EA79BFA00DDAAADCB67FCA96.mof
  2⤵
  PID:2852
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2D0F883F26EE14287D5262E2FC93E3CE.mof
  2⤵
  PID:1996
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2D1A849208186237BBED16B3B5D7238E.mof
  2⤵
  PID:1568
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2DB099F474FFAB578AD726E4F2905FED.mof
  2⤵
  PID:2848
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2DFDBD25A9B159E6B632A69ADD81F446.mof
  2⤵
  PID:996
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2E4D19AFECF3B4188F10CD16C8BB92E1.mof
  2⤵
  PID:1316
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2EC8433E19B30A13955120CB32A18CFC.mof
  2⤵
  PID:3216
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2F0CC20947142CB05C49044919898802.mof
  2⤵
  PID:4620
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2F58A8772B1579A81054587DFC0A68CE.mof
  2⤵
  PID:4224
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\2FA567F6FE2F89694B594B3FAC75D6DF.mof
  2⤵
  PID:4484
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\30711D4696101AA94690C8C51432F5E2.mof
  2⤵
  PID:2840
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\30A5229E4F736548D2D9FA13F92C9A82.mof
  2⤵
  PID:1208
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\30C22E5728F64CE0E1605A4A77934948.mof
  2⤵
  PID:3704
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\30C3808B55CD6C563447B44FC4E9BAD8.mof
  2⤵
  PID:1276
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\30DFAF0BD5AD387D985719F41E186AD5.mof
  2⤵
  PID:604
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\31998CC82EC1ED985097054B275161ED.mof
  2⤵
  PID:4780
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\32057A09A1167F6F66F16DA67DF1C918.mof
  2⤵
  - Drops file in System32 directory
  PID:1920
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3209C3555EE020AE8FA1C869C6A591D9.mof
  2⤵
  PID:2104
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\320EDC28FFEC3C708AB2DDE6C70FD624.mof
  2⤵
  - Drops file in System32 directory
  PID:4292
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3281CFB9A42D9486C40C0A4D010D65E6.mof
  2⤵
  PID:2488
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\329A6D1E4413466F2111A8B0F5C0A51B.mof
  2⤵
  PID:4480
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\33295A3A1D28CAE3DFB6C5167CCAAE6F.mof
  2⤵
  PID:2340
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\338BB90D61D579C0DCB5D57D723A51EE.mof
  2⤵
  PID:4900
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\33A13765948753719F44CA6F7E586909.mof
  2⤵
  PID:2896
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\33B9B81C996ACC2B2000070519028F72.mof
  2⤵
  PID:312
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\344FC63DB23C44805CA5C08EAC26522F.mof
  2⤵
  PID:4332
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\345C49713BAB91E320E0183986F86818.mof
  2⤵
  PID:4644
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\347C4407B808EB65CAFD16126D73D922.mof
  2⤵
  - Drops file in System32 directory
  PID:4148
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\348C74BBB0C8791244D9BA708604211E.mof
  2⤵
  PID:3216
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\34945C148CB28454DF772D7436BAE73A.mof
  2⤵
  PID:4620
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\361C55667115751869AC74207D28DCE7.mof
  2⤵
  PID:4224
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\36A47C4202A2694FFD79C2BABBD02788.mof
  2⤵
  PID:2316
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\36AC724DE559C5D39EB46462A440D4E5.mof
  2⤵
  PID:724
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3704297DA195A3B2DADC6D89B6226662.mof
  2⤵
  PID:3812
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\371088BC97F0585065A1A08ED83172D6.mof
  2⤵
  PID:4652
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3778D40681E80056E0C63E6CB18E9E37.mof
  2⤵
  PID:220
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\37846654B2AF369ED3D0A3637E941D9B.mof
  2⤵
  - Drops file in System32 directory
  PID:1000
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\379E5EC415D0E0A49EFDD4B3564BE048.mof
  2⤵
  PID:2880
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\37D4F7E4435BDF811F1EC2CBA1EF4A10.mof
  2⤵
  PID:2184
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3855849167EAA03A99F4C8450E15A6ED.mof
  2⤵
  - Drops file in System32 directory
  PID:3532
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\38841DF145EDAB1901F40F6B9A6AF4AA.mof
  2⤵
  PID:2752
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\38F922911FA0CAE637E5D1EB1013D0F1.mof
  2⤵
  PID:360
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\395955902B64122A6EF58A130F284979.mof
  2⤵
  PID:2460
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\39C2F82384C755EF218F0F19FE619F80.mof
  2⤵
  PID:304
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3A2F8881A3B96DF2374FCEFB35545D6B.mof
  2⤵
  PID:2852
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3A65AC537877D583303AEEF0342B5D51.mof
  2⤵
  PID:1568
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3A75BC18F00746E3EB756A5A8AB71D56.mof
  2⤵
  PID:2928
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3AF58951EB00AD264E4FCF4BA804D893.mof
  2⤵
  PID:688
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3B443485D5F96CA9554D404AA52A1633.mof
  2⤵
  - Drops file in System32 directory
  PID:3020
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3B60B0417CAF81D69389063C334577F1.mof
  2⤵
  PID:4456
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3BB167BC6A619E5D11B40C8B9F699327.mof
  2⤵
  PID:968
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3BBB431B659936EB58D4574BC05768CD.mof
  2⤵
  PID:4604
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3C03DD39D967893238742C503189BA92.mof
  2⤵
  PID:2240
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3C11F3A2BFB9588C467B72E02345362F.mof
  2⤵
  PID:2372
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3C90AAC6E581F57E99B164C33906BD30.mof
  2⤵
  - Drops file in System32 directory
  PID:1208
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3CA3E3E8C27409E2288B236F5F414F56.mof
  2⤵
  PID:4204
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3D486D2EBFD5C380959985A548DC1308.mof
  2⤵
  PID:1196
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3D7D7734943CA5F273BDA05F3E1FA20C.mof
  2⤵
  PID:220
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3D93BA5591BD981C5D5D6E2BEFACAA50.mof
  2⤵
  PID:3404
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3DA405CE6ACE7B7A8320D68D317B9729.mof
  2⤵
  PID:4232
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3EB36FAFDAE870DF05542C0B4AAAD7EF.mof
  2⤵
  PID:3272
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3EE2F37B4639F4307BAF0C707B092F7C.mof
  2⤵
  PID:708
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3F78FC5E2CC6CFD8720C796D34A544F7.mof
  2⤵
  - Drops file in System32 directory
  PID:1496
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\3FFDD473F026FB198DA9FA65EE71383C.mof
  2⤵
  PID:2100
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4001CC0C4B56CFDE0493013FC1D9DD0F.mof
  2⤵
  PID:1888
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\403B948C3850C376E6FCA88EF3F5CCA8.mof
  2⤵
  PID:4268
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\407E61D88570FDFD5EC8891DBF9A3EBC.mof
  2⤵
  PID:4624
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\40E224B18F4493C1B8E43DBC496D8E68.mof
  2⤵
  PID:2972
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4136DDD03841D93F3D820441F60BE055.mof
  2⤵
  PID:4152
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\413CED83449192A10E66EAD24743140E.mof
  2⤵
  PID:3748
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\42CB2CBBDCBB0DB751E51FF6B279C524.mof
  2⤵
  PID:196
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\430091E25BA6C7FE2FE5DC31776BEACC.mof
  2⤵
  PID:564
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\434B7316BB2FAD82DC3E5784AC46B4A0.mof
  2⤵
  PID:2732
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\43535D7A73D735DEFF9DB83057553D39.mof
  2⤵
  PID:168
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\435A088CDF6FE7426084E4B35C1E81C7.mof
  2⤵
  PID:1984
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\435FA4D2CAB38A1853F91A3BE8F89D4E.mof
  2⤵
  PID:1216
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4371EC94BF996AF79B062599D10C927E.mof
  2⤵
  - Drops file in System32 directory
  PID:3564
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\43AC153E4DED1737C66AEC0C7EAD9430.mof
  2⤵
  PID:2472
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\43EDE2715871F08D0BEFB4C9DE69E247.mof
  2⤵
  PID:2328
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\441A12A68AB1A20902A131356BA4CF30.mof
  2⤵
  - Drops file in System32 directory
  PID:3060
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\44B487D5879BCD6C593C9066936D12AD.mof
  2⤵
  PID:4188
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\44C46B87678291B7CFBF7D8A6452D98D.mof
  2⤵
  PID:4524
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\45277ADB2DA919AFFF18833506353174.mof
  2⤵
  PID:600
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4552656C2901FB1533D6679D49B69929.mof
  2⤵
  PID:4160
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4561B54041D5F414CB02373F78461708.mof
  2⤵
  PID:2632
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\45909B0D5A9FD1FE57C8BD13773D4358.mof
  2⤵
  PID:192
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\46F812454290EE1E870544BFEAC8C7EF.mof
  2⤵
  PID:2100
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4795058F848A6BA6FE24E0530CE2E2DF.mof
  2⤵
  PID:1888
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\47C87AFF6DBF51980E7CA3E36C38B86B.mof
  2⤵
  PID:4268
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4846320185EA62FBD8507FD7A9D87E61.mof
  2⤵
  PID:4300
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\48959878DDCA03B0FA77D806C7C5D743.mof
  2⤵
  PID:2208
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\49C04C47AB946E0864486F81F6E251BC.mof
  2⤵
  - Drops file in System32 directory
  PID:4100
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4B69CC652B5189D5B2136DFDC5369593.mof
  2⤵
  PID:1640
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4B95063FF713676A54E7221DF8245C78.mof
  2⤵
  PID:564
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4BD7268ABFF9CFF22DA57949025E2667.mof
  2⤵
  PID:3004
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4BE30AA8CC2C4C06B41336B9B3878B1E.mof
  2⤵
  PID:4604
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4BE9D6CB921FE137B78AE9960CDD98B0.mof
  2⤵
  PID:1536
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4C3FFB127B4E9B67BFACD89178DE3DA3.mof
  2⤵
  PID:2996
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4CCFEF2D31696D11C8735BD7C8BE14B9.mof
  2⤵
  PID:3688
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4D9BCF0F509C90FA86E1ED3A34E158A0.mof
  2⤵
  PID:3704
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4DAE009EE0BC4B9ECA96E59E303AE1E5.mof
  2⤵
  PID:1276
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4E20565265CAAFBDB6BA1B1C1ADA9D96.mof
  2⤵
  PID:4580
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4E34C76D83E2430D779FE9AA17E87200.mof
  2⤵
  PID:3148
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4E5EE363F62039780D739C7FE128A149.mof
  2⤵
  PID:4504
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4E8CF66DA5DBCEE8F47DFDDF0B14DEC0.mof
  2⤵
  PID:2476
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4E941341E008BE47EC9639A14271EBF0.mof
  2⤵
  PID:316
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4EA32ABEBFE9B0697C450693940F1673.mof
  2⤵
  PID:1644
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4EB0E9424AFEF8E5D68D78C36620E253.mof
  2⤵
  - Drops file in System32 directory
  PID:4532
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4EF05404F86FAFD7EDAB80262970585E.mof
  2⤵
  PID:2872
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4F4AD4093274B7A7FF28CDBD5AB3032C.mof
  2⤵
  PID:304
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\4F7C501B863AFCFCE3AE018AC07191F9.mof
  2⤵
  PID:2092
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\50B277BD2B3C116DBC38CC2D1EB7D427.mof
  2⤵
  PID:3268
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\50B5B38557DC642A4BC7282A0C8C4AA2.mof
  2⤵
  PID:3300
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\50E7AE0A90085737B8F04CDF9460DBEA.mof
  2⤵
  PID:3488
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\50FC9EDA1918FBC981D89D0390125308.mof
  2⤵
  PID:2496
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\51588E4AC5E59453F329EBF5A215ACEC.mof
  2⤵
  PID:4148
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\517ED769F6478117021531216F609C27.mof
  2⤵
  PID:3036
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\51B9369C31C913E211D29AA4D91D4747.mof
  2⤵
  PID:1856
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5232DBC5D3EE8EBCEF6CCB4213399B9A.mof
  2⤵
  PID:2316
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5241D310A7F9B793E5E9EC39E65B7B44.mof
  2⤵
  PID:3576
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\52DF56A47A08AD380228C64827D24548.mof
  2⤵
  PID:2436
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\531218B396F02B35771F8AD1965A574A.mof
  2⤵
  PID:3812
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5312CF8C0E1EE738404F2A6E526EB4D0.mof
  2⤵
  PID:4652
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\536E5C7121076D413E48A32D54E26EA3.mof
  2⤵
  PID:1000
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\53C2FC20B111DA763C20CFDAF7624A26.mof
  2⤵
  - Drops file in System32 directory
  PID:1348
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\53C824D10974E3D64CB1537B2770F4AD.mof
  2⤵
  PID:2108
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\553C27B9785BAD9A0C6E81613DD3FCB4.mof
  2⤵
  PID:2476
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\554B4465433438F4FF7B8D7AB981B555.mof
  2⤵
  PID:316
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\555E8EEF9A21E3F26C263316A778E15F.mof
  2⤵
  PID:4480
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\55B1D144C8C3666C687E454A80906ECE.mof
  2⤵
  - Drops file in System32 directory
  PID:500
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\563EAFFF3BF92CE3F60EAEE4EB18BBB3.mof
  2⤵
  PID:1996
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\568257F0F7CB54EB479EA5E39A4ACD57.mof
  2⤵
  PID:996
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\570CEA2150DFE3FABA503A81C35963D1.mof
  2⤵
  PID:1800
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5731B1CD62369AA3EF2B861A7BACB2C5.mof
  2⤵
  PID:1220
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\57985F4723464E47CF133A601D28906D.mof
  2⤵
  PID:4644
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\58766C70A633CC3A5AC9393E175CA63A.mof
  2⤵
  PID:2408
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\58F2015134CCB0F7652C9320D9357B79.mof
  2⤵
  PID:2492
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\59481CB78111FB31D37EDAC9647FAFD8.mof
  2⤵
  PID:5104
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5960F40D2AAABA9E743AFA7294468C25.mof
  2⤵
  PID:516
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\59A5343CF85A83AE1E7B5EAFC71ABD66.mof
  2⤵
  PID:2888
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\59C780751B7740A822CCE33528AC1E14.mof
  2⤵
  PID:3444
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5A7BC66EEC954487F6D9911DEAF052BE.mof
  2⤵
  PID:1556
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5AE8909013A93E238FE02AD459BBDA3F.mof
  2⤵
  PID:4252
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5B18367075FE563AF4A12EA837278D84.mof
  2⤵
  PID:1628
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5B4B75183FE97E2D052EE74E519015F4.mof
  2⤵
  PID:1920
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5BE557A291C3EEB7FE628D8099DD0CD3.mof
  2⤵
  - Drops file in System32 directory
  PID:4504
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5C704EA3E7D7B64E50D00711FC13CD34.mof
  2⤵
  PID:2124
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5C81F6E368BC71D1D45E2D9206EA3FD0.mof
  2⤵
  PID:4160
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5C8CE9E608C8192171A5B93767FCC960.mof
  2⤵
  PID:2460
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5CFEE986112963509926EC8912E14D25.mof
  2⤵
  PID:2100
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5D75A4D5A6D14E6061698FB7BED0446A.mof
  2⤵
  PID:4624
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5DFFB5C73CF04EE22E19BB74127846D8.mof
  2⤵
  PID:5100
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5E69759D567F673B36A59095A347BF07.mof
  2⤵
  - Drops file in System32 directory
  PID:4248
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5EEE7ED3AD74F7D10B2058BB7C19B751.mof
  2⤵
  PID:2208
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5F037A89915D44B8819F9FCFDE0B489E.mof
  2⤵
  PID:2664
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5F08E2D70EBF81C77FA4C99A0901A6C8.mof
  2⤵
  PID:1564
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\5FC405F33502FCF8B5292EFDDD9AE4FA.mof
  2⤵
  - Drops file in System32 directory
  PID:4100
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\601C41633EC4EEE1FFE41D65491BABD5.mof
  2⤵
  PID:4856
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\60B3B69ABC4366405469AA15F5B33006.mof
  2⤵
  - Drops file in System32 directory
  PID:2492
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\60C90B334F5FD0AD576CC5FFCECDFA9C.mof
  2⤵
  - Drops file in System32 directory
  PID:2412
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\617D2BAEB248E81618E2D9342B7323AD.mof
  2⤵
  PID:1656
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\618DAF27B2DD9C7384C9866B3C604A9F.mof
  2⤵
  PID:5028
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6199F396C445A25AF1DE1CEFFF072560.mof
  2⤵
  PID:3704
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\61D0174ACBF8E43615E6DF8019C0583E.mof
  2⤵
  PID:4780
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\627EE3812DC7A5BF704C057D238F75AA.mof
  2⤵
  PID:4580
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\62FE034F36B9ACAF125049C4EB64D6A7.mof
  2⤵
  PID:4188
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6340973172727B5EBAF0A64E92C26B73.mof
  2⤵
  PID:3312
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6364E8D3F688917ECAE1050954B63674.mof
  2⤵
  - Drops file in System32 directory
  PID:1936
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\63B2501D71A2DE162EA12C3CACF8C488.mof
  2⤵
  PID:4264
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\644B35DCD280DC69AED674005133C98E.mof
  2⤵
  PID:1644
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\64B4796A957F50D8E37415358DC4011F.mof
  2⤵
  PID:192
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\64BE228C7C03C2D993371E5195306859.mof
  2⤵
  - Drops file in System32 directory
  PID:3136
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\652B32EA4449A9E8AF422E70ACDF46E4.mof
  2⤵
  - Drops file in System32 directory
  PID:3096
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\653734ED42B7A9B62F119AAB8C9521D8.mof
  2⤵
  PID:4088
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\657F8341C743B485575944BF32E0125B.mof
  2⤵
  PID:312
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\65DE946825EFC13018FEB489315181A4.mof
  2⤵
  PID:1568
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\662DD1E431BC9D4EB784D7D662BF5114.mof
  2⤵
  PID:4496
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\66501D267ABECB2CF3315642D1881501.mof
  2⤵
  PID:4372
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\66B28EEE188E29399051A60BAF92D333.mof
  2⤵
  - Drops file in System32 directory
  PID:3216
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6717E3CAA50A3943B61329778C1DD781.mof
  2⤵
  PID:4664
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\671DBBDEA9073F2E4CCCFFF6957044E0.mof
  2⤵
  PID:2492
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\674888C18C2BA74E9DE8F74501330DC0.mof
  2⤵
  PID:4804
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6780F8CDE9A603E0A830C9603F2F4D0B.mof
  2⤵
  PID:2720
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6808D4839451264DD18BB2454D45479E.mof
  2⤵
  PID:2888
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\682277A939A770BB800CFE4F205D7891.mof
  2⤵
  PID:2996
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6874681F627A133631133FDFA2B4FB8D.mof
  2⤵
  PID:3420
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\687CF9D31E514545A07747EE9CC567AB.mof
  2⤵
  - Drops file in System32 directory
  PID:4580
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\68882E3FA69BD52620343D172BE84815.mof
  2⤵
  PID:4188
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\693BB2D22B37188C506A30563317E1D8.mof
  2⤵
  PID:4016
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6984662FE0A2CC634E49E525D17376AA.mof
  2⤵
  PID:4276
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6BCCCB82E5792A665667D7E41CC45168.mof
  2⤵
  PID:640
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6BFD34C0EBE9B3A34F525B51261858DF.mof
  2⤵
  PID:1644
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6CBA7FE164696851E3674A4FC046F926.mof
  2⤵
  PID:192
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6CC07C0289722A5549B9C30F76C249FF.mof
  2⤵
  PID:1924
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6CC685AEFC129C8DD86F9036F17E943C.mof
  2⤵
  PID:2340
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6CD4AC2A2B648ABFE8F2F90A5D07829F.mof
  2⤵
  PID:4332
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6CDB91CE30082B98FE1BEE23E422804C.mof
  2⤵
  PID:2284
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6CE4D05BA5B97F5FAAA40312E14F0E81.mof
  2⤵
  PID:4152
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6D15B1C3AE92D91DCD86360CCC4F53B4.mof
  2⤵
  PID:4496
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6DADEFFF2FCEDD93F8CEF59036FEF4B9.mof
  2⤵
  PID:3428
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6E5FACACD2BA0A27C7AE761291F7BED1.mof
  2⤵
  PID:1816
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6F2F026E4006B8443E4D6AD8DC43B8EF.mof
  2⤵
  PID:4620
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\6F606DA76B5A34FEC3A95B874DC14C2F.mof
  2⤵
  PID:216
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\70121DE772621FEB6480A1C9A3475D5A.mof
  2⤵
  PID:2240
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\70138AC07076B005E1CFA39BC5BD9175.mof
  2⤵
  PID:1208
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\71E680EC580A0039A775A378ECD836FF.mof
  2⤵
  PID:4748
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7282BB1A61AFF7E0656732EE80CEB6FD.mof
  2⤵
  PID:4464
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\732BD24D0DF3B5E7191B301E55CDD6D6.mof
  2⤵
  PID:2916
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\738F657B98502C3F07A67FDC669EB8AB.mof
  2⤵
  PID:3148
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\739CB6904442C4B4092104AACB73DBB0.mof
  2⤵
  PID:4524
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\73C8F1FE9282D72F1684DA13FF1346AA.mof
  2⤵
  PID:600
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7402D0FB5599777D401744FC6DD201D7.mof
  2⤵
  PID:708
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\740FBFCE4E4515C86E8C7E9D18A58DF4.mof
  2⤵
  PID:4880
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\742B2F1B414C6E566B6BDF87D12D8AA4.mof
  2⤵
  PID:2488
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7450D0DEE62770FF1E5C905B1BAFD42E.mof
  2⤵
  PID:1632
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\74AF2F8E62D0745F958B573494C439C8.mof
  2⤵
  PID:4624
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\74E621F5E9C4849D83DAC55AC565A76B.mof
  2⤵
  PID:1888
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\75054C3771DF289038069A9BB1C1FB6E.mof
  2⤵
  PID:1544
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\757421178679BC54A733A7C4F3DAA07B.mof
  2⤵
  PID:2284
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\75B8AD308277AE2AEFCDEA0B6A7C3C0C.mof
  2⤵
  PID:1448
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\75F3B2B3A615155BFB2E7C19531A197A.mof
  2⤵
  PID:3428
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\76118EA7CDB4BF4005AD84DDF6CE2E66.mof
  2⤵
  PID:168
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\76367CD152E34AC3DD8007741C968AF4.mof
  2⤵
  PID:1044
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\76A3CA62703735BDC186B9056247C8F7.mof
  2⤵
  PID:1656
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7716BDB243C38A4A24E728B3817AE0F1.mof
  2⤵
  - Drops file in System32 directory
  PID:3564
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\77E1FE7C589B0FE237874F7EE517A0C1.mof
  2⤵
  PID:5028
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\784F84C1F101285B20E218ED2D09CD89.mof
  2⤵
  PID:1276
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\785C9F9CED5D122AD92D6BC91312F7FC.mof
  2⤵
  PID:3420
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7891546B010C902B9C8DE33F55F71498.mof
  2⤵
  PID:2916
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\78C249F8A099AEA6A25F33F09F50FB47.mof
  2⤵
  PID:4292
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7950D68C8C6F669B94D3E488F0B6BEAB.mof
  2⤵
  PID:4524
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\79EF8F616077A833BE2747809180BFA5.mof
  2⤵
  PID:600
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\79FE6B25E5B132F33880B7F44A66B758.mof
  2⤵
  PID:1836
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7C6FCEE9F64D2CC890D867AB97DEE424.mof
  2⤵
  PID:4880
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7C7E3220AE92EC87E0436ADE3F5D9931.mof
  2⤵
  PID:1996
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7CEC0B7114C0F4A2F6AABCEF53246585.mof
  2⤵
  PID:2052
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7D1DA389789509D61D1AB66097581992.mof
  2⤵
  PID:4624
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7D60FA9CA39C59A4B7C96DEFCF0B1B01.mof
  2⤵
  PID:1888
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7D8C933AA5FE34FA3316DA4B6E09E654.mof
  2⤵
  PID:4332
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7DD87359B51EDB79AC235F97E726EF5A.mof
  2⤵
  PID:4328
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7E12C6950CA7714D731D5313649CA457.mof
  2⤵
  PID:4152
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7E19C857E35FA8D70E57B0F1CB21E5C7.mof
  2⤵
  PID:4644
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7E261DD810136592A2DAAD37A3EF386C.mof
  2⤵
  PID:2732
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7E4466504BEF670F4735843135B2ADFD.mof
  2⤵
  PID:3004
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7E856BB33FFDA1141B90AC29735FB9FA.mof
  2⤵
  PID:420
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7EAB83B6B5BC37690D2D1B3E22DF7D9E.mof
  2⤵
  PID:4500
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7F3DC6EFFFDCCEBC37B17C2FDC124638.mof
  2⤵
  PID:4488
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7FAB1F3A2B36D6EA27A3DB4EC39C7BD0.mof
  2⤵
  PID:4748
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\7FAC187A43CA71A854CA4653D8E075B5.mof
  2⤵
  PID:4924
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\80064700E82C89F9D3E945021BA8C32C.mof
  2⤵
  PID:220
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\80571CB6E9439E1C98BA9AC3FA28D3A9.mof
  2⤵
  PID:4812
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8096010E847A7DE3A3F69A61002DD563.mof
  2⤵
  PID:2292
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8151A5CF9B90099D16EDB3EADE4C8CD3.mof
  2⤵
  PID:1000
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\818B866A009B1338C5AC103B2D8E2372.mof
  2⤵
  PID:3532
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\81FCAC08918AF581FDCB45931E356981.mof
  2⤵
  - Drops file in System32 directory
  PID:640
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8243D67DDA3785DAD59ACF70CFC203DE.mof
  2⤵
  PID:2460
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8266DC592F01723A90239C659F1FA6C7.mof
  2⤵
  PID:4880
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\82DA351296066664DEB012FCCF6D07AA.mof
  2⤵
  - Drops file in System32 directory
  PID:1996
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\82DA415A8C75204A2D758E6DAD53BC36.mof
  2⤵
  PID:4088
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\82DFEA0FE38074528C86FA0695FC7E37.mof
  2⤵
  PID:2208
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\82FED0C3319594CCF4117CB3B34B5F72.mof
  2⤵
  - Drops file in System32 directory
  PID:3300
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\83E1D5D490B9335941305F44058A6755.mof
  2⤵
  PID:3712
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\843980BE43ABA52AC77C57DF068D59B1.mof
  2⤵
  PID:4328
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\846AC8E6E788D5BDCFBB697A233A8993.mof
  2⤵
  PID:4152
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\84BA101DF0936E1318EE1EB10539C9CD.mof
  2⤵
  PID:4644
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\84EBC179129822B0E00C47B7528F1FDC.mof
  2⤵
  PID:2732
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\84FD82C473BCBDEA6CFCD53DF80D6022.mof
  2⤵
  PID:3004
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8588C815441547988C5E4B9CC6CF7351.mof
  2⤵
  - Drops file in System32 directory
  PID:4804
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\85917F125E29280A85EDFCDC3B0C8170.mof
  2⤵
  PID:3060
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\868B5F1DDD5C341C50C0D359CD22F37B.mof
  2⤵
  PID:4780
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\869B30EA34E0F5E56CCBB130AAC2BFA1.mof
  2⤵
  PID:3812
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\86CAC2AF84F4546D81A07C72C8591F6A.mof
  2⤵
  PID:4580
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\86F4330E57637679ACB9F17E5F9481D1.mof
  2⤵
  PID:2004
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\86F83A7235F3DC2A6FCDEC052E1E1C74.mof
  2⤵
  PID:4016
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\87218B3AEA759A53DCCA78D6B9BBC66F.mof
  2⤵
  PID:708
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\875B0EAE58DBE30E13A8DB610457D0AD.mof
  2⤵
  PID:3532
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\87C0585DEAE72716889B524A66D1B5A3.mof
  2⤵
  PID:1836
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\886EC825992F9DCB7AF34306DA80E12D.mof
  2⤵
  PID:4092
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\88C20208CDD4638C0381F2B7EC657564.mof
  2⤵
  PID:200
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8935BD8F59955F30D52E141E311891AB.mof
  2⤵
  PID:1924
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8999FA8F96032A452671DE654F9BAD9C.mof
  2⤵
  PID:688
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\89FA1168564BA2D42E7C412972B44BB5.mof
  2⤵
  PID:3208
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8BA44FC08995F15033A9F5D56C8BFC72.mof
  2⤵
  PID:1568
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8BC8F7B477D3C6C3184AD0372AEE53F6.mof
  2⤵
  PID:4784
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8BDE235F11AF9276AB26638F45341094.mof
  2⤵
  PID:2456
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8BF0E140F8F40D230143B569A1BAE507.mof
  2⤵
  - Drops file in System32 directory
  PID:4632
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8C11323D7C773C8A79C1C61EB62FE331.mof
  2⤵
  - Drops file in System32 directory
  PID:1428
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8CB4C42331F0F4BBCC8E1580131EDCE2.mof
  2⤵
  PID:4772
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8CBA2BE847D0B28A440C5F24567B0891.mof
  2⤵
  PID:1856
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8DB46DD597956632ECDB18D7B2BDF70E.mof
  2⤵
  - Drops file in System32 directory
  PID:4500
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8DB9DE86229327C5777721E4A01FB6B4.mof
  2⤵
  PID:4488
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8E733CB38D1CDCF7377912244F95A3ED.mof
  2⤵
  PID:5028
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8E84BA6D260667ADAAD89BFECDD627CB.mof
  2⤵
  PID:932
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8ECBCCCC7B4A9C11EC33A03B6E25EA5B.mof
  2⤵
  PID:2328
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8EE122F840F244E3AE065AF9ADB16CCD.mof
  2⤵
  PID:3148
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8F07ADF9734C090207F52CC2C29F17AF.mof
  2⤵
  PID:2916
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8F1ECB08E7908F5D543B0D9386C0EE1B.mof
  2⤵
  PID:2292
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8FAA7CD5955A0D5862A90FAA2B0A56F4.mof
  2⤵
  PID:3860
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\8FCABF54BDCC2D55C8203E3B81BAC5FF.mof
  2⤵
  PID:2632
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\901B1F181D1D82C168094975DEFB52F3.mof
  2⤵
  PID:4528
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\902F9B116F0B37B699E9A1D4BB1E2784.mof
  2⤵
  PID:2488
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\90B516E096C71C814FF03EE3F4B20042.mof
  2⤵
  PID:4756
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\92D0D0F85E3CD145C08A6B0FA1E67013.mof
  2⤵
  PID:4820
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\92EFA8432E609D6F315DD0A3CB41E1E8.mof
  2⤵
  PID:3096
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\930C5E176BA9A3D78B730BC00CDDF64E.mof
  2⤵
  PID:5092
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\945C37C794BCB294DBA8E445FF2C9DB6.mof
  2⤵
  PID:1316
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9476FC534A628F39C9E25CA2F2B7B45E.mof
  2⤵
  PID:1988
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\94D3468248838C60F808E50FC66A40D0.mof
  2⤵
  PID:3712
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\953349B5ECB359DD058D07088EA31408.mof
  2⤵
  PID:4328
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\95C6129A16411671ED974764CC24C800.mof
  2⤵
  PID:4320
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\95E06CE9FC028717015354732A36A6C1.mof
  2⤵
  PID:2412
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\960C76B3B2B322906970277571EF6F3C.mof
  2⤵
  PID:2472
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\966B95F249EDF54D9BE98C23AD9B758A.mof
  2⤵
  PID:2840
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9694C920807304FD0F9730304298FBFC.mof
  2⤵
  PID:1928
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\96E2369FBCFC254F09B1EA2AF6E7641A.mof
  2⤵
  PID:3536
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\97479A7EBC4B4FA9A0F0C7EF9A25471D.mof
  2⤵
  PID:2832
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9772382673B9BD1FECD8DED342DC39F8.mof
  2⤵
  PID:4580
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9787DADF23D03D83A63DC8237E63E3EB.mof
  2⤵
  PID:3420
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\979FEF94607A8F13E19684C45FAA30EE.mof
  2⤵
  PID:5076
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\97C10655E91CC076C4E294C0127D974B.mof
  2⤵
  PID:4292
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\97D74F86BDAAADB7B4674A2E199ED992.mof
  2⤵
  - Drops file in System32 directory
  PID:3056
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9823053171CF53F4038B0801004F87BC.mof
  2⤵
  PID:4480
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\98A650FE1443CF2F953B6628EE432373.mof
  2⤵
  PID:1836
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\99BB0F4219E2381969DCE76BF639AC68.mof
  2⤵
  PID:192
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\99BFB05D8CE546325B5205C32233A3BD.mof
  2⤵
  PID:2872
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9A977B776702BB9FBB29D1FCCF5F778B.mof
  2⤵
  PID:3488
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9B0C875B0F6F2F48FB2B5C587F50979C.mof
  2⤵
  PID:816
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9B1ABD0CEAE78416529CB8D77CEE7B3A.mof
  2⤵
  PID:1640
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9B26A1BDCAD9675ACB32D78DBA6F76AB.mof
  2⤵
  PID:564
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9B69BCC6C9FE867D2A3B64ECABB53826.mof
  2⤵
  PID:3216
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9B75C712017ED3DA97BEA0D4949BFA74.mof
  2⤵
  PID:1816
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9B7AE939DC5E63135058FA28EB025C7C.mof
  2⤵
  - Drops file in System32 directory
  PID:3008
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9B9501A9E26093612D20F39A895DA307.mof
  2⤵
  PID:3624
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9C1784EBA4E907589027FCF72DE4C0AD.mof
  2⤵
  - Drops file in System32 directory
  PID:1044
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9C531048714B59E157A371D1186F796E.mof
  2⤵
  PID:1208
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9CFE6E9E20D61400007C08E31ED048B4.mof
  2⤵
  PID:396
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9D40E5B032950BC9770539F90AD86275.mof
  2⤵
  PID:2880
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9DB628ECA9373F2BA3BCBB592AF60665.mof
  2⤵
  PID:2328
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9DEA7F87EAEC9FF8770E55D5A6D8CC91.mof
  2⤵
  PID:3104
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9E8B373EB1451CC4B43C871707D12D3D.mof
  2⤵
  PID:1920
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9ED719089FF4652F4929D88C64B6A1AD.mof
  2⤵
  PID:1936
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9EF608904C4706610FDA20D08530978E.mof
  2⤵
  PID:2108
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9F39E54D6756FE5D64BB6FED194D0894.mof
  2⤵
  - Drops file in System32 directory
  PID:2120
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\9FD6F6552A18165F88BF080B1B4DF1DD.mof
  2⤵
  PID:4092
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A03E3718C1B8425EB481A1EC4850275F.mof
  2⤵
  PID:5100
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A067787F4F1B728DE125898181C42609.mof
  2⤵
  PID:2928
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A070E510DD6FB900742044F2CD306750.mof
  2⤵
  PID:4088
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A0A63361726BDAE3BC29B11F7526AFE6.mof
  2⤵
  PID:4496
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A0CC7ED8939B47C1ED00EB9F04D19EB0.mof
  2⤵
  PID:816
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A0DE0DD786E0E9020C3DFD7004E42694.mof
  2⤵
  PID:1640
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A16EB1FCF4FDFE5542D9FE85FCF4F0E0.mof
  2⤵
  PID:564
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A269D70CB8C799952AAD6684D1506485.mof
  2⤵
  - Drops file in System32 directory
  PID:4864
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A2D118894CA6FCC71ACC7DD86296B7A8.mof
  2⤵
  PID:4644
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A30FD18C5DC0924B89944F8ADE638E27.mof
  2⤵
  PID:4484
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A396597A6767121F681B483A4B28ABDB.mof
  2⤵
  PID:3004
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A39A3B3270FEF11AE8ACF901E67BE359.mof
  2⤵
  PID:3564
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A46C038124134B1482949A1DF8ABB385.mof
  2⤵
  PID:4468
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A572284932D45BDC47401871C2E01043.mof
  2⤵
  PID:1556
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A5B62AD916B641B7A8365E1C7C9C7544.mof
  2⤵
  PID:1196
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A5E0C63B1E67223D493A65CA08D7339B.mof
  2⤵
  PID:2960
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A71089353F923E1FA26964C3E8153739.mof
  2⤵
  PID:360
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A7463B23BFE582993515A0109F19D304.mof
  2⤵
  PID:5076
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A7D7570238274B86C73F2E9009BDF74F.mof
  2⤵
  PID:1000
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A808A31E629557CF0D5F92D5D87BD706.mof
  2⤵
  PID:4292
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A837677C21EC0ECFEB9B10CCD2FEB0E5.mof
  2⤵
  - Drops file in System32 directory
  PID:3056
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A88BC3FD19AFFF0EF5E5DD4A97F9B953.mof
  2⤵
  PID:1304
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A93568B935C29F9AA2B5DC62D4964431.mof
  2⤵
  PID:4248
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A945F8B7098A596A55A7303B78BC8CF1.mof
  2⤵
  PID:1996
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A97B345CDEAABDA620BFB72AD2A07100.mof
  2⤵
  PID:1036
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\A9FBCB4593D76446A380C3F3421BC2A7.mof
  2⤵
  PID:4332
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\AA10CCACD6B301F2187572F1FD684AC5.mof
  2⤵
  PID:196
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\AA510EA6AD14A8BE52A7D659281F9BF3.mof
  2⤵
  PID:4648
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\AA6235372BA3751E1E4C601E6263D02E.mof
  2⤵
  PID:2796
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\AA69B9C8BBEB509BBB296FEDD7B5ED23.mof
  2⤵
  PID:4664
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\AB2AD61FC9800DD5C7751E4270E02730.mof
  2⤵
  PID:4184
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\AB3EC8C66F16D96107223E8469ACA854.mof
  2⤵
  PID:4772
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\AB545518DC0F250493CCF5B36A459568.mof
  2⤵
  PID:516
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\AB947196AECC60D0365253863489134A.mof
  2⤵
  PID:3060
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\ABA2825A827A4760BD2251B8B781B271.mof
  2⤵
  PID:4924
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\AD20F64F9DDBB4AB72E615A132B55377.mof
  2⤵
  PID:2112
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\AD4ADD965106D211E524A76F9B368A14.mof
  2⤵
  PID:1628
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\AD6E370A764693BABD73A1B75D243F0B.mof
  2⤵
  PID:4812
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\ADEE1E4F403A605328D0002B7C6CA9C7.mof
  2⤵
  PID:4524
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\AE25594AECD77BF35F6E794162F4DD77.mof
  2⤵
  PID:1496
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\AE796E3468AD0D0C250FAA45259E22DB.mof
  2⤵
  PID:1644
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\AE8C8067E61E868B002C481CE87EBE05.mof
  2⤵
  PID:3272
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\AF451AB4377D22C64822DE9E01B1F4E8.mof
  2⤵
  PID:3720
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\AF45D4D704EA10EA55742D1B3C8C6CE2.mof
  2⤵
  PID:4880
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\AF8191ADF52F4156FF8D54FB39842A54.mof
  2⤵
  PID:3268
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\AF83007CC746311C7050A636C44C02DA.mof
  2⤵
  PID:2848
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\AFC3C909161915255AC43F522C25B858.mof
  2⤵
  PID:4300
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\AFD8B7D322EE2A1CB2BAF41EC0ADF626.mof
  2⤵
  PID:2012
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\AFE689599143A3C959EC6ED84C5AE1F9.mof
  2⤵
  PID:1988
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\AFF15E95C194C0034BFE43E5853DEE63.mof
  2⤵
  PID:4560
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\B0ABD547895829AB29B56F0812CBB823.mof
  2⤵
  PID:4632
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\B0C53BEE6C437337AB024CECEE878418.mof
  2⤵
  PID:3712
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\B10EF7584FC5D16C42403B0CA5BD4DFF.mof
  2⤵
  PID:3008
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\B1FD5C4B728DEE34C2744E42C11D8760.mof
  2⤵
  PID:3092
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\B250BBA224E8A08823993336C7CB7011.mof
  2⤵
  PID:1856
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\B25479026E9AAB36CBEBFF51AA0E32B5.mof
  2⤵
  PID:3704
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\B308B28244CE4219C4C6B3315FA83200.mof
  2⤵
  PID:2888
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\B471CD3F6DA41643CF1F5221FE3E4CF9.mof
  2⤵
  PID:2880
- C:\Windows\System32\wbem\mofcomp.exe
  mofcomp C:\Windows\System32\wbem\AutoRecover\B48FFF8D8BB2AE842F6650E8DE95B954.mof
  2⤵
  PID:2328

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Drops file in System32 directory
PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
678B

MD5
060c8d5d7d483589c604b49f28f1a9e6

SHA1
22646e3600124f405958b80677b44559d783a27e

SHA256
249fa5fc3f537124e0a937c38abfd3251d2f15ab9ee3d0562b3824da995c6e92

SHA512
7fc9f2e19b22dd3ab9fdb0477712765e65b3f0e8934645cd88b6d83e9719a477f106b736b232d6a6c1de309af67fe7d81b207eeab8d34608a12fd4dacd554e88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
92033917709ad4573b5e090a17a0a154

SHA1
7b6e2032a6e9cf39d655a3ba5db591bc141f98c5

SHA256
ff550c2a6ee9ae53cd2e57b270073d4822433519c2397ef26ad9e56d25a646ac

SHA512
405ef64c239a1dc58a09b7f71da01c2e1dc8898c648d14eef843a8392a98734686361b421cdc1ae5e6172781f091391027514a1e15cb14bf80310e31d44b08ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f59218dcfb649cffe2358707c0fae7e7

SHA1
12f726a1312d057e6d3d8e36525555b110eb7b93

SHA256
cfe3662ccfda185af9449716e22ccf7be55d18fe7f3c2e69a19dee287e136df7

SHA512
68d8f0fb366f6afc5e2102db0dffc55ec1116fa85c8f2af883b86016f70dddb8bb1a774821cb2dc5136ca66b5fa3bfc22bc95a6a9a2d4e6011a79637f109af39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e3c7b3c2bd3c7f8a243fd6dad2a97aba

SHA1
1240670ff6eb622594f4e6e0bc640175fba50d6a

SHA256
0d4a175002e5e80c47f719c3961bc71e4d5149f806f6a297505279c98a909cca

SHA512
616457ffcdbeb623c7df89f1648ebf226ccf7d70c22c0abf835a543122d6260ff5a3e609a47588dbdc23c8a02227a6273e95f33838697d6e35592c5b98c88bd1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
3e2238507916339779adc151b976cb7a

SHA1
67150085a33b69147dd59e9e83aa39d937c6b1fa

SHA256
b0cb4b093f62d6037039037ea324648b76a6904e017564de9f2611efa58af9b3

SHA512
99ff702850c6c6fb11a2d8a303aae76bd7bf1d071d84978309ec9da3836da8be321dcabdea3926745196813ab75958b61b1dbb334fab9b5efe1075589420815a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\efe9e0dd-8415-42ba-9d00-c7e9541c3adf.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\Fang3 cleaner.zip.crdownload

Filesize
334KB

MD5
38be8f2033f5f5022732e2b39710ae0e

SHA1
2514498b4d8f1440cbdbd408fc9ae140fabbcb50

SHA256
88f5ef6e7b0d48fb54472e156c1733d1c436de335d35576dfd055f8413d7423a

SHA512
c7952df03f631b63070be67a8eb718a4d88841d4361608b05b290f1eac9876abe4de0c4f9f3cfd81821d5294e1c9d98743e61b7358c5e62fdaca9b0a0f9d236e

Download Submit
C:\Windows\System32\wbem\AutoRecover\75054C3771DF289038069A9BB1C1FB6E.mof

Filesize
172KB

MD5
879da17723d4cfb96c9ab903ff587f11

SHA1
39b0cf2a547e06f475b6727542e11f77918af863

SHA256
57c04f7a149b1d739777a24d7d6927bf940d8f3ec9c306e94e703d05c1953c46

SHA512
6427213e1f9e6033614664ec23321e90f4ed122cef6bd7d803fd43f72bb186179cca42df8a54555b840478fbaf938b59833d411d70dfc1e5363b31a564773bce

Download Submit
C:\Windows\System32\wbem\AutoRecover\A070E510DD6FB900742044F2CD306750.mof

Filesize
25KB

MD5
6e1ab45dbeb4ebbb11eebaf7806674b8

SHA1
2acc0ff0d1dab320f87f14447b2c766aeadbccf9

SHA256
c3a036c1a7428d72faaafdf956c480fba087b63b194eb4ccfb4837febf6ec9f6

SHA512
4b2d967aa71f9dd57a0824acade2c06da068bcfc482a8685ef2071f5ac9e17adeccc94f76822476d14d8d10c0a1ed57316c31223759214029e49c57020f87300

Download Submit
C:\Windows\System32\wbem\Performance\WmiApRpl.h

Filesize
435B

MD5
1cc4c3b9bb1657be77939f0b565e315d

SHA1
6a7ff123e96da6f7fb0fd9b7d7600bfc3540ee25

SHA256
9eb3cbb0f65809845890159efdab0ff5a910da34252e7d5cff2929cc2fa6ab6a

SHA512
fd461013902cf1f89485efc1cbdd07bc294253a1b60d9950e27cdb12937cbb39e3491ddb5dfdc4386df87fa44ee4ca9b3be01d7048850337ff9d68156eea78ef

Download Submit
C:\Windows\System32\wbem\Performance\WmiApRpl.ini

Filesize
1KB

MD5
a656a56b1fda4aa28383160ba6ebea3b

SHA1
bda09bb6f5f28f5470147113e93d46a02853dfe1

SHA256
639cf8acd1fe25a19b9841c9262b4227fcc33bb6658919d31b10ab849253b318

SHA512
fbc74c738bbebb6265688ebec7a6bce18f5a59e98a5417701e5565d5c6e1f8c350da000005fc7441f8a4622043d4a8fd62efe54308cfa59f4ce9ed027dadebae

Download Submit