My research led to the original post here: https://forum.eset.com/topic/13651-powershell-script-possible-malicious-attack/
We are experiencing the same thing almost to the T. This only just started Monday and we haven't made any changes to logging so we are pretty confident it's malicious. It has affected a bunch of our servers.
Some of our older servers weren't patched for the EternalBlue until yesterday. So our fault on that end. We are running the WMILister_30.vbs because it does remove the WMI entries in those posts I have linked. Except they don't stay removed. My thoughts are maybe there is now something else the vbs script needs to look for and remove. Just a thought.